Blog
Cloud Security
Cortex Cloud Security Research

Cortex Cloud Security Research

Boggy Serpens Threat Assessment

Boggy Serpens Threat Assessment

On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system compromise, including unauthorized access, data exfiltration and service disruption....

Nation-State Cyberattacks

Threat Actor Groups

Threat Research

Advanced Persistent Threat

C2

Mar 16, 2026

Cybercrime, Threat Actor Groups, Muddled Libra, PowerShell, Scattered Spider, UNC3944, virtual machines

A Peek Into Muddled Libra’s Operational Playbook

Feb 10, 2026

By Justin De Luna, Noah Rincon, Cuong Dinh

Cloud Cybersecurity Research, Threat Research, API, IAM, MITRE, Muddled Libra, Silk Typhoon

Novel Technique to Detect Cloud Threat Actor Operations

Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The...

Feb 06, 2026

By Nathaniel Quist

Nation-State Cyberattacks, Threat Actor Groups, Espionage, Government, phishing, TGR-STA-1030

The Shadow Campaigns: Uncovering Global Espionage

This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. W...

Feb 05, 2026

By Unit 42

Cloud Cybersecurity Research, DNS, Threat Research, Microsoft Azure, networking

DNS OverDoS: Are Private Endpoints Too Private?

We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentio...

Jan 20, 2026

By Golan Myers

Ransomware, Threat Actor Groups, Threat Research, ESXi, Jolly Scorpius, RansomHouse

From Linear to Complex: An Upgrade in RansomHouse Encryption

Unit 42 uncovered the previously unseen KSwapDoor. This Linux backdoor was initially mistaken for BPFDoor.

Dec 17, 2025

By Anmol Maurya, Jingwen Shi

Malware, Threat Actor Groups, Ashen Lepus, Espionage, WIRTE

Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities Wit...

In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speakin...

Dec 11, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, control plane, Curious Serpens, data plane, logging, Microsoft Azure, pentest tool

Cloud Discovery With AzureHound

AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerat...

Oct 24, 2025

By Margaret Kelley, Bill Batchelor, Eyal Rafian

Cloud Cybersecurity Research, Cybercrime, Threat Research, CL‑CRI‑1032, Microsoft, phishing, smishing

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

Unit 42 stopped monitoring this threat and updating the brief on Sept. 18, 2025. Please refer to the Microsoft SharePoin...

Oct 22, 2025

By Stav Setty, Shachar Roitman

Hospitality Hacks and Retail Reality Checks, Insights, Threat Actor Groups, Bling Libra, Extortion, Lapsus$, Muddled Libra, Retail, Scattered Spider, ShinyHunters

The Golden Scale: Bling Libra and the Evolving Extortion Economy

Oct 10, 2025

By Matt Brady

Cloud Cybersecurity Research, General, Insights, Cloud Infrastructure Protection, Cloud Security, Unit 42 Incident Response Report

Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 G...

Cloud incidents like ransomware attacks and account compromise can bring operations to a h...

Oct 07, 2025

By Margaret Kelley

Malware, Threat Actor Groups, China, CL-STA-0043, Phantom Taurus, TGR-STA-0043

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR M...

Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests....

Sep 30, 2025

By Lior Rochberger

Malware, Threat Actor Groups, Bookworm, Stately Taurus

Bookworm to Stately Taurus Using the Unit 42 Attribution Framework

Our research uncovered a fundamental flaw in the AI supply chain that allows attackers to gain Remote Code Execution (RCE) and additional capabilities...

Sep 24, 2025

By Kyle Wilhoit

Cloud Cybersecurity Research, Threat Research, Azure, GenAI, Google, Microsoft, supply chain

Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trus...

BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain condit...

Sep 03, 2025

By Itay Saraf, Ofir Balassiano

Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Academic Serpens, Agent Serpens, Agonizing Serpens, Alloy Taurus, Ambitious Scorpius, Bashful Scorpius

Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, ...

This article lists selected threat actors tracked by Palo Al...

Aug 01, 2025

By Unit 42

Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Threat Research, Advanced Persistent Threat, Bookworm, nomenclature, Stately Taurus

Introducing Unit 42’s Attribution Framework

Threat actor attribution has traditionally been considered more art than science, often re...

Jul 31, 2025

By Andy Piazza, Kyle Wilhoit, Robert Falcone, David Fuertes

Business Email Compromise, Cybercrime, Malware, Threat Actor Groups, Trend Reports, Agent Serpens, Agentic AI, ClickFix, Credential Harvesting, Lumma Stealer

2025 Unit 42 Global Incident Response Report: Social Engineering Edition

We see social engineering evolving into one of the most reli...

Jul 30, 2025

By Unit 42

Load more

Load more

Get the latest news, invites to events, and threat alerts

Get the latest news, invites to events, and threat alerts

By submitting this form, I understand my personal data will be processed in accordance with Palo Alto Networks Privacy Statement and Terms of Use.