Prisma Cloud Security Research

Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy

Unit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. This includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy. These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities.

Malware

Threat Actor Groups

APT43

DPRK

FPSpy

G0086

Keylogger

Kimsuky

KLogExe

MITRE

Sep 26, 2024

By Daniel Frank, Lior Rochberger

Malware, Threat Actor Groups, AppleJeus, Citrine Sleet, Cryptocurrency, Gleaming Pisces, Linux, macOS, North Korea, PondRAT

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux an...

Unit 42 researchers have been tracking the activity of an ongoing poisoned Python packages campaign delivering Linux and macOS backdoors via infected Python software packages. We’ve named these infected softwar...

Sep 18, 2024

By Yoav Zemah

Cybercrime, High Profile Threats, Ransomware, Threat Actor Groups, Threat Research, ALPHV, Ambitious Scorpius, Bashful Scorpius, BlackCat ransomware, Cicada3301

Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomwar...

Repellent Scorpius is a new ransomware-as-a-service (RaaS) group that distributes Cicada3301 ransomware. The ransomware group appears to have first emerged in May 2024, with a multi-extortion operation.

Sep 10, 2024

By Navin Thomas, Jerome Tujague

Cybercrime, High Profile Threats, Malware, Nation-State Cyberattacks, Threat Actor Groups, Advanced Persistent Threat, Alluring Pisces, Andariel, Bluenoroff, Citrine Sleet

Threat Assessment: North Korean Threat Groups

Lazarus has been used in public reporting as an umbrella term for threat actors from the Democratic People's Republic of Korea (DPRK), commonly referred to as North Korea. However, many of these threat actors can be classified into differen...

Sep 09, 2024

By Unit 42

Malware, Threat Actor Groups, Advanced Persistent Threat, China, DLL Sideloading, Dropbox, Espionage, Government, Microsoft Visual Studio, Mimikatz

Chinese APT Abuses VSCode to Target Government in Asia

In the summer of 2018, Unit 42 released reporting regarding activity in the Middle East surrounding a cluster of activity using similar tactics, tools, and procedures (TTPs) in which we named the adversary group DarkHydrus. This group was o...

Sep 06, 2024

By Tom Fakterman

Cloud Cybersecurity Research, Ransomware, Threat Actor Groups, AWS, AWS credential stealing, Bling Libra, Extortion, MITRE, S3, ShinyHunters

Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunter...

In an incident response engagement handled by Unit 42, the threat actor group Bling Libra (the group behind the ShinyHunters ransomware) showcased their new shift to extorting victims rather than their traditio...

Aug 23, 2024

By Margaret Zimmermann, Chandni Vaya

Cloud Cybersecurity Research, Threat Research, AWS, credential theft, data exfiltration, ENV files, environment variable files, Exploit Kits, exposed environment files, Extortion

Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud...

Unit 42 researchers found an extortion campaign's cloud operation that successfully compromised and extorted multiple victim organizations. It did so by leveraging exposed environment variable files (.env files...

Aug 15, 2024

By Margaret Zimmermann, Sean Johnstone, William Gamazo, Nathaniel Quist

Cloud Cybersecurity Research, Threat Research, artifacts, AWS, GitHub, open source, Red Hat, Ubuntu

ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artif...

In part 1 of this 2-part blog series, we discussed why the Havex Trojan is a significant and concerning industry milestone. Here, in part 2, we look at how you can mitigate your exposure through the combination...

Aug 13, 2024

By Yaron Avital

Malware, Nation-State Cyberattacks, Threat Actor Groups, Threat Research, Advanced Persistent Threat, APT28, Fancy Bear, Fighting Ursa, HeadLace, phishing

Fighting Ursa Luring Targets With Car for Sale

A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and...

Aug 02, 2024

By Unit 42

Cloud Cybersecurity Research, Threat Research, cloud infrastructure, Container, container escape, container security, Docker, Kubernetes

Container Breakouts: Escape Techniques in Cloud Environments

This article reviews container escape techniques, assesses their possible impact and reveals how to detect these escapes from the perspective of endpoint detection and response (EDR).

Jul 18, 2024

By Yosef Yaakov, Bar Ben-Michael

Cloud Cybersecurity Research, CVE-2024-6387, High Profile Threats, OpenSSH, RegreSSHion, Remote Code Execution, SSH, Vulnerabilities

Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability

On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability, called RegreSSHion and tracked as CVE-2024-6387,...

Jul 02, 2024

By Unit 42

Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Academic Serpens, Agent Serpens, Agonizing Serpens, Alloy Taurus, Ambitious Scorpius, Bashful Scorpius

Threat Actor Groups Tracked by Palo Alto Networks Unit 42

This article lists selected threat actors tracked by Palo Alto Networks Unit 42, using our specific designators for these groups. We've organized them in alphabetical order of their assigned constellation. The information presented here is...

Jun 27, 2024

By Unit 42

AWS, Azure, Cloud Cybersecurity Research, IaaS, Microsoft, Threat Research, Trend Reports, virtual machines

Attack Paths Into VMs in the Cloud

This post reviews strategies for identifying and mitigating potential attack vectors against virtual machine (VM) services in the cloud. Organizations can use this information to understand the potential risks associated with their VM services and strengthen their defen...

Jun 18, 2024

By Jay Chen

AWS, Azure, Cloud Research, Data Security, Data Security Posture Management, GCP

Are Cloud Serverless Functions Exposing Your Data?

More than 25% of all publicly accessible serverless functions have access to sensitive data, as seen in internal research. The question then becomes, Are cloud serverless functions exposing your data? — which is followed by How can we asses...

Jun 06, 2024

By Golan Myers

Cloud Research, KYC, LLM, Platform, Research, Threat Research

Understanding Three Real Threats of Generative AI

Generative AI is a technology that has caught the attention of both good and bad actors. At its heart, the term generative AI refers to types of artificial intelligence that can generate content including text, images, audio or other media.

May 23, 2024

By Kyle Wilhoit

Advanced Persistent Threat, backdoor, China, Diplomatic Specter, Gh0st Rat, Malware, Nation-State Cyberattacks, SweetSpecter, TGR-STA-0043, Threat Actor Groups

Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Lev...

A Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Afri...

May 23, 2024

By Lior Rochberger, Daniel Frank

AWS, Cloud Cybersecurity Research, High Profile Threats, Microsoft Azure, MITRE, Muddled Libra, Threat Actor Groups

Muddled Libra’s Evolution to the Cloud

Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. Organizations often store a variety of data in SaaS applications and use services from CSPs. Th...

Apr 09, 2024

By Margaret Zimmermann

Prisma Cloud Security Research

Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux an...

Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomwar...

Threat Assessment: North Korean Threat Groups

Chinese APT Abuses VSCode to Target Government in Asia

Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunter...

Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud...

ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artif...

Fighting Ursa Luring Targets With Car for Sale

Container Breakouts: Escape Techniques in Cloud Environments

Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability

Threat Actor Groups Tracked by Palo Alto Networks Unit 42

Attack Paths Into VMs in the Cloud

Are Cloud Serverless Functions Exposing Your Data?

Understanding Three Real Threats of Generative AI

Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Lev...

Muddled Libra’s Evolution to the Cloud

Get the latest news, invites to events, and threat alerts

Products and Services

Company

Popular Links