Unit 42 @unit42_intel - Twitter Profile

about 6 hours ago

Unit 42 provides indicators of activity and mitigations for PAN-OS CVE-2026-0257, an authentication bypass in GlobalProtect. https://t.co/fKkirRgJVm

Unit42_Intel's tweet photo. Unit 42 provides indicators of activity and mitigations for PAN-OS CVE-2026-0257, an authentication bypass in GlobalProtect. https://t.co/fKkirRgJVm https://t.co/OjMvlLapPk

0

25

5

3

2K

Unit 42 @Unit42_Intel

about 7 hours ago

We detected an evasive #ClickFix injection with a fake Lirunex payment platform lure tricking the user into requesting the SSL certificate path through a file dialog box but silently delivers a RAT disguised as image files. Details at https://t.co/3gOKYWrMLz

Unit42_Intel's tweet photo. We detected an evasive #ClickFix injection with a fake Lirunex payment platform lure tricking the user into requesting the SSL certificate path through a file dialog box but silently delivers a RAT disguised as image files. Details at https://t.co/3gOKYWrMLz https://t.co/eWk175TzMh

0

30

11

2K

Unit 42 @Unit42_Intel

1 day ago

FlutterShell is a new macOS backdoor spread by malvertising. Built with Flutter, it uses a WebView-based architecture for adware, allowing attackers to remain dynamic. We discuss its evolution, variants and command structure in a recent campaign. https://t.co/7dUEPypRIn

Unit42_Intel's tweet photo. FlutterShell is a new macOS backdoor spread by malvertising. Built with Flutter, it uses a WebView-based architecture for adware, allowing attackers to remain dynamic. We discuss its evolution, variants and command structure in a recent campaign. https://t.co/7dUEPypRIn https://t.co/lzgmomLDiE

0

55

14

20

4K

Unit 42 @Unit42_Intel

2 days ago

We are tracking Pink (CL-CRI-1147), a new Com-affiliated extortion brand whose leak site went live 5/31/26. Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims: https://t.co/gyaGA1iG1S

0

66

21

30

7K

Who to follow

CISA Cyber

@CISACyber

Part of @CISAgov, we respond to major incidents, analyze threats, and exchange critical cybersecurity information with partners around the world.

proxylife

@pr0xylife

DFIR | Malware Hunter | @Cryptolaemus1

ATT&CK

@MITREattack

MITRE ATT&CK® - A knowledge base for describing the behavior of adversaries. Replying/Following/Re-tweeting ≠ endorsement. @ https://t.co/wt46ArkZVt

Unit 42 @Unit42_Intel

3 days ago

An update to our Threat Brief on npm supply chain attacks discusses the latest compromise, pushing a payload named Miasma. The tradecraft used substantially matches Mini Shai-Hulud malware used by TeamPCP. Read now: https://t.co/ktpqy8loGB

Unit42_Intel's tweet photo. An update to our Threat Brief on npm supply chain attacks discusses the latest compromise, pushing a payload named Miasma. The tradecraft used substantially matches Mini Shai-Hulud malware used by TeamPCP. Read now: https://t.co/ktpqy8loGB https://t.co/YxSu8Om8e1

0

34

13

12

4K

Unit 42 @Unit42_Intel

3 days ago

An #adware campaign involving 50+ Chrome extensions (disguised as live wallpapers) has hit ~30K users. Spread across three publisher accounts, the attackers are pushing remote HTML to 40+ extensions and wiping IndexedDB on install and startup. Details at https://t.co/yihnkqJ3tj

Unit42_Intel's tweet photo. An #adware campaign involving 50+ Chrome extensions (disguised as live wallpapers) has hit ~30K users. Spread across three publisher accounts, the attackers are pushing remote HTML to 40+ extensions and wiping IndexedDB on install and startup. Details at https://t.co/yihnkqJ3tj https://t.co/u2V8UmLzWM

1

99

34

53

10K

Unit 42 @Unit42_Intel

7 days ago

We detected indirect prompt injection on a fake Excel template store. Hidden via white text, the prompt uses social engineering to manipulate AI agents into boosting SEO, aiming to funnel users to a malicious Chrome extension. Details at https://t.co/04V75Odz81

Unit42_Intel's tweet photo. We detected indirect prompt injection on a fake Excel template store. Hidden via white text, the prompt uses social engineering to manipulate AI agents into boosting SEO, aiming to funnel users to a malicious Chrome extension. Details at https://t.co/04V75Odz81 https://t.co/VVDinZHWzy

2

125

31

47

19K

Unit 42 @Unit42_Intel

7 days ago

New analysis reveals a massive network of fraudulent domains capitalizing on the 2026 FIFA World Cup, with 1k+ registered in the past 6 months. Tactics include redirects to shady gambling apps, data harvesting, malvertising, and PUP downloads. Details at https://t.co/Lw0gpfN7SS

Unit42_Intel's tweet photo. New analysis reveals a massive network of fraudulent domains capitalizing on the 2026 FIFA World Cup, with 1k+ registered in the past 6 months. Tactics include redirects to shady gambling apps, data harvesting, malvertising, and PUP downloads. Details at https://t.co/Lw0gpfN7SS https://t.co/cYmINLfkqx

0

19

6

9

4K

Unit 42 @Unit42_Intel

8 days ago

#TuxBot v3 Evolution: IoT malware/C2 framework tied to AISURU/Keksec. Self-ID "Akiru." 30-plus exploit targets, 1,496 credential pairs, encrypted C2, and DGA. Developers used an LLM to port exploits and write code, leaving traces in some files. Details at https://t.co/7mIjUcEG3y

Unit42_Intel's tweet photo. #TuxBot v3 Evolution: IoT malware/C2 framework tied to AISURU/Keksec. Self-ID "Akiru." 30-plus exploit targets, 1,496 credential pairs, encrypted C2, and DGA. Developers used an LLM to port exploits and write code, leaving traces in some files. Details at https://t.co/7mIjUcEG3y https://t.co/vOXDFloLTk

1

89

28

45

8K

Unit 42 @Unit42_Intel

9 days ago

2026-05-26 (Tuesday): Another page impersonating Claude was used to push #SHubStealer when viewed on a macOS host. Details at https://t.co/WcaIiQCdd6

Unit42_Intel's tweet photo. 2026-05-26 (Tuesday): Another page impersonating Claude was used to push #SHubStealer when viewed on a macOS host. Details at https://t.co/WcaIiQCdd6 https://t.co/v7At9jpInv

2

131

31

54

15K

Unit 42 @Unit42_Intel

12 days ago

Offensive and defensive framework ROADtools is being misused by nation-state actors for cloud attacks. Understand how to identify the activity that signals its malicious usage, including proactive hunting for anomalous activity: https://t.co/bq50zF1tFV

Unit42_Intel's tweet photo. Offensive and defensive framework ROADtools is being misused by nation-state actors for cloud attacks. Understand how to identify the activity that signals its malicious usage, including proactive hunting for anomalous activity: https://t.co/bq50zF1tFV https://t.co/rIgNdQX2xa

0

96

32

69

31K

Unit42_Intel retweeted

CNN

@CNN

14 days ago

Iranian hackers have posed as job recruiters to target software engineers in the aviation sector as part of an elaborate espionage scheme during the US and Israeli war with Iran, cybersecurity researchers tell CNN. https://t.co/44rfkGFPHS

95

283

120

25

126K

Unit 42 @Unit42_Intel

14 days ago

Users attempting to download open-source C++ IDE are hijacked via malicious CloudFront JS on-click, redirecting to fake MEGA-Transfer pages delivering #RemusStealer. Details at https://t.co/B9QBHn2xz0

Unit42_Intel's tweet photo. Users attempting to download open-source C++ IDE are hijacked via malicious CloudFront JS on-click, redirecting to fake MEGA-Transfer pages delivering #RemusStealer. Details at https://t.co/B9QBHn2xz0 https://t.co/67Q8qag6ot

2

70

26

21

6K

Unit 42 @Unit42_Intel

14 days ago

A single threat actor uses multiple identities to run dozens of #AI-accelerated fake VPN Chrome extensions. All traffic routes through 15 SOCKS5 proxies, with some impersonating major VPN service providers. Details at https://t.co/HqhvzZSZaV

Unit42_Intel's tweet photo. A single threat actor uses multiple identities to run dozens of #AI-accelerated fake VPN Chrome extensions. All traffic routes through 15 SOCKS5 proxies, with some impersonating major VPN service providers. Details at https://t.co/HqhvzZSZaV https://t.co/BpAhuWVGoE

0

63

19

25

8K

Unit 42 @Unit42_Intel

14 days ago

Iran-nexus APT Screening Serpens (aka UNC1549, Smoke Sandstorm) is deploying novel RAT variants in espionage campaigns targeting entities in the U.S., Israel and the UAE. These campaigns use AppDomainManager hijacking. Read our analysis for details: https://t.co/xTD398oRnx

Unit42_Intel's tweet photo. Iran-nexus APT Screening Serpens (aka UNC1549, Smoke Sandstorm) is deploying novel RAT variants in espionage campaigns targeting entities in the U.S., Israel and the UAE. These campaigns use AppDomainManager hijacking. Read our analysis for details: https://t.co/xTD398oRnx https://t.co/hf5Fj1wtm3

0

62

20

23

4K

Unit 42 @Unit42_Intel

16 days ago

We identified 4,000 samples of TamperedChef malware hiding in trojanized productivity apps. These campaigns use code signing to bypass security filters. The malware can remain dormant for days before stealing data. Read our analysis: https://t.co/IPCfRixbTh

Unit42_Intel's tweet photo. We identified 4,000 samples of TamperedChef malware hiding in trojanized productivity apps. These campaigns use code signing to bypass security filters. The malware can remain dormant for days before stealing data. Read our analysis: https://t.co/IPCfRixbTh https://t.co/qkwxxrM0td

2

77

21

30

7K

Unit 42 @Unit42_Intel

16 days ago

2026-05-20 (Tuesday): Pages impersonating Claude and Homebrew continue to distribute malware like #MacSync stealer by employing a #ClickFix-style social engineering technique. Details at https://t.co/cTU26X3LhU

Unit42_Intel's tweet photo. 2026-05-20 (Tuesday): Pages impersonating Claude and Homebrew continue to distribute malware like #MacSync stealer by employing a #ClickFix-style social engineering technique. Details at https://t.co/cTU26X3LhU https://t.co/q85sibsuyP

3

92

22

42

9K

Unit 42 @Unit42_Intel

17 days ago

The latest Gremlin stealer variants employ multiple layers of obfuscation such as identifier renaming and string encryption. These methods remove context and hide intentions from static analysis tools. Read our analysis for technical insights: https://t.co/krEkZ8fND8

Unit42_Intel's tweet photo. The latest Gremlin stealer variants employ multiple layers of obfuscation such as identifier renaming and string encryption. These methods remove context and hide intentions from static analysis tools. Read our analysis for technical insights: https://t.co/krEkZ8fND8 https://t.co/uF8KqKxsEu

1

30

12

7

4K

Unit 42 @Unit42_Intel

21 days ago

LinkedIn Search leads to #CastleLoader delivering #AsyncRAT. Attackers use Clickfix lures with fake verification popups to mask PowerShell activity. The loader decrypts the payload via RC4, using the first 64 bytes as a key to bypass filters. Details: https://t.co/0t5xZQFNgk

0

136

30

67

12K

Unit 42 @Unit42_Intel

22 days ago

Active Directory Certificate Services is a high impact vector for privilege escalation. Adversaries misuse built-in features to impersonate accounts and establish persistence. Our research provides a deep dive into these methods. Read our analysis: https://t.co/24jLSrMp7j

Unit42_Intel's tweet photo. Active Directory Certificate Services is a high impact vector for privilege escalation. Adversaries misuse built-in features to impersonate accounts and establish persistence. Our research provides a deep dive into these methods. Read our analysis: https://t.co/24jLSrMp7j https://t.co/Nzyl228g8k

0

48

13

24

5K

Unit 42

@Unit42_Intel

Who to follow

Last Seen Users on Sotwe

Trends for you

Most Popular Users