Archive for Palo Alto Networks

Unit 42 Puts Out A Report on Cyber Threats To Watch Out For At The Winter Olympics

Posted in Commentary with tags on January 15, 2026 by itnerd

To help defenders protect their infrastructure, venues, suppliers, athletes and more, Unit 42 is releasing a new report, “Defending the 2026 Milan-Cortina Winter Games,” that details the top attackers, motives and tactics to prepare for ahead of the event, including steps organizations and local governments can take to protect themselves and the games.

The report builds on Unit 42’s prior work monitoring and preparing defenders for major events – including the 2024 Paris Olympics where authorities reported 140+ cyber incidents. The embargoed report (attached) shares highlights including:

  • Threat actor types: Ransomware gangs, nation-state actors, and hacktivist groups
  • Threat actors to watch: Muddled Libra, Insidious Taurus, and Salt Typhoon
  • Tactics to guard against: Social engineering attacks, DDoS attacks, API vulnerabilities and more.
  • Tips for defenders: Zero trust, runtime security, AI-driven automation and more.

You can read the report here: https://www.paloaltonetworks.com/resources/research/unit-42-cyber-vigilance-program/2026-winter-games-milano-cortina

VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion

Posted in Commentary with tags on January 15, 2026 by itnerd

VVS Stealer, a Python-based information-stealing malware, targets Discord users to steal their data, exfiltrating sensitive information such as the credentials and tokens stored in their accounts.

Unit 42 has more details here: https://unit42.paloaltonetworks.com/vvs-stealer/

Martin Jartelius, AI Product Director at Outpost24, provided the following comments:

“This is in line with the “malware as a service” elements we have seen over the years. The scope is relatively slim, and the Windows-based persistence mechanisms, such as copying itself to the Start Menu autostart locations, are very noisy and not indicative of a highly sophisticated actor. That said, the analysis is still interesting, as it shows an actor making malware commercially available while using commercially available security tools themselves. While everything the malware does is mainstream, and the techniques used are somewhat dated, it once again offers a glimpse into an established and growing criminal ecosystem.”

The Unit 42 report makes for interesting reading as it gives a lot of detail as to how a campaign like this works. It’s worth your time to have a look.
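As an added example that is not part of this post or of Unit 42's analysis, here is a small static triage script for the two things the write-up calls out: Pyarmor obfuscation and persistence via the Start Menu Startup folder. The marker strings are heuristics drawn from Pyarmor's public runtime names (`pyarmor_runtime`, `__pyarmor__`, `pytransform`), and the sample scripts are constructed for illustration, not real VVS Stealer code.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Heuristic markers for Pyarmor-protected scripts, taken from the public
# Pyarmor runtime API names: older releases import from "pytransform",
# Pyarmor 8 generates a "pyarmor_runtime_<id>" package plus an "__pyarmor__" call.
PYARMOR_MARKERS = {
    "pyarmor_entry_call": re.compile(r"\b__pyarmor__\s*\("),
    "pyarmor_runtime_import": re.compile(r"\bpyarmor_runtime"),
    "pytransform_import": re.compile(r"\bfrom\s+pytransform\s+import\b"),
}

# Strings pointing at the Windows Start Menu Startup folders (per-user under
# %APPDATA%, all-users under %ProgramData%), plus a script copying itself.
PERSISTENCE_MARKERS = {
    "startup_folder_path": re.compile(r"Start Menu[\\/]+Programs[\\/]+Startup", re.IGNORECASE),
    "self_copy": re.compile(r"(shutil\.copy\w*|copyfile)\s*\(\s*__file__"),
}


@dataclass
class TriageResult:
    name: str
    hits: List[str] = field(default_factory=list)

    @property
    def obfuscated(self) -> bool:
        return any(h in PYARMOR_MARKERS for h in self.hits)

    @property
    def persistence(self) -> bool:
        return "startup_folder_path" in self.hits

    @property
    def verdict(self) -> str:
        # Both signals together is the strongest case; either alone still deserves
        # a look (obfuscation hides strings, so a Pyarmor-only hit says nothing
        # about what the payload does).
        if self.obfuscated and self.persistence:
            return "high"
        if self.obfuscated or self.persistence:
            return "medium"
        return "low"


def triage_source(name: str, source: str) -> TriageResult:
    """Run every marker over one script's source text."""
    result = TriageResult(name)
    for label, pattern in {**PYARMOR_MARKERS, **PERSISTENCE_MARKERS}.items():
        if pattern.search(source):
            result.hits.append(label)
    return result


def triage_many(sources: Dict[str, str]) -> Dict[str, str]:
    """Map script name -> verdict for a batch of scripts."""
    return {name: triage_source(name, src).verdict for name, src in sources.items()}


# Constructed samples (not real VVS Stealer code), one per situation.
SAMPLE_SCRIPTS = {
    # Shape of a Pyarmor 8 entry stub with the encrypted payload bytes elided.
    "stub.py": (
        "from pyarmor_runtime_000000 import __pyarmor__\n"
        "__pyarmor__(__name__, __file__, b'PY000000...')\n"
    ),
    # Older-style Pyarmor loader that also installs itself into the Startup folder.
    "loader.py": (
        "from pytransform import pyarmor_runtime\n"
        "pyarmor_runtime()\n"
        "import os, shutil\n"
        "shutil.copy(__file__, os.path.expandvars("
        "r'%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.py'))\n"
    ),
    # Plain dropper: no obfuscation, but Startup-folder persistence.
    "dropper.py": (
        "import os, shutil\n"
        "dst = os.path.join(os.environ['APPDATA'],\n"
        "    r'Microsoft\\Windows\\Start Menu\\Programs\\Startup', 'update.py')\n"
        "shutil.copyfile(__file__, dst)\n"
    ),
    "benign.py": "import json\nprint(json.dumps({'ok': True}))\n",
}

if __name__ == "__main__":
    for name, verdict in triage_many(SAMPLE_SCRIPTS).items():
        print(f"{name:12s} {verdict:6s} {triage_source(name, SAMPLE_SCRIPTS[name]).hits}")
```

A Pyarmor hit on its own says nothing about the payload, because the obfuscation hides exactly the strings the persistence patterns look for; in practice that case goes to a sandbox or memory analysis rather than being cleared on a static scan.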

The Vibe Coding Security Gap & The New SHIELD Framework From Unit 42

Posted in Commentary with tags on January 8, 2026 by itnerd

Today, Unit 42 released new analysis on vibe coding’s hidden security risks and threats. AI-assisted “vibe coding” has officially gone mainstream with 99% of organizations now using AI agents in software development (State of Cloud Security Report 2025). But while AI-assisted coding dramatically boosts speed and productivity, it is also generating insecure code faster than security teams can review or remediate it – introducing vulnerabilities, technical debt, and real-world breach risks at an unprecedented scale.

This is a serious problem, and too many organizations are ignoring long-standing industry principles such as “least privilege,” sacrificing secure development standards for speed and functionality. To compound this, the rise of Citizen Developers who lack code review literacy is accelerating the deployment of insecure code, and supply chain weaknesses are being introduced at worrying rates.

To address this, Unit 42 is introducing the SHIELD framework to reintroduce secure design into AI-assisted coding.

Read the full analysis for more details.

Threat Actors Target Global Retailers with Cloud-Based Gift Card Campaign 

Posted in Commentary with tags on October 22, 2025 by itnerd

Palo Alto Networks Unit 42 has posted new research called “Jingle Thief”—a campaign in which Morocco-based threat actors are exploiting Microsoft 365 environments to conduct large-scale gift card fraud against global retail enterprises. With the holiday shopping season approaching, these operations are expected to intensify in scale and frequency.

The research details a multi-stage campaign where attackers use phishing and smishing to infiltrate retail organizations, identify and compromise those with gift card administration privileges, and ultimately issue themselves massive quantities of gift cards. These actors employ sophisticated evasion techniques—including configuring inbox rules for silent exfiltration and deletion of sent messages—that have not been publicly detailed until now.

Key insights from the research include:

  • A shift from endpoint-based intrusions to cloud-native, identity-driven attacks that leverage Microsoft 365 services.
  • How these attackers exploit trusted environments such as SharePoint, OneDrive, and Entra ID to execute large-scale gift card fraud, and evade detection for months.
  • Broader context on how financially motivated groups are adopting APT-level tactics, mirroring the persistence and stealth of nation-state actors.

You can read the research here.
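The inbox-rule abuse described above (silent forwarding, deletion of sent messages, parking mail in folders the owner never opens) leaves a trace in the Microsoft 365 unified audit log as `New-InboxRule` and `Set-InboxRule` operations. As an added example, not code from the Unit 42 research, the script below runs a few detection rules over constructed audit records; the record layout (`Operation`, `UserId`, `ClientIP`, `Parameters` as Name/Value pairs) follows the unified audit log, the parameter names are those of the Exchange Online inbox-rule cmdlets, and the tenant domain `example-retail.test` is an assumption.

```python
import re
from typing import Dict, List

# Exchange Online operations that create or change a mailbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders commonly used to park mail the mailbox owner is not meant to see.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}
# Subject keywords an attacker filters on to intercept alerts and approvals.
INTERCEPT_KEYWORDS = ("gift card", "password", "mfa", "security", "invoice", "verification")
# Assumption: the tenant's own mail domains (anything else counts as external).
INTERNAL_DOMAINS = {"example-retail.test"}


def _params(record: dict) -> Dict[str, str]:
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _addresses(value: str) -> List[str]:
    """Split a ForwardTo/RedirectTo value ("a@x;b@y" or a bracketed list) into addresses."""
    return [a.strip(" \"'[]") for a in re.split(r"[;,]", value) if "@" in a]


def analyze_rule(record: dict) -> List[str]:
    """Return the reasons one rule-change record looks suspicious (empty list = benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons: List[str] = []
    # Forwarding or redirecting outside the tenant is exfiltration on its own.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in _addresses(p.get(key, "")):
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                reasons.append(f"{key} -> external {addr}")
    # Tricks that keep the mailbox owner from noticing the intercepted mail.
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead=True")
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder -> {folder}")
    subject = (p.get("SubjectContainsWords", "") + " " + p.get("SubjectOrBodyContainsWords", "")).lower()
    matched = [k for k in INTERCEPT_KEYWORDS if k in subject]
    if matched:
        reasons.append("keyword filter: " + ", ".join(matched))
    name = p.get("Name") or p.get("Identity", "")
    if len(name.strip(" .,-_")) <= 1:
        reasons.append("near-empty rule name")
    return reasons


def find_suspicious_rules(records: List[dict], min_reasons: int = 2) -> List[dict]:
    """Alert when a rule forwards externally, or stacks two or more hiding tricks."""
    alerts = []
    for rec in records:
        reasons = analyze_rule(rec)
        if any("external" in r for r in reasons) or len(reasons) >= min_reasons:
            alerts.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                           "time": rec.get("CreationTime"), "reasons": reasons})
    return alerts


# Constructed audit records (values invented; layout follows the unified audit log).
SAMPLE_RECORDS = [
    {   # External forward + delete + keyword filter, rule named "."
        "CreationTime": "2025-10-20T08:11:03", "Operation": "New-InboxRule",
        "UserId": "giftcard-admin@example-retail.test", "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "collector@drop.example"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "SubjectContainsWords", "Value": "gift card;security alert"},
        ],
    },
    {   # No forwarding, but silently buries password/MFA mail in RSS Feeds
        "CreationTime": "2025-10-21T03:40:55", "Operation": "Set-InboxRule",
        "UserId": "store-ops@example-retail.test", "ClientIP": "198.51.100.23",
        "Parameters": [
            {"Name": "Identity", "Value": "Cleanup"},
            {"Name": "SubjectOrBodyContainsWords", "Value": "password;mfa"},
            {"Name": "MoveToFolder", "Value": ":\\RSS Feeds"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # Ordinary newsletter rule
        "CreationTime": "2025-10-21T09:02:10", "Operation": "New-InboxRule",
        "UserId": "store-ops@example-retail.test", "ClientIP": "192.0.2.44",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@vendor.example"},
            {"Name": "MoveToFolder", "Value": ":\\Newsletters"},
        ],
    },
    {   # Non-rule operation, ignored
        "CreationTime": "2025-10-21T09:05:00", "Operation": "FileDownloaded",
        "UserId": "store-ops@example-retail.test", "ClientIP": "192.0.2.44",
    },
]

if __name__ == "__main__":
    for alert in find_suspicious_rules(SAMPLE_RECORDS):
        print(alert["time"], alert["user"], alert["ip"], "|", "; ".join(alert["reasons"]))
```

The second sample is the one worth noting: it never forwards anything, so a rule that only looks for external forwarding misses it, yet stacking a keyword filter, a hiding folder and MarkAsRead is enough to make the mailbox owner blind to the password and MFA messages an attacker cares about.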

Unit 42 Identifies New Major Chinese APT Group Targeting Global Diplomats & Telecoms

Posted in Commentary with tags on October 1, 2025 by itnerd

After a nearly three-year investigation, Unit 42 has identified a previously unknown Chinese state-sponsored threat actor that it has named Phantom Taurus. This isn’t just another threat actor; their methods, tools, and relentless persistence place them in a new top tier of global threats.

What makes Phantom Taurus significant?

  • Unique and Sophisticated: They operate with entirely unique tactics and a custom arsenal of previously undocumented malware, setting them apart from all other known Chinese APTs. 
  • Dual-Mission Focus: They are surgically targeting both high-level geopolitical intelligence and entities (embassies, foreign ministries, diplomats) and critical telecommunications infrastructure. 
  • Unprecedented Persistence: This is what truly sets them apart. When most threat actors are discovered, they retreat for weeks or months. Phantom Taurus regroups and re-enters target networks within hours or days. Their mission is so critical they are willing to risk exposure to maintain access.
  • They Go for the Jugular: Instead of common phishing attacks, they meticulously research their targets and bypass users to directly compromise critical infrastructure to steal entire mailboxes or gain a persistent foothold for data collection.

This group is well-resourced, geopolitically aware, and poses a formidable, ongoing threat with a primary geographic focus on Africa, the Middle East, and Asia.

Here is the full, in-depth report detailing their custom tools, malware, and tactics: http://unit42.paloaltonetworks.com/phantom-taurus

Hackers Distribute Malicious AI Tools Through Chrome Extensions 

Posted in Commentary with tags on September 30, 2025 by itnerd

According to researchers, threat actors are distributing fake Chrome extensions posing as AI tools to hijack prompts in the Chrome search bar and then redirect queries to attacker-controlled domains and track search activity.

More info via this GitHub link from Palo Alto Networks: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-24-IOCs-for-AI-prompt-hijacker-extensions.txt

Davit Asatryan, VP of Research at Spin.AI, commented:

“Malicious AI-themed extensions show how attackers are quick to exploit hype to bypass user trust and enterprise defenses. What many don’t realize is that browser extensions can act like shadow IT, silently harvesting sensitive data. Organizations should treat extensions as part of their attack surface and implement continuous risk monitoring to prevent these threats before they spread.”

This underlines the fact that anything that gets onto your computer carries risk, which means you should always be wary of what you install, regardless of what it is.
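Treating extensions as attack surface, as the comment above suggests, starts with reading what an extension asks for. The Python below is an added example, not from this post or from the Unit 42 IoC list: it scores a Chrome extension `manifest.json` for the capabilities a search-hijacking extension needs (a `chrome_settings_overrides.search_provider` entry, which is the documented way to replace the omnibox default search; broad host access; and permissions that expose navigation history). Both manifests are constructed, and `search.lure-example.test` is a placeholder domain.

```python
import json
import re
from typing import Dict, List
from urllib.parse import urlparse

# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe or reshape browsing.
WATCH_PERMISSIONS = {"webRequest", "webNavigation", "history", "tabs", "cookies",
                     "declarativeNetRequest", "scripting"}
LURE_PATTERN = re.compile(r"\bai\b|gpt|copilot|assistant")


def assess_manifest(manifest: dict) -> Dict[str, object]:
    """Score one parsed manifest; higher means more of a search-hijacker profile."""
    findings: List[str] = []
    score = 0

    # 1. Search-provider override: takes over the omnibox default search, which is
    #    exactly what a prompt/search hijacker needs to see and redirect queries.
    override = manifest.get("chrome_settings_overrides", {})
    provider = override.get("search_provider")
    if provider:
        host = urlparse(provider.get("search_url", "")).netloc
        is_default = bool(provider.get("is_default"))
        score += 5 if is_default else 3
        findings.append(f"search_provider override -> {host or '?'} (is_default={is_default})")
    for key in ("homepage", "startup_pages"):
        if override.get(key):
            score += 1
            findings.append(f"{key} override")

    # 2. Broad host access, either for the extension itself or for its content scripts.
    hosts = set(manifest.get("host_permissions", [])) | {
        m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    if hosts & BROAD_HOSTS:
        score += 3
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))

    # 3. Permissions that let it watch or rewrite traffic and history.
    watch = set(manifest.get("permissions", [])) & WATCH_PERMISSIONS
    if watch:
        score += len(watch)
        findings.append("traffic/history visibility: " + ", ".join(sorted(watch)))

    # 4. AI-themed naming is the lure the post describes (a weak signal on its own).
    title = (manifest.get("name", "") + " " + manifest.get("description", "")).lower()
    if LURE_PATTERN.search(title):
        score += 1
        findings.append("AI-themed branding")

    level = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"name": manifest.get("name"), "score": score, "level": level, "findings": findings}


def assess_all(manifests: List[str]) -> List[dict]:
    """Parse and score a list of manifest.json texts."""
    return [assess_manifest(json.loads(m)) for m in manifests]


# Constructed manifests: one with the search-hijacker profile, one benign.
SAMPLE_MANIFESTS = [
    json.dumps({
        "manifest_version": 3,
        "name": "AI Prompt Helper for Search",
        "description": "Turn any search into a ChatGPT prompt",
        "permissions": ["storage", "tabs", "webNavigation"],
        "host_permissions": ["<all_urls>"],
        "chrome_settings_overrides": {
            "search_provider": {
                "name": "AI Search",
                "keyword": "ai",
                "search_url": "https://search.lure-example.test/?q={searchTerms}",
                "favicon_url": "https://search.lure-example.test/favicon.ico",
                "encoding": "UTF-8",
                "is_default": True,
            }
        },
        "background": {"service_worker": "bg.js"},
    }),
    json.dumps({
        "manifest_version": 3,
        "name": "Dark Mode Toggle",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://docs.internal.example/*"], "js": ["toggle.js"]}],
    }),
]

if __name__ == "__main__":
    for result in assess_all(SAMPLE_MANIFESTS):
        print(result["level"].upper(), result["score"], result["name"], result["findings"])
```

The manifest only states what an extension may do, not what its code does, so this is a triage filter for deciding which extensions in a fleet deserve a look at their background script and network behaviour, not a verdict.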

Palo Alto Networks Unveils Protection for Highly Evasive Threats with Prisma Browser, Extending SASE Leadership

Posted in Commentary with tags on September 4, 2025 by itnerd

Today, Palo Alto Networks announced Prisma® SASE 4.0, the industry’s most advanced AI-driven secure access service edge (SASE) solution. It sets a new standard with innovations in Prisma Browser that neutralize sophisticated web threats in real-time directly within the browser, where legacy solutions have critical blind spots. It’s designed to intercept and neutralize encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways.

The browser is becoming the new operating system for the enterprise, the primary interface for AI and cloud applications. Securing it is not optional. As more critical applications and data reside within the browser, traditional consumer-grade browsers are no longer sufficient for businesses as they lack the necessary security controls to protect against the increasing number of cyberattacks. With Prisma SASE 4.0, Prisma Browser’s new in-browser advanced web protection identifies and neutralizes malware in real-time before it can do harm. This provides a critical layer of defense that other solutions miss.

In addition, Prisma SASE 4.0 delivers new capabilities designed to secure the modern workforce, including:

  • Unprecedented Data Security powered by AI: Prisma SASE 4.0 offers a unified, frictionless data security approach, essential for protecting against the growing risks posed by AI agents, copilots, and plugins directly accessing corporate data. It uses AI-augmented classification to automatically and precisely classify sensitive information across all formats, including unstructured content and data in use – achieving 10x fewer false positives than traditional methods. It includes over 140 pre-trained machine learning classifiers and customizable models to secure critical assets like patents, contracts and source code.
  • Smarter, Faster Protection with Private App Security: Private applications are the engine of many businesses and are prime targets for cyberattacks. Older static rule-based web application firewalls (WAF) are simply no match for threats custom-built for dynamic applications. Palo Alto Networks’ new Private App Security automatically adapts to shield these essential applications and constantly updates security policies for applications.

Palo Alto Networks continues to demonstrate market leadership and disruptive innovation in SASE, with SASE ARR reaching $1.3 billion in fiscal year 2025, growing 35% year-over-year—more than twice the rate of the overall market. For three consecutive years, Palo Alto Networks has been named a Leader in the Gartner® Magic Quadrant™ for SASE Platforms for Prisma SASE. In addition, Palo Alto Networks has been named a Leader for three consecutive years in the Magic Quadrant for Security Service Edge, and five times in the Magic Quadrant for SD-WAN. With over 6,300 SASE customers, including one-third of the Fortune 500, this single-vendor platform simplifies operations and provides a clear path to scale, with adoption of the Prisma Browser surpassing 6 million licensed seats.

These innovations and other key SASE features will be generally available later this year. To learn more, read the blog.

Palo Alto Networks Delivers Enterprise Wide Quantum Security Readiness for All Customers

Posted in Commentary with tags on August 14, 2025 by itnerd

Palo Alto Networks today announced two new security solutions to help organizations confidently navigate the evolving quantum landscape, and to keep pace with highly dynamic cloud and AI environments. These innovations provide enterprises with the visibility, agility and robust defenses needed to accelerate their quantum readiness and secure their workloads in a multicloud world.

The innovations cover the entire quantum readiness lifecycle and mark the Palo Alto Networks network security platform as the industry’s first to automatically discover, deploy, and scale security for dynamic multicloud and AI environments.

All Palo Alto Networks network security customers will automatically benefit from:

  • Accelerated Quantum Readiness. The new Quantum Readiness Dashboard provides complete visibility into cryptographic posture, and the industry’s first Cipher Translation automatically upgrades applications to be quantum-safe. 14 new 5th-generation NGFWs are also optimized for post-quantum cryptography.
  • Simplified Cloud Network Security. Includes a new Cloud Network and AI Risk Assessment for continuous risk identification, and new automatic deployment of firewalls and Prisma AIRS instances to secure a multicloud networking mesh. Management is centralized in the updated Strata Cloud Manager, automating security deployment to scale protection on demand.
  • Expanded Use of Precision AI capabilities for device, DNS, and CDSS security.

These innovations and other key features will be available through a software upgrade to PAN-OS 12.1 Orion. To learn more about PAN-OS 12.1 Orion and Palo Alto Networks next-generation security solutions, read the blog.

JavaGhost Uses Amazon IAM Permissions to Phish Organizations

Posted in Commentary with tags on March 3, 2025 by itnerd

Researchers have observed the JavaGhost threat actor group using phishing to target AWS environments. This group takes advantage of misconfigurations in the victim organizations’ environments that expose AWS credentials in the form of long-term access keys. More info from Palo Alto’s Unit 42 is available here: https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/

Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, had this to say:

“Cyber threat actors with sophisticated technical skills and solid business sense now know that maintaining persistence within enterprises using back doors with command and control capabilities is getting more difficult to sustain, due to improvements in endpoint monitoring and network-level behavioral analysis that comes with cybersecurity product maturity. As a byproduct, threat actors are doing what they do best: adjusting their tactics. 

Threat actors know that compromising credentials is most effective to both penetrate enterprise cyber defenses and to operate within an enterprise to escalate privilege and obtain access to digital assets to monetize in various ways. Obtaining cloud-based credentials used in identity access management (IAM) services for IaaS providers offers sophisticated threat actors an opportunity to gain access to digital assets, while minimizing the probability of detection. 

This news represents an acknowledgement by threat actors that cloud and IaaS account compromise continues to offer profitable opportunities for exploitation. Enterprises and the tech industry should look for different ways to more effectively manage IaaS and SaaS account configuration and management. The on-boarding of accounts for cloud-based services represents today a weakness that will continue to be exploited by sophisticated threat actors. Many enterprises struggle with the onboarding (registration, configuration) of cloud accounts due to backlogs for the many types of cloud accounts essential for meeting service levels for enterprise users. Enterprises need to get more creative in addressing the backlog and provide faster, more responsive onboarding for these accounts. Many established and mature IAM practices and processes were designed for managing access to systems within a proprietary data center. Providing effective IAM management for cloud accounts is a struggle for many enterprises that threat actors like JavaGhost are taking advantage of.” 

Roger Grimes, data-driven defense evangelist at KnowBe4 follows with this:

“This is another example of how not doing the basics better can hurt you. When clouds really took over a decade ago, “experts” worried about all the new cloud-specific attacks we would see and become accustomed to. But what has proven true over time is that the same things that plague us in on-premise environments for over 2-3 decades are still what plagues us in cloud environments. In this case, overly permissive permissions and social engineering. Social engineering is responsible for 70% – 90% of successful attacks. Overly permissive permissions are also a top threat (but surpassed also by vulnerability exploits and stolen credentials).

If you want to keep hackers and their malware creations out, concentrate on the long-time basics, not just as part of everything you are doing, but primarily what you are doing. If you’re not stopping social engineering, exploits against unpatched vulnerabilities, credential theft (79% of the time through social engineering), and misconfigurations, of which overly permissive permissions is one type, then you aren’t going to stop hackers. The only difference now is you need to learn how to do it in both on-premises and cloud environments. But the threats are the same.”

If your organization has any exposure to AWS, I’d set aside some time to read this report, specifically the protections and mitigations section, which should help make you safer.
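Since the JavaGhost intrusions start from exposed long-term access keys, and the comments above keep returning to the basics (credential hygiene, MFA, least privilege), here is an added example of one of those basics; it is not code from the Unit 42 report. It reads an IAM credential report (the CSV that `aws iam get-credential-report` returns after `aws iam generate-credential-report`) and flags root access keys, keys past a rotation deadline, keys that were created but never used, and console users without MFA. The report below is constructed, the account id and user names are placeholders, and the 90-day and 30-day thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Values the credential report uses when there is no timestamp to give.
NEVER = {"N/A", "no_information", "not_supported", ""}


def _parse(ts: str) -> Optional[datetime]:
    """Turn a report timestamp into an aware datetime, or None when there is none."""
    return None if ts in NEVER else datetime.fromisoformat(ts)


def find_credential_risks(report_csv: str, now: datetime,
                          max_key_age_days: int = 90,
                          unused_key_days: int = 30) -> List[Tuple[str, str]]:
    """Return (user, risk_code) pairs from an IAM credential report."""
    risks: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root account should have no access keys at all.
        if user == "<root_account>":
            if any(row[f"access_key_{i}_active"] == "true" for i in (1, 2)):
                risks.append((user, "ROOT_ACCESS_KEY"))
            continue
        # Console users need MFA; a password alone is one phish away from compromise.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            risks.append((user, "CONSOLE_NO_MFA"))
        # Long-term access keys: old, never used, or stale ones are the exposure
        # the JavaGhost write-up describes, and each is a candidate for removal.
        for i in (1, 2):
            if row[f"access_key_{i}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{i}_last_rotated"])
            last_used = _parse(row[f"access_key_{i}_last_used_date"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                risks.append((user, f"KEY{i}_ROTATION_OVERDUE"))
            if last_used is None and rotated and now - rotated > timedelta(days=unused_key_days):
                risks.append((user, f"KEY{i}_NEVER_USED"))
            elif last_used and now - last_used > timedelta(days=unused_key_days):
                risks.append((user, f"KEY{i}_STALE"))
    return risks


# Constructed credential report (account id and users are placeholders); the
# column set is the one AWS emits, the values are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-05-01T09:00:00+00:00,not_supported,2025-02-10T12:00:00+00:00,not_supported,not_supported,true,true,2021-05-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-03-14T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-11-01T10:00:00+00:00,2025-03-01T06:30:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2025-01-10T08:00:00+00:00,true,2025-03-02T15:00:00+00:00,2025-01-10T08:00:00+00:00,N/A,true,true,2025-01-10T08:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2024-06-01T09:00:00+00:00,true,2025-03-03T07:00:00+00:00,2024-12-01T09:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-reports,arn:aws:iam::123456789012:user/svc-reports,2024-09-15T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-02-01T00:00:00+00:00,2025-02-28T00:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the example is reproducible (the post date).
NOW = datetime(2025, 3, 3, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, code in find_credential_risks(SAMPLE_REPORT, NOW):
        print(f"{code:24s} {user}")
```

The `svc-reports` row shows what a clean long-term key looks like (recently rotated, recently used); everything else on the list is something a reviewer would either rotate, delete, or, for the human users, replace with short-lived credentials from an identity provider rather than a static key.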

Business Disruption, AI-Assisted Attacks, Insider Threats and Accelerated Intrusions on Multiple Fronts Define the New Cyberthreat Landscape says Palo Alto Networks

Posted in Commentary with tags on February 26, 2025 by itnerd

Palo Alto Networks Unit 42 released its 2025 Global Incident Response Report, revealing that 86% of major cyber incidents in 2024 resulted in operational downtime, reputational damage or financial loss.

The report (based on 500 major cyber incidents that Unit 42 responded to across 38 countries and every major industry) highlights a new trend: financially motivated attackers have shifted their focus to deliberate operational disruption, prioritizing sabotage – destroying systems, locking customers out and causing prolonged downtime – to maximize impact and pressure organizations into paying extortion demands.

The 2025 Global Incident Response Report highlights several trends:

  • Cyberattacks Are Moving Faster than Ever
  • The Rise of Insider Threats 
  • Multipronged Attacks Are the New Norm
  • Phishing Makes a Comeback
  • Cloud Attacks Are Increasing
  • AI Is Accelerating the Attack Lifecycle 

The speed, sophistication and scale of attacks have reached unprecedented levels with AI-assisted threats and multipronged intrusions, underscoring that organizations faced an increasingly volatile threat landscape in 2024.

To see the results from this year’s report, please visit the accompanying blog as well as the full report.