Archive for Palo Alto Networks

Unit 42 Identifies New Major Chinese APT Group Targeting Global Diplomats & Telecoms

Posted in Commentary on October 1, 2025 by itnerd

After a nearly three-year investigation, Unit 42 has identified a previously unknown Chinese state-sponsored threat actor we’ve named Phantom Taurus. This isn’t just another threat actor; their methods, tools, and relentless persistence place them in a new top tier of global threats.

What makes Phantom Taurus significant?

  • Unique and Sophisticated: They operate with entirely unique tactics and a custom arsenal of previously undocumented malware, setting them apart from all other known Chinese APTs. 
  • Dual-Mission Focus: They are surgically targeting both high-level geopolitical intelligence and entities (embassies, foreign ministries, diplomats) and critical telecommunications infrastructure. 
  • Unprecedented Persistence: This is what truly sets them apart. When most threat actors are discovered, they retreat for weeks or months. Phantom Taurus regroups and re-enters target networks within hours or days. Their mission is so critical they are willing to risk exposure to maintain access.
  • They Go for the Jugular: Instead of common phishing attacks, they meticulously research their targets and bypass users to directly compromise critical infrastructure to steal entire mailboxes or gain a persistent foothold for data collection.

This group is well-resourced, geopolitically aware, and poses a formidable, ongoing threat with a primary geographic focus on Africa, the Middle East, and Asia.

Here is the full, in-depth report detailing their custom tools, malware, and tactics: http://unit42.paloaltonetworks.com/phantom-taurus

Hackers Distribute Malicious AI Tools Through Chrome Extensions 

Posted in Commentary on September 30, 2025 by itnerd

According to researchers, threat actors are distributing fake Chrome extensions posing as AI tools to hijack prompts in the Chrome search bar and then redirect queries to attacker-controlled domains and track search activity.

More info is available via this GitHub link from Palo Alto Networks: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-24-IOCs-for-AI-prompt-hijacker-extensions.txt

Davit Asatryan, VP of Research at Spin.AI, commented:

“Malicious AI-themed extensions show how attackers are quick to exploit hype to bypass user trust and enterprise defenses. What many don’t realize is that browser extensions can act like shadow IT, silently harvesting sensitive data. Organizations should treat extensions as part of their attack surface and implement continuous risk monitoring to prevent these threats before they spread.”

This underlines the fact that there are dangers with anything that gets onto your computer, which means that you should always be wary of what you install, regardless of what it is.
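As an added defensive example (not from the Unit 42 IOC list or the post above), here is a Python audit that walks Chrome extension manifests and flags the pattern the post describes: a search-provider override whose search URL points off an allowlist, combined with broad host permissions that would let the extension read or redirect typed queries. The allowlist and both manifests are constructed for illustration.

```python
"""Audit Chrome extension manifests for search-provider hijacking (added example).

Assumptions (not from the original post): the allowlist of search domains below
is illustrative, and the two manifests are constructed samples, not real IOCs.
"""
import json
from urllib.parse import urlparse

# Search engines an organization expects to see as the default provider.
ALLOWED_SEARCH_DOMAINS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Permissions that let an extension observe or rewrite traffic for every site.
BROAD_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "declarativeNetRequestWithHostAccess", "<all_urls>"}


def _search_url_host(manifest):
    """Return the host of chrome_settings_overrides.search_provider.search_url, if set."""
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if not provider:
        return None
    return urlparse(provider.get("search_url", "")).hostname


def _broad_permissions(manifest):
    """Collect permission strings that grant visibility across all sites."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    # Any host pattern that matches all hosts is treated like <all_urls>.
    wildcard = {p for p in declared if p == "<all_urls>" or p.startswith("*://*/")}
    return sorted((declared & BROAD_PERMISSIONS) | wildcard)


def audit_manifest(manifest):
    """Return a list of findings (strings) for one parsed manifest.json."""
    findings = []
    host = _search_url_host(manifest)
    if host and host not in ALLOWED_SEARCH_DOMAINS:
        findings.append(f"default search redirected to non-allowlisted host {host}")
    broad = _broad_permissions(manifest)
    if broad:
        findings.append("broad traffic permissions: " + ", ".join(broad))
    # A redirected search provider plus cross-site request access is the
    # combination that lets an extension capture and re-route typed prompts.
    if host and host not in ALLOWED_SEARCH_DOMAINS and broad:
        findings.append("HIGH: search override combined with cross-site access")
    return findings


# Constructed sample manifests (illustrative only, not real extensions).
BENIGN = json.loads("""{
  "manifest_version": 3, "name": "Spell Helper",
  "permissions": ["storage"], "host_permissions": []
}""")

SUSPICIOUS = json.loads("""{
  "manifest_version": 3, "name": "AI Prompt Booster",
  "permissions": ["webRequest", "storage"],
  "host_permissions": ["<all_urls>"],
  "chrome_settings_overrides": {
    "search_provider": {
      "name": "AI Search", "keyword": "ai", "is_default": true,
      "search_url": "https://search.example.invalid/q?term={searchTerms}"
    }
  }
}""")

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_manifest(manifest) or ["no findings"])
```

Pointing this at the `manifest.json` files under a user's Chrome extensions directory gives a quick inventory of which installed extensions can silently change where search-bar input goes.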

Palo Alto Networks Unveils Protection for Highly Evasive Threats with Prisma Browser, Extending SASE Leadership

Posted in Commentary on September 4, 2025 by itnerd

Today, Palo Alto Networks announced Prisma® SASE 4.0, the industry’s most advanced AI-driven secure access service edge (SASE) solution. It sets a new standard with innovations in Prisma Browser that neutralize sophisticated web threats in real-time directly within the browser, where legacy solutions have critical blind spots. It’s designed to intercept and neutralize encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways.

The browser is becoming the new operating system for the enterprise, the primary interface for AI and cloud applications. Securing it is not optional. As more critical applications and data reside within the browser, traditional consumer-grade browsers are no longer sufficient for businesses as they lack the necessary security controls to protect against the increasing number of cyberattacks. With Prisma SASE 4.0, Prisma Browser’s new in-browser advanced web protection identifies and neutralizes malware in real-time before it can do harm. This provides a critical layer of defense that other solutions miss.

In addition, Prisma SASE 4.0 delivers new capabilities designed to secure the modern workforce, including:

  • Unprecedented Data Security powered by AI: Prisma SASE 4.0 offers a unified, frictionless data security approach, essential for protecting against the growing risks posed by AI agents, copilots, and plugins directly accessing corporate data. It uses AI-augmented classification to automatically and precisely classify sensitive information across all formats, including unstructured content and data in use – achieving 10x fewer false positives than traditional methods. It includes over 140 pre-trained machine learning classifiers and customizable models to secure critical assets like patents, contracts and source code.
  • Smarter, Faster Protection with Private App Security: Private applications are the engine of many businesses and are prime targets for cyberattacks. Older static rule-based web application firewalls (WAF) are simply no match for threats custom-built for dynamic applications. Palo Alto Networks’ new Private App Security automatically adapts to shield these essential applications and constantly updates security policies for applications.

Palo Alto Networks continues to demonstrate market leadership and disruptive innovation in SASE, with SASE ARR reaching $1.3 billion in fiscal year 2025, growing 35% year-over-year—more than twice the rate of the overall market. For three consecutive years, Palo Alto Networks has been named a Leader in the Gartner® Magic Quadrant™ for SASE Platforms for Prisma SASE. In addition, Palo Alto Networks has been named a Leader for three consecutive years in the Magic Quadrant for Security Service Edge, and five times in the Magic Quadrant for SD-WAN. With over 6,300 SASE customers, including one-third of the Fortune 500, this single-vendor platform simplifies operations and provides a clear path to scale, with adoption of the Prisma Browser surpassing 6 million licensed seats.

These innovations and other key SASE features will be generally available later this year. To learn more, read the blog.

Palo Alto Networks Delivers Enterprise Wide Quantum Security Readiness for All Customers

Posted in Commentary on August 14, 2025 by itnerd

Palo Alto Networks today announced two new security solutions to help organizations confidently navigate the evolving quantum landscape, and to keep pace with highly dynamic cloud and AI environments. These innovations provide enterprises with the visibility, agility and robust defenses needed to accelerate their quantum readiness and secure their workloads in a multicloud world.

The innovations cover the entire quantum readiness lifecycle and mark Palo Alto Networks' network security platform as the industry’s first to automatically discover, deploy, and scale security for dynamic multicloud and AI environments.

All Palo Alto Networks network security customers will automatically benefit from:

  • Accelerated Quantum Readiness. The new Quantum Readiness Dashboard provides complete visibility into cryptographic posture, and the industry’s first Cipher Translation automatically upgrades applications to be quantum-safe. 14 new 5th-generation NGFWs are also optimized for post-quantum cryptography.
  • Simplified Cloud Network Security. Includes a new Cloud Network and AI Risk Assessment for continuous risk identification, and new automatic deployment of firewalls and Prisma AIRS instances to secure a multicloud networking mesh. Management is centralized in the updated Strata Cloud Manager, automating security deployment to scale protection on demand.
  • Expanded Use of Precision AI: Precision AI capabilities now extend to device, DNS, and CDSS security.

These innovations and other key features will be available through a software upgrade to PAN-OS 12.1 Orion. To learn more about PAN-OS 12.1 Orion and Palo Alto Networks next-generation security solutions, read the blog.

JavaGhost Uses Amazon IAM Permissions to Phish Organizations

Posted in Commentary on March 3, 2025 by itnerd

Researchers have observed the JavaGhost threat actor group using phishing to target AWS environments. This group takes advantage of misconfigurations in the victim organizations’ environments that expose AWS credentials in the form of long-term access keys. More info from Palo Alto’s Unit 42 is available here: https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/

Jim Routh, Chief Trust Officer at cybersecurity company Saviynt had this to say:

“Cyber threat actors with sophisticated technical skills and solid business sense now know that maintaining persistence within enterprises using back doors with command and control capabilities is getting more difficult to sustain, due to improvements in endpoint monitoring and network-level behavioral analysis that comes with cybersecurity product maturity. As a byproduct, threat actors are doing what they do best: adjusting their tactics. 

Threat actors know that compromising credentials is most effective to both penetrate enterprise cyber defenses and to operate within an enterprise to escalate privilege and obtain access to digital assets to monetize in various ways. Obtaining cloud-based credentials used in identity access management (IAM) services for IaaS providers offers sophisticated threat actors an opportunity to gain access to digital assets, while minimizing the probability of detection. 

This news represents an acknowledgement by threat actors that cloud and IaaS account compromise continues to offer profitable opportunities for exploitation. Enterprises and the tech industry should look for different ways to more effectively manage IaaS and SaaS account configuration and management. The on-boarding of accounts for cloud-based services represents today a weakness that will continue to be exploited by sophisticated threat actors. Many enterprises struggle with the onboarding (registration, configuration) of cloud accounts due to backlogs for the many types of cloud accounts essential for meeting service levels for enterprise users. Enterprises need to get more creative in addressing the backlog and provide faster, more responsive onboarding for these accounts. Many established and mature IAM practices and processes were designed for managing access to systems within a proprietary data center. Providing effective IAM management for cloud accounts is a struggle for many enterprises that threat actors like JavaGhost are taking advantage of.” 

Roger Grimes, data-driven defense evangelist at KnowBe4 follows with this:

“This is another example of how not doing the basics better can hurt you. When clouds really took over a decade ago, ‘experts’ worried about all the new cloud-specific attacks we would see and become accustomed to. But what has proven true over time is that the same things that plague us in on-premise environments for over 2-3 decades are still what plagues us in cloud environments. In this case, overly permissive permissions and social engineering. Social engineering is responsible for 70% – 90% of successful attacks. Overly permissive permissions are also a top threat (but surpassed also by vulnerability exploits and stolen credentials).

If you want to keep hackers and their malware creations out, concentrate on the long-time basics, not just as part of everything you are doing, but primarily what you are doing. If you’re not stopping social engineering, exploits against unpatched vulnerabilities, credential theft (79% of the time through social engineering), and misconfigurations, of which overly permissive permissions is one type, then you aren’t going to stop hackers. The only difference now is you need to learn how to do it in both on-premises and cloud environments. But the threats are the same.”

If your organization has any exposure to AWS, I’d set aside some time to read this report, specifically the protections and mitigations section, which should help to make you safer.
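As an added defensive example, not taken from the Unit 42 report, here is a Python check over an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-decoded) that flags the long-term access keys the post describes as the exposure: keys that are active but unrotated beyond a policy age, never used, or idle. The age thresholds are illustrative and the report rows are constructed, using a subset of the real report's column names.

```python
"""Flag long-term IAM access keys from an AWS credential report (added example).

Assumptions (not from the post): MAX_KEY_AGE_DAYS and MAX_UNUSED_DAYS are
illustrative policy values, and CREDENTIAL_REPORT_CSV is a constructed sample
using a subset of the real report's columns, not data from any real account.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # rotate long-term keys older than this
MAX_UNUSED_DAYS = 45    # deactivate keys idle for longer than this

# Constructed sample report: a root account, a CI user with a stale key, and an
# analyst with one never-used key and one healthy key.
CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-03-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-03-10T09:00:00+00:00,2025-02-28T11:20:00+00:00,us-east-1,ses,false,N/A,N/A,N/A,N/A
analyst,arn:aws:iam::111122223333:user/analyst,2025-01-05T12:00:00+00:00,true,2025-02-27T08:00:00+00:00,2025-01-05T12:00:00+00:00,2025-04-05T12:00:00+00:00,true,true,2025-01-05T12:00:00+00:00,N/A,N/A,N/A,true,2025-02-01T12:00:00+00:00,2025-02-27T08:30:00+00:00,eu-west-1,sts
"""

# Constructed "today" so the sample output is stable.
SAMPLE_NOW = datetime(2025, 3, 3, tzinfo=timezone.utc)


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601; N/A-style markers become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, key_slot, reason) tuples for active long-term keys needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue  # inactive or absent key: nothing to rotate
            rotated = _parse_ts(row[f"{slot}_last_rotated"])
            last_used = _parse_ts(row[f"{slot}_last_used_date"])
            if rotated is not None and (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((row["user"], slot, f"unrotated for {(now - rotated).days} days"))
            if last_used is None:
                # Active but never used: typically a leftover from onboarding.
                findings.append((row["user"], slot, "active but never used"))
            elif (now - last_used).days > MAX_UNUSED_DAYS:
                findings.append((row["user"], slot, f"idle for {(now - last_used).days} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the constructed 'now'."""
    return audit_credential_report(CREDENTIAL_REPORT_CSV, SAMPLE_NOW)


if __name__ == "__main__":
    for user, slot, reason in audit_sample():
        print(f"{user}: {slot} {reason}")
```

Every key this flags is a candidate for replacement with short-lived credentials (roles, instance profiles, or federated sessions), which removes the long-term secret the post says JavaGhost depends on.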

Business Disruption, AI-Assisted Attacks, Insider Threats and Accelerated Intrusions on Multiple Fronts Define the New Cyberthreat Landscape says Palo Alto Networks

Posted in Commentary on February 26, 2025 by itnerd

Palo Alto Networks Unit 42 released its 2025 Global Incident Response Report, revealing that 86% of major cyber incidents in 2024 resulted in operational downtime, reputational damage or financial loss.

The report (based on 500 major cyber incidents that Unit 42 responded to across 38 countries and every major industry) highlights a new trend: financially motivated attackers have shifted their focus to deliberate operational disruption, prioritizing sabotage – destroying systems, locking customers out and causing prolonged downtime – to maximize impact and pressure organizations into paying extortion demands.

The 2025 Global Incident Response Report highlights several trends:

  • Cyberattacks Are Moving Faster than Ever
  • The Rise of Insider Threats 
  • Multipronged Attacks Are the New Norm
  • Phishing Makes a Comeback
  • Cloud Attacks Are Increasing
  • AI Is Accelerating the Attack Lifecycle 

The speed, sophistication and scale of attacks have reached unprecedented levels with AI-assisted threats and multipronged intrusions, underscoring that organizations faced an increasingly volatile threat landscape in 2024.

To see the results from this year’s report, please visit the accompanying blog as well as the full report.

Palo Alto Networks Introduces Cortex Cloud

Posted in Commentary on February 13, 2025 by itnerd

Palo Alto Networks is doubling down on cloud security with the introduction of Cortex® Cloud, the next version of Prisma Cloud, which natively brings together new releases of its best-in-class cloud detection and response (CDR) and industry-leading cloud native application protection platform (CNAPP) capabilities on the unified Cortex platform. The new solution, announced today, equips security teams with significant innovations powered by AI and automation that go beyond traditional “peace time” approaches to cloud security and stop attacks in real time.

Unit 42® reports reveal that 80% of security exposures were found in cloud attack surfaces, with a 66% increase in threats targeting cloud environments. As cloud adoption and AI usage grow, Cortex Cloud unifies data, automates workflows, and applies AI-driven insights to reduce risk, prevent threats, and stop attacks in real time. Cortex Cloud is designed to ingest and analyze data from third-party tools to provide centralized visibility, AI-driven insights and end-to-end remediation across the entire cloud security ecosystem.

Cortex Cloud delivers on Palo Alto Networks' platformization strategy by rearchitecting its cloud security solution on the AI-driven Cortex SecOps platform to deliver a powerful unified user experience with persona-driven dashboards and workflows. Cortex Cloud helps customers achieve superior protection at a significantly lower total cost of ownership and provides additional value and new features including:

  • Application security: Build secure apps and prevent issues in development before they become production issues that attackers can target. Cortex Cloud identifies and prioritizes issues across the entire development pipeline with end-to-end context across code, runtime, cloud and newly introduced third-party scanners.
  • Cloud posture: Improve multi-cloud risk management with new AI-powered prioritization, guided fixes to resolve multiple risks with a single action, and automated remediation. Additionally, Cortex Cloud delivers a single user experience with tight integration across all of Prisma Cloud’s cloud posture capabilities.
  • Cloud runtime: Stop attacks in real time. Cortex Cloud natively integrates the unified Cortex XDR agent, enriched with additional cloud data sources, to prevent threats with advanced analytics – as proven by industry-leading results in the most recent MITRE ATT&CK testing. Our new Cloud Runtime Security offering includes the world’s leading CNAPP capabilities at no additional cost, maximizing adoption of end-to-end cloud security on a single platform.
  • SOC: The preferred SOC platform for enterprise and cloud, expanding beyond what any SIEM can deliver. Cortex Cloud natively integrates cloud data, context and workflows within Cortex XSIAM to significantly reduce the mean time to respond (MTTR) to modern threats with a single, unified SecOps solution.

Customer Delivery

Existing Prisma Cloud customers will experience a seamless upgrade to Cortex Cloud, and will now experience the power of streamlined, real-time cloud security. Existing Cortex XSIAM customers who add Cortex Cloud gain the ability to seamlessly adopt CNAPP capabilities that are native-by-design on the world’s most complete AI-powered, enterprise-to-cloud SecOps platform. Cortex Cloud will be available to customers later in Q3 FY25.

Introducing Cortex Cloud Launch Partners

Eager to roll out the differentiated Cortex Cloud to customers are Palo Alto Networks’ esteemed integration partners: CyberCX, Deloitte, IBM and Orange Cyberdefense. Together with each partner, Palo Alto Networks will drive end-to-end SecOps transformation across enterprise and cloud environments, enabling organizations to achieve superior risk reduction, rapid threat prevention and streamlined operational efficiency.

To learn more about Cortex Cloud, the Cortex platform and how Palo Alto Networks is transforming cybersecurity through real-time security, read our blog and register for Cortex’s annual signature event, Symphony 2025.

New Research from Unit 42 Reveals DeepSeek is Vulnerable to Jailbreaking

Posted in Commentary on January 31, 2025 by itnerd

Palo Alto Networks’ threat intelligence team, Unit 42, released research revealing that DeepSeek is concerningly vulnerable to jailbreaking and can produce nefarious content with little to no specialized knowledge or expertise.

The new research exposes the security risks of employees using unauthorized third-party LLMs and stresses the need to address these vulnerabilities when integrating open source LLMs into business processes. 

The research reveals: 

  • High bypass/jailbreak rates, highlighting the potential risks of emerging attack vectors that can be used by malicious actors
  • Jailbreak methods can elicit explicit guidance for malicious activities and could greatly accelerate their operations
  • Malicious activities include creating keyloggers—software or hardware designed to record keystrokes on a computer or device—as well as stealing and exfiltrating data, demonstrating the security risks to businesses. 

In addition to the research, the team shared commentary from Sam Rubin, SVP of Consulting and Threat Intelligence of Unit 42, discussing the findings.

Unit 42’s DeepSeek jailbreaking research shows that we can’t always trust that LLMs will work as they intend — they are able to be manipulated. It’s important that companies consider these vulnerabilities when building open source LLMs into business processes. We have to assume that LLM guardrails can be broken and safeguards need to be built in at the organizational level.

And, as organizations look to leverage these models, we have to assume threat actors are doing the same—with the goal of accelerating the speed, scale, and sophistication of cyberattacks. We’ve seen evidence that nation state threat actors are leveraging OpenAI and Gemini to launch attacks, improve phishing lures, and write malware. We expect attacker capabilities will get more advanced as they refine their use of AI and LLMs and even begin to build AI attack agents. 

You can read the research here.

IBM and Palo Alto Networks Find Platformization is Key to Reduce Cybersecurity Complexity

Posted in Commentary on January 29, 2025 by itnerd

New global research from the IBM Institute for Business Value (IBV) and Palo Alto Networks found that surveyed organizations are facing security complexity challenges as they juggle an average of 83 different security solutions from 29 vendors. It also shows 7 out of 10 surveyed companies with a high degree of security platformization report their cybersecurity investments have helped business outcomes such as operational efficiencies and revenue generation.

In the study, “Capturing the cybersecurity dividend: How security platforms generate business value,” more than half (52%) of surveyed executives note fragmentation of security solutions is limiting their ability to deal with cyber threats, but 75% of organizations that have embraced security platformization agree that better integration across security, hybrid cloud, AI, and other technology platforms is crucial. The analysis suggests the trend of adding more solutions to combat evolving security threats is contributing to inefficiency – impacting both performance and the bottom line – while moving to a platformized security approach can help businesses achieve reduced response times and costs without sacrificing security efficacy.

Cybersecurity Complexity is a Daunting Reality

Increased digital interconnectedness expands attack surfaces and can create new cybersecurity vulnerabilities. Cyberattacks are becoming more sophisticated and harder to defend against, while AI is being used by both defenders and attackers, creating a race in cybersecurity capabilities.

In an evolving threat landscape, surveyed executives estimate security fragmentation and complexity costs their organizations an average of 5% of their annual revenue. For a $20 billion annual revenue company, that’s a $1 billion cost to the business in aggregate. Tally the costs of security incidents, lost productivity, failed digital transformations, stalled AI initiatives, loss of customer trust and reputational damage and the numbers add up.

Key insights from surveyed business leaders:

  • 52% of executives say complexity is the biggest impediment to their cybersecurity operations;
  • 80% agree they face pressure to reduce the cost of security, and 41% say security fragmentation has driven up procurement costs;
  • 4 out of 5 non-platform organizations say their security operations cannot effectively deal with the sheer quantity of threats and attacks;
  • 80% of platformization adopters say they have full visibility into potential vulnerabilities and threats; and,
  • For platformized organizations, mean time to identify (MTTI) and mean time to contain (MTTC) security incidents are shorter by an average of 72 and 84 days, respectively.

Enhancing Businesses with Platformization: Unleashing the Power of Digital Transformation

In today’s world, the research finds effective security requires platformization. Consolidating multiple tools into a unified platform not only bolsters security posture but enables organizations to experience nearly 4 times better return on investment (ROI) from their cybersecurity investments, leading to revenue generation and increased operational efficiencies.

When it comes to AI, a platform approach can also enable an organization to better ingest and analyze data to deliver actionable insights. With 90% of surveyed executives expecting to scale, optimize, or innovate with AI within the next two years, integrating AI into their platforms can play a critical role in advancing their security preparedness. For example, accelerating adoption of agentic AI for security and tapping platformization for fewer investment cycles; or, using platformization to create the common governance needed to deliver the AI capabilities shaping the future.

By adopting a platformization approach, businesses can align technologies, drive innovation, and prioritize security as a core business requirement. Through IBM and Palo Alto Networks’ strategic partnership, the companies are bringing together leading security platforms, AI, and transformation capabilities to help organizations confidently navigate their digital transformation journey, achieve their desired outcomes and drive substantial business value.

Tips for Platformization Success

  • Choose partners that streamline your security mission and trim those that don’t. Critically evaluate current and potential technology, services, and support partners, and make hard decisions about where to double down and when to part ways.
  • Run your playbook. Stage incident response drills to assess where a unified platform can deliver the greatest impact. Take action to improve your incident response capabilities.
  • Help your business get prepared to respond to threats by putting it to the test. Visit a cyber range to prepare business and technical teams to address the latest cyber threats through an immersive, organization-wide business-focused engagement. IBM and Palo Alto Networks now provide a joint Cyber Range experience in Cambridge, Massachusetts, where clients can leverage the facility to support continuous improvement, training, and change management as they transform their security operating models with platformization.

Study Methodology

This IBM Institute for Business Value (IBV) research, conducted in collaboration with Oxford Economics and published in partnership with Palo Alto Networks, surveyed 1,000 executives across 21 industries and 18 countries from July through September 2024. The IBM IBV team then analyzed insights and data from respondents to facilitate the creation of a “platformization index,” which measures the extent to which an organization has moved toward security platformization, then used that index to ascertain the relationship between security platformization and security and business outcomes.

The IBM IBV, IBM’s thought leadership think tank, combines global research and performance data with expertise from industry thinkers and leading academics to deliver insights that make business leaders smarter. For more world-class thought leadership, visit: www.ibm.com/ibv.

Unit 42 Research Unveils Biggest Attack Surface Risks

Posted in Commentary on August 20, 2024 by itnerd

Recently, Palo Alto Networks released the 2024 Unit 42 Attack Surface Threat Report unveiling the biggest risks facing the growing attack surface and key recommendations for organizations to strengthen their security postures.

Key points from the report:

  • Attack surface change inevitably leads to exposures: Across industries, attack surfaces are always in a state of flux.
    • On average, an organization’s attack surface has over 300 new services every month. 
    • These additions account for nearly 32% of new high or critical cloud exposures for organizations.
  • Opportunities for lateral movement and data exfiltration are abundant: Just 3 categories of exposures – IT and Networking Infrastructure, Business Operations Applications, and Remote Access Services – account for 73% of high-risk exposures across the organizations.
    • These can be exploited for lateral movement and data exfiltration.
  • Critical IT and security services are dangerously exposed to the internet: Over 23% of exposures involve critical IT and security infrastructure, opening doors to opportunistic attacks.
    • These include vulnerabilities in application-layer protocols like SNMP, NetBIOS, PPTP, and internet-accessible administrative login pages of routers, firewalls, VPNs, and other core networking and security appliances.
  • Industry Attack Surface Outlook
    • Analysis revealed that the media and entertainment industry experienced the highest rate of new services added, exceeding 7,000 per month. 
    • The telecommunications, insurance, pharma and life sciences sectors also faced substantial increases, with over 1,000 new services added to their attack surfaces. 
    • Critical industries such as financial services, healthcare, and manufacturing saw their attack surfaces add over 200 new services every month. 
    • For the past three years, Unit 42 analysis has consistently identified professional services, healthcare, high technology, finance, manufacturing, wholesale and retail as the top 6 industries to which we’ve provided IR services.

You can read the report here.