Latest Unit 42 Threat Intelligence Findings From Last Quarter

Below is an approachable summary of the most important new research published by Unit 42 in the latest quarter. These insights highlight how cyber adversaries are evolving, where defenders should focus, and what makes each discovery significant to the wider security community. All credit goes to the authors of the original research.

1. AdaptixC2 Used in Active Attacks

What happened
Unit 42 researchers identified the open source AdaptixC2 framework being used by real attackers. Although created for security testing, adversaries now use it after they have already gained access to a network to run commands, move files and quietly exfiltrate data. Because the tool is modular and freely available, it can be customized to evade detection and blend in with legitimate activity.

Why it matters
Security teams can no longer assume that open source red-team tools are only used by professionals in controlled environments. The tools have found their way into criminal operations quickly and quietly.

Defensive focus
Pay close attention to suspicious command execution, unusual file transfers and any signs of lateral movement. Strong internal access controls remain essential.

Link to the analysis: https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/


2. Attackers Selling Victim Bandwidth Through SDK Abuse

What happened
Researchers uncovered a creative monetization method used by attackers. Instead of stealing data or deploying ransomware, they exploited a vulnerability in GeoServer to turn compromised systems into proxy nodes. Those devices became part of a network through which the attackers sold the victims' bandwidth to others. The proxy functionality is delivered inside third-party software development kits, which makes it hard to spot.

Why it matters
Not every attack today focuses on encryption or data theft. Some attackers simply want to quietly profit by misusing your infrastructure.

Defensive focus
Audit any third-party SDKs, restrict network permissions and monitor for unexpected outbound traffic patterns or proxy-like behavior.

Link to the analysis: https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdks/
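The "proxy-like behavior" called out above has a measurable signature: a host that relays traffic for unrelated third parties shows an unusually wide outbound fan-out (many distinct destinations and destination ports in a short window) compared with a normal workstation or server. The following script is an added example written for this summary; it is not Unit 42's code and is not taken from the article. The flow-record layout, the thresholds, the 60-second window and the sample flows are all constructed assumptions, chosen only to show the heuristic at work.

```python
"""Heuristic detection of proxy-like outbound fan-out from internal hosts.

Added example, not Unit 42's code. Reads simple flow records
(ISO timestamp, src, dst, dport, bytes_out), groups them by source address,
and flags sources whose distinct-destination count inside a sliding time
window, or whose distinct destination-port count, exceeds a threshold.
All field layout, thresholds and sample data are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def max_fanout(flows: List[Flow], window: timedelta) -> int:
    """Largest number of distinct destinations contacted within any window of the given length."""
    flows = sorted(flows, key=lambda f: f.ts)
    best, start = 0, 0
    for end in range(len(flows)):
        # Advance the window start until the oldest flow fits inside the window.
        while flows[end].ts - flows[start].ts > window:
            start += 1
        best = max(best, len({f.dst for f in flows[start:end + 1]}))
    return best


def find_proxy_like_hosts(flows: List[Flow],
                          window: timedelta = timedelta(seconds=60),
                          dst_threshold: int = 10,
                          port_threshold: int = 4) -> Dict[str, dict]:
    """Return {src: metrics} for sources whose fan-out looks like relayed third-party traffic."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    findings = {}
    for src, fl in by_src.items():
        fanout = max_fanout(fl, window)
        ports = len({f.dport for f in fl})
        if fanout >= dst_threshold or ports >= port_threshold:
            findings[src] = {
                "max_distinct_dst": fanout,
                "distinct_ports": ports,
                "bytes_out": sum(f.bytes_out for f in fl),
            }
    return findings


def _constructed_sample() -> str:
    """Constructed sample telemetry (documentation IP ranges), not real data."""
    lines = [
        "# constructed sample, not real telemetry",
        "2025-01-10T09:00:01 10.0.5.21 203.0.113.4 443 1400",
        "2025-01-10T09:00:04 10.0.5.21 203.0.113.4 443 2200",
        "2025-01-10T09:00:09 10.0.5.21 203.0.113.8 443 900",
    ]
    # One host contacting 12 different destinations on 4 ports inside 50 seconds.
    base = datetime(2025, 1, 10, 9, 0, 0)
    for i in range(12):
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        port = [80, 443, 8080, 3128][i % 4]
        lines.append(f"{ts} 10.0.5.77 198.51.100.{i + 1} {port} {300 + 10 * i}")
    return "\n".join(lines)


SAMPLE_FLOWS = _constructed_sample()

if __name__ == "__main__":
    for src, metrics in find_proxy_like_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"proxy-like fan-out from {src}: {metrics}")
```

In practice the thresholds need tuning per asset class (a mail relay or a DNS forwarder legitimately shows high fan-out), so the finding is best treated as a triage signal to pair with the SDK audit and egress restrictions recommended above rather than as a standalone alert.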


3. Code Assist AI Tools Targeted and Manipulated

What happened
Unit 42 examined the risks connected to modern code assistant tools powered by artificial intelligence. Threat actors have found ways to manipulate them through indirect prompt injection, meaning corrupted external data can trick the tool into writing insecure code or leaking sensitive information. This quietly creates backdoors or vulnerabilities without a developer noticing.

Why it matters
Software development has entered a new era. While AI speeds up coding, it also introduces new supply chain risks if not carefully monitored.

Defensive focus
Continue human code reviews, limit external AI plugin usage and regularly audit code generated or assisted by AI tools.

Link to the analysis: https://unit42.paloaltonetworks.com/code-assistant-llms/


4. Phantom Taurus APT and the NET STAR Malware Suite

What happened
Unit 42 exposed a new nation-state threat actor known as Phantom Taurus, linked to interests aligned with China. Over the past two and a half years this group targeted diplomatic, telecommunications and government organizations across Africa, Asia and the Middle East. Their custom malware suite, named NET STAR, reveals a patient, highly capable and persistent adversary focused on long-term access.

Why it matters
Advanced persistent threats continue to develop new tools and techniques focused on strategic intelligence and long-term footholds.

Defensive focus
Monitor for persistent access methods, custom malware signatures and unusual communication behavior, not just initial access attempts.

Link to the analysis: https://unit42.paloaltonetworks.com/phantom-taurus/


5. Large Scale Global Smishing Campaign

What happened
A group called the Smishing Triad launched a massive text message phishing campaign, initially targeting individuals in the United States and recently expanding worldwide. They impersonate well-known organizations, including banks, healthcare providers and e-commerce services, using thousands of rapidly rotating domains to trick victims into clicking malicious links and entering personal information.

Why it matters
SMS-based social engineering has surged, and organizations must treat text-based scams with the same seriousness traditionally reserved for email phishing.

Defensive focus
Train users specifically on SMS scams, flag short-link abuse and monitor user account traffic for suspicious login activity following phishing attempts.

Link to the analysis: https://unit42.paloaltonetworks.com/global-smishing-campaign/


Summary

The last quarter demonstrated clear shifts across the cyber threat landscape. Adversaries are repurposing open source security tools, discovering new ways to profit from victim resources, exploring vulnerabilities in AI-assisted development tools and expanding global social engineering operations. Nation-state actors remain persistent and strategic.

Security programs should focus not only on preventing intrusions, but also on detecting subtle post-compromise techniques, validating development pipelines and educating users about evolving phishing channels beyond email.
