Blog
Cloud Security
Cortex Cloud Security Research

Cortex Cloud Security Research

Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite

In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speaking government entities. We track this Middle Eastern threat actor as Ashen Lepus (aka WIRTE).

Malware

Threat Actor Groups

Ashen Lepus

Espionage

WIRTE

Dec 11, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, control plane, Curious Serpens, data plane, logging, Microsoft Azure, pentest tool

Cloud Discovery With AzureHound

AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerat...

Oct 24, 2025

By Margaret Kelley, Bill Batchelor, Eyal Rafian

Cloud Cybersecurity Research, Cybercrime, Threat Research, CL‑CRI‑1032, Microsoft, phishing, smishing

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

Unit 42 stopped monitoring this threat and updating the brief on Sept. 18, 2025. Please refer to the Microsoft SharePoin...

Oct 22, 2025

By Stav Setty, Shachar Roitman

Hospitality Hacks and Retail Reality Checks, Insights, Threat Actor Groups, Bling Libra, Extortion, Lapsus$, Muddled Libra, Retail, Scattered Spider, ShinyHunters

The Golden Scale: Bling Libra and the Evolving Extortion Economy

Oct 10, 2025

By Matt Brady

Cloud Cybersecurity Research, General, Insights, Cloud Infrastructure Protection, Cloud Security, Unit 42 Incident Response Report

Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 G...

Cloud incidents like ransomware attacks and account compromise can bring operations to a h...

Oct 07, 2025

By Margaret Kelley

Malware, Threat Actor Groups, China, CL-STA-0043, Phantom Taurus, TGR-STA-0043

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR M...

Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests....

Sep 30, 2025

By Lior Rochberger

Malware, Threat Actor Groups, Bookworm, Stately Taurus

Bookworm to Stately Taurus Using the Unit 42 Attribution Framework

Our research uncovered a fundamental flaw in the AI supply chain that allows attackers to gain Remote Code Execution (RCE) and additional capabilities...

Sep 24, 2025

By Kyle Wilhoit

Cloud Cybersecurity Research, Threat Research, Azure, GenAI, Google, Microsoft, supply chain

Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trus...

BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain condit...

Sep 03, 2025

By Itay Saraf, Ofir Balassiano

Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Academic Serpens, Agent Serpens, Agonizing Serpens, Alloy Taurus, Ambitious Scorpius, Bashful Scorpius

Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, ...

This article lists selected threat actors tracked by Palo Al...

Aug 01, 2025

By Unit 42

Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Threat Research, Advanced Persistent Threat, Bookworm, nomenclature, Stately Taurus

Introducing Unit 42’s Attribution Framework

Threat actor attribution has traditionally been considered more art than science, often re...

Jul 31, 2025

By Andy Piazza, Kyle Wilhoit, Robert Falcone, David Fuertes

Business Email Compromise, Cybercrime, Malware, Threat Actor Groups, Trend Reports, Agent Serpens, Agentic AI, ClickFix, Credential Harvesting, Lumma Stealer

2025 Unit 42 Global Incident Response Report: Social Engineering Edition

We see social engineering evolving into one of the most reli...

Jul 30, 2025

By Unit 42

Malware, Threat Actor Groups, Threat Research, Vulnerabilities, Advanced Persistent Threat, backdoor, CL-STA-0969, GALLIUM, GoLang, Liminal Panda

The Covert Operator's Playbook: Infiltration of Global Telecom Networks

Unit 42 has observed multiple incidents targeting the telecommunications industry in South...

Jul 29, 2025

By Renzon Cruz, Nicolas Bareil, Navin Thomas

High Profile Threats, Malware, Threat Actor Groups, 0ktapus, ALPHV, BlackCat ransomware, MITRE, Muddled Libra, phishing, Scatter Swine

Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful

Unit 42 has tracked and responded to several waves of intrusion operations conducted by th...

Jul 25, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, AWS, Azure, Cloud, Container, control plane, data plane, GCP, incident response

Cloud Logging for Security and Beyond

This article aims to simplify cloud logging best practices for each major cloud service provider (CSP) while considering security, regulatory and busi...

Jul 22, 2025

By Margaret Kelley, Nicole Weaver