Blog
Cloud Security
Cortex Cloud Security Research

Cortex Cloud Security Research

Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System

The offensive capabilities of large language models (LLMs) have until recently existed as theoretical risks – frequently discussed at security conferences and in conceptual industry reports, but rarely discovered in practical exploits. However, in November 2025, Anthropic published a pivotal report documenting a state-sponsored ...

Cloud Cybersecurity Research

Threat Research

Cloud

data exfiltration

GCP

Google Cloud

LLMs

multi-agent

penetration testing

Apr 23, 2026

By Yahav Festinger, Chen Doytshman

Malware, Threat Actor Groups, CL-STA-1048, CL-STA-1049, Stately Taurus, Trojan

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asi...

We uncovered a High severity security vulnerability CVE-2026-0628 in Google's implementation of the new Gemini feature in Chrome. This vulnerability a...

Mar 26, 2026

By Doel Santos, Hiroaki Hara

Cloud Cybersecurity Research, Threat Research, Google, google authenticator, Google Chrome, identity, passkey, passwordless

Google Cloud Authenticator: The Hidden Mechanisms of Passwordless Authentic...

Passwordless authentication is often presented as the end of account takeover. But to unde...

Mar 23, 2026

By Arie Olshtein

Cybercrime, Nation-State Cyberattacks, Threat Actor Groups, Threat Research, Advanced Persistent Threat, Boggy Serpens, C2, LampoRAT, malware, MuddyWater

Boggy Serpens Threat Assessment

We have been tracking ongoing cyberespionage campaigns by the threat group Boggy Serpens, also known as MuddyWater. Attr...

Mar 16, 2026

By Unit 42

Cybercrime, Threat Actor Groups, Muddled Libra, PowerShell, Scattered Spider, UNC3944, virtual machines

A Peek Into Muddled Libra’s Operational Playbook

Feb 10, 2026

By Justin De Luna, Noah Rincon, Cuong Dinh

Cloud Cybersecurity Research, Threat Research, API, IAM, MITRE, Muddled Libra, Silk Typhoon

Novel Technique to Detect Cloud Threat Actor Operations

Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The...

Feb 06, 2026

By Nathaniel Quist

Nation-State Cyberattacks, Threat Actor Groups, Espionage, Government, phishing, TGR-STA-1030

The Shadow Campaigns: Uncovering Global Espionage

This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. W...

Feb 05, 2026

By Unit 42

Cloud Cybersecurity Research, DNS, Threat Research, Microsoft Azure, networking

DNS OverDoS: Are Private Endpoints Too Private?

We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentio...

Jan 20, 2026

By Golan Myers

Ransomware, Threat Actor Groups, Threat Research, ESXi, Jolly Scorpius, RansomHouse

From Linear to Complex: An Upgrade in RansomHouse Encryption

Unit 42 uncovered the previously unseen KSwapDoor. This Linux backdoor was initially mistaken for BPFDoor.

Dec 17, 2025

By Anmol Maurya, Jingwen Shi

Malware, Threat Actor Groups, Ashen Lepus, Espionage, WIRTE

Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities Wit...

In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speakin...

Dec 11, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, control plane, Curious Serpens, data plane, logging, Microsoft Azure, pentest tool

Cloud Discovery With AzureHound

AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerat...

Oct 24, 2025

By Margaret Kelley, Bill Batchelor, Eyal Rafian

Cloud Cybersecurity Research, Cybercrime, Threat Research, CL‑CRI‑1032, Microsoft, phishing, smishing

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

Unit 42 stopped monitoring this threat and updating the brief on Sept. 18, 2025. Please refer to the Microsoft SharePoin...

Oct 22, 2025

By Stav Setty, Shachar Roitman

Hospitality Hacks and Retail Reality Checks, Insights, Threat Actor Groups, Bling Libra, Extortion, Lapsus$, Muddled Libra, Retail, Scattered Spider, ShinyHunters

The Golden Scale: Bling Libra and the Evolving Extortion Economy

Oct 10, 2025

By Matt Brady

Cloud Cybersecurity Research, General, Insights, Cloud Infrastructure Protection, Cloud Security, Unit 42 Incident Response Report

Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 G...

Cloud incidents like ransomware attacks and account compromise can bring operations to a h...

Oct 07, 2025

By Margaret Kelley

Malware, Threat Actor Groups, China, CL-STA-0043, Phantom Taurus, TGR-STA-0043

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR M...

Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests....

Sep 30, 2025

By Lior Rochberger

Malware, Threat Actor Groups, Bookworm, Stately Taurus

Bookworm to Stately Taurus Using the Unit 42 Attribution Framework

Our research uncovered a fundamental flaw in the AI supply chain that allows attackers to gain Remote Code Execution (RCE) and additional capabilities...

Sep 24, 2025

By Kyle Wilhoit

Cloud Cybersecurity Research, Threat Research, Azure, GenAI, Google, Microsoft, supply chain

Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trus...

BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain condit...

Sep 03, 2025

By Itay Saraf, Ofir Balassiano

Get the latest news, invites to events, and threat alerts

By submitting this form, I understand my personal data will be processed in accordance with Palo Alto Networks Privacy Statement and Terms of Use.

Cortex Cloud Security Research

Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asi...

Google Cloud Authenticator: The Hidden Mechanisms of Passwordless Authentic...

Boggy Serpens Threat Assessment

A Peek Into Muddled Libra’s Operational Playbook

Novel Technique to Detect Cloud Threat Actor Operations

The Shadow Campaigns: Uncovering Global Espionage

DNS OverDoS: Are Private Endpoints Too Private?

From Linear to Complex: An Upgrade in RansomHouse Encryption

Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities Wit...

Cloud Discovery With AzureHound

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

The Golden Scale: Bling Libra and the Evolving Extortion Economy

Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 G...

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR M...

Bookworm to Stately Taurus Using the Unit 42 Attribution Framework

Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trus...

Get the latest news, invites to events, and threat alerts

Get the latest news, invites to events, and threat alerts

Products and Services

Company

Popular Links