Blog
Cloud Security
Cortex Cloud Security Research

Cortex Cloud Security Research

Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

Since late 2024, Unit 42 researchers have been tracking a cluster of suspicious activity as CL-STA-1020, targeting governmental entities in Southeast Asia. The threat actors behind this cluster of activity have been collecting sensitive information from government agencies, including information about recent tariffs and trade disputes.

Malware

Threat Actor Groups

AWS

backdoor

C2

CL-STA-1020

DLL Sideloading

Dropbox

Google Drive

Microsoft

Jul 14, 2025

By Lior Rochberger

Cybercrime, Threat Actor Groups, GoLang, Initial Access Broker, Microsoft, web server, web shells

GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Rev...

Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabi...

Jul 08, 2025

By Tom Marsden, Chema Garcia

Cybercrime, Hacktivism, High Profile Threats, Malware, Threat Actor Groups, Threat Research, Agent Serpens, Agonizing Serpens, Boggy Serpens, Curious Serpens

Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30)

The recent conflict involving Iran, particularly its militar...

Jun 25, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, AWS, Google Cloud, Microsoft Azure, serverless

Serverless Tokens in the Cloud: Exploitation and Detections

Jun 13, 2025

By Zohar Zigdon

Cloud Cybersecurity Research, Malware, Threat Research, endpoint, Linux Malware, Machine Learning, PowerShell, Remote Access Trojan, VBScript, Winnti

The Evolution of Linux Binaries in Targeted Cloud Operations

On January 31, a security researcher named Mohammad Faghani posted an analysis of malware...

Jun 10, 2025

By Nathaniel Quist, Bill Batchelor

Cloud Cybersecurity Research, DNS, Threat Research, endpoint, Microsoft Azure

Lost in Resolution: Azure OpenAI's DNS Resolution Issue

In late 2024, Unit 42 researchers discovered an issue with Azure OpenAI’s Domain Name System (DNS) resolution logic that could have enabled cross-tenant data leaks and meddler-in-t...

Jun 03, 2025

By David Orlovsky

High Profile Threats, Malware, Threat Actor Groups, 0ktapus, ALPHV, app-ID, BlackCat ransomware, MITRE, Muddled Libra, phishing

Threat Group Assessment: Muddled Libra (Updated May 16, 2025)

We’ve added an additional section to this article that describes the evolution of Muddled...

May 16, 2025

By Kristopher Russo, Austin Dever, Amer Elsad

Business Email Compromise, Cybercrime, Ransomware, Threat Actor Groups, Threat Research, Trend Reports, AI, Akira ransomware, BianLian, Bitter Scorpius

Extortion and Ransomware Trends January-March 2025

This article examines obfuscation techniques used in popular malware families, and offers...

Apr 23, 2025

By Unit 42

Cybercrime, Malware, Threat Actor Groups, Cryptocurrency, DPRK, GitHub, Infostealer, JavaScript Malware, Slow Pisces, social engineering

Slow Pisces Targets Developers With Coding Challenges and Introduces New Cu...

Recently, we discovered several new malware samples with unique characteristics that made...

Apr 14, 2025

By Prashil Pattni

Cloud Cybersecurity Research, Threat Research, IAM, JSON

OH-MY-DC: OIDC Misconfigurations in CI/CD

Recently, Unit 42 identified the NOKKI malware family that was used in attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. As part of this resea...

Apr 04, 2025

By Aviad Hahami

Cloud Cybersecurity Research, Threat Research, API attacks, Containers, IAM, serverless

Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on ...

The attacks against cloud-hosted infrastructure are increasing, and the proof is in the analysis of security alert trends. Recent research reveals tha...

Mar 27, 2025

By Nathaniel Quist

Cloud Cybersecurity Research, High Profile Threats, GitHub, supply chain

GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded ...

Update April 2: Recent investigations have revealed preliminary steps in the tj-actions and reviewdog compromise that were not known until now. We hav...

Mar 20, 2025

By Omer Gil, Aviad Hahami, Asi Greenholts, Yaron Avital

Business Email Compromise, Cloud Cybersecurity Research, Threat Research, Amazon Simple Email Service, AWS, IAM, JavaGhost, phishing

JavaGhost’s Persistent Phishing Attacks From the Cloud

Unit 42 researchers have observed phishing activity that we track as TGR-UNK-0011. We assess with high confidence that t...

Feb 28, 2025

By Margaret Kelley

Malware, Threat Actor Groups, Bookworm, DLL Sideloading, Stately Taurus, ToneShell

Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

This article reviews nine vulnerabilities we recently discovered in two utilities called cuobjdump and nvdisasm, both from NVIDIA's Compute Unified De...

Feb 20, 2025

By Robert Falcone