Unit 42
Coverage of Unit 42 in the Nexus archive.
- State-backed hackers hammer Palo Alto firewall zero-day before patch lands
State-backed hackers have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls, tracked as CVE-2026-0300, to gain root access without login required. The flaw affects the Captive Portal feature in PAN-OS on PA-Series and VM-Series firewalls. Attacks are already underway, tied to a cluster of likely state-sponsored threat activity tracked as CL-STA-1132.
- BlackFile actively extorting data-theft victims in retail and hospitality sector
BlackFile, a cyber extortion group linked to The Com, is targeting retail and hospitality organizations via voice-phishing and social engineering to steal data and demand ransoms. The group, tracked under aliases like CL-CRI-1116 and Cordial Spider, uses SaaS environments and data-leak sites to pressure victims, with attacks ongoing since February 2025.