Recent Unit 42 research from Palo Alto Networks shows a clear pattern: attackers are not relying on one trick. They are combining social engineering, legitimate cloud tools, signed software, delayed execution, token abuse, and stealthy malware loading to make intrusions harder to notice.
Across four recent reports, Unit 42 covered Gremlin Stealer, TamperedChef-style malware, ROADtools abuse in cloud attacks, and Screening Serpens, an Iran-nexus APT group. Different names, different targets, different tooling, but the lesson is the same: modern attacks increasingly blend into normal activity.
A fake productivity app looks useful. A cloud enumeration tool looks like legitimate API traffic. A job interview lure looks personal and believable. An infostealer hides its real payload until runtime. That is what defenders are dealing with now.
1. Infostealers are becoming more than password grabbers
Gremlin Stealer is a good example of how commodity-style malware keeps evolving. Unit 42 describes newer Gremlin variants that target browser cookies, session tokens, cryptocurrency wallet data, clipboard contents, payment data, and FTP or VPN credentials. The malware is not just collecting saved passwords. It is going after the material that keeps people logged in and lets attackers bypass normal login barriers.
One of the more important details is how Gremlin hides itself. The newer version stores malicious content inside the .NET resource section and decodes what it needs at runtime. That makes static analysis less useful because the suspicious strings, logic, and payload material are not sitting in plain view. Unit 42 also notes the use of packing, obfuscation, identifier renaming, and staged loading.
The educational point here is simple: a modern infostealer should not be treated as a low-level nuisance. If it steals session tokens or browser data, the attacker may not need the victim's password again. If it monitors the clipboard for cryptocurrency addresses, it can interfere with transactions directly. If it talks to a running browser process, it may be trying to get around protections that tie decryption of stored cookies to the browser itself rather than to the profile files on disk.
For defenders, the strongest signals are often behavioral. Watch for unusual browser profile access, suspicious clipboard monitoring, unexpected compression of user data, strange outbound uploads, and packed .NET binaries with encoded resources. Hashes and domains age quickly. Behavior lasts longer.
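The behavioral signals above are easiest to act on when they are correlated per process rather than alerted on one at a time. The following is an added example, not code from Unit 42 or from the Gremlin report: it runs over a small set of constructed EDR-style events (the field names ts, type, process, pid and target are assumptions for this example, not any vendor's schema), flags non-browser processes that read cookie, login or key stores or open a handle to a live browser, and escalates when the same process goes online shortly afterwards.

```python
"""Detect non-browser processes reaching into browser credential stores or into a
running browser, then escalate if the same process goes online right after.
Added example with constructed EDR-style events; not code from Unit 42."""
from datetime import datetime
from pathlib import PureWindowsPath

# Browsers may read their own profile files; anything else doing so is suspect.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Chromium and Firefox profile files that hold cookies, saved logins, and the
# DPAPI-wrapped key that decrypts them (Local State).
SENSITIVE_FILES = {
    "cookies", "login data", "local state", "web data",
    "cookies.sqlite", "logins.json", "key4.db",
}
# Chrome Web Store id of the MetaMask extension; its data lives under
# "<profile>\Local Extension Settings\<id>". Extend with other wallets as needed.
WALLET_EXTENSION_IDS = {"nkbihfbeogaeaoehlefnkodbefgpgknn"}


def is_browser_artifact(path: str) -> bool:
    """True if the path is a cookie/login/key store or a wallet extension directory."""
    p = PureWindowsPath(path)
    if p.name.lower() in SENSITIVE_FILES:
        return True
    return any(part.lower() in WALLET_EXTENSION_IDS for part in p.parts)


def analyze(events, window_seconds=600):
    """Return findings in time order.

    Event schema (assumed for this example): ts (ISO 8601), type in
    {file_read, process_access, network}, process, pid, target.
    """
    findings = []
    first_touch = {}  # pid -> time it first touched browser material
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["process"].lower() in BROWSER_PROCESSES:
            continue  # a browser reading its own profile is normal
        reason = None
        if e["type"] == "file_read" and is_browser_artifact(e["target"]):
            reason = "browser_store_read"
        elif e["type"] == "process_access" and e["target"].lower() in BROWSER_PROCESSES:
            # Opening a handle to the live browser is how stealers sidestep
            # protections that only let the browser decrypt its own cookies.
            reason = "browser_process_access"
        elif e["type"] == "network" and e["pid"] in first_touch:
            if (ts - first_touch[e["pid"]]).total_seconds() <= window_seconds:
                reason = "exfil_chain"  # touched browser data, then went online
        if reason is None:
            continue
        first_touch.setdefault(e["pid"], ts)
        findings.append({"pid": e["pid"], "process": e["process"],
                         "reason": reason, "target": e["target"]})
    return findings


# Constructed sample: the browser reads its own cookies (benign), then an
# unrelated "Updater.exe" reads the login store and master key, opens chrome.exe,
# and connects out within a minute. Explorer reading a text file is noise.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "type": "file_read", "process": "chrome.exe", "pid": 4100,
     "target": PROFILE + r"\Network\Cookies"},
    {"ts": "2025-01-10T09:02:10", "type": "file_read", "process": "Updater.exe", "pid": 5120,
     "target": PROFILE + r"\Login Data"},
    {"ts": "2025-01-10T09:02:11", "type": "file_read", "process": "Updater.exe", "pid": 5120,
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2025-01-10T09:02:15", "type": "process_access", "process": "Updater.exe", "pid": 5120,
     "target": "chrome.exe"},
    {"ts": "2025-01-10T09:03:00", "type": "network", "process": "Updater.exe", "pid": 5120,
     "target": "203.0.113.7:443"},
    {"ts": "2025-01-10T09:05:00", "type": "file_read", "process": "explorer.exe", "pid": 900,
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["reason"], f["process"], f["pid"], f["target"])
```

The escalation step is the point: a single read of Login Data by an updater is a medium-confidence signal, but the same PID reading the key store, opening the browser process, and then connecting out inside ten minutes is the stealer's whole job in one sequence.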
2. Fake productivity software is becoming a serious delivery channel
The TamperedChef research is a reminder that malware does not always arrive as an obvious attachment or exploit. Sometimes it arrives as a polished PDF editor, calendar tool, ZIP utility, screen recorder, or converter. Unit 42 describes TamperedChef-style malware as trojanized productivity software distributed through malicious ads and convincing download pages. The apps may even work well enough to seem legitimate.
That is what makes this category dangerous. The user thinks they installed a useful tool. The security team may see a signed application. The software may sit quietly for weeks or months before becoming active. Unit 42 says these campaigns use persistence, command-and-control capability, and second-stage payload delivery, including stealers, proxy tools, and remote access Trojans.
Another key point from the report is scale. Unit 42 tracked several clusters of TamperedChef-style activity beginning in 2024 and identified more than 4,000 samples across 100 unique variants. That matters because it shows this is not a one-off campaign. It is a repeatable distribution model.
The lesson for users is to be careful with sponsored search results and "free" utility downloads. The lesson for defenders is to stop treating signed software as automatically safe. Code signing can help establish publisher identity, but it does not prove intent. Security teams should pay attention to new scheduled tasks, registry Run keys, unusual startup behavior, delayed network activity, and productivity apps that begin downloading additional components after installation.
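Delayed activation is what separates a trojanized utility from the thousands of benign installers that also create a Run key and phone home on first launch. The following is an added example, not code from Unit 42 or the TamperedChef report: it correlates constructed endpoint events (the schema and the program paths are assumptions for this example) to find persisted programs that were dormant for days after install and then made their first outbound connection and wrote a new executable.

```python
"""Find persisted programs that stayed quiet after install and then began
talking out and dropping new executables: the delayed-activation pattern of
trojanized productivity apps. Added example with constructed events; not Unit 42 code."""
from collections import defaultdict
from datetime import datetime, timedelta

RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)


def is_run_key(key: str) -> bool:
    return key.lower().startswith(RUN_KEYS)


def find_delayed_activation(events, dormancy_days=7):
    """Return one finding per persisted image whose first outbound connection
    came at least `dormancy_days` after it was first executed.

    Event schema (assumed for this example): ts (ISO 8601), type in
    {process_start, registry_set, task_create, network, file_create}, image
    (path of the acting program), plus key/value, task/action, dst, or path
    depending on the type.
    """
    first_run, first_net, persisted = {}, {}, {}
    dropped = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        img = e["image"].lower()
        kind = e["type"]
        if kind == "process_start":
            first_run.setdefault(img, ts)
        elif kind == "registry_set" and is_run_key(e["key"]):
            persisted[e["value"].lower()] = f"Run key {e['key']}"
        elif kind == "task_create":
            persisted[e["action"].lower()] = f"scheduled task {e['task']}"
        elif kind == "network":
            first_net.setdefault(img, ts)
        elif kind == "file_create" and e["path"].lower().endswith((".exe", ".dll")):
            if img in first_net:  # executables written after going online: second-stage candidates
                dropped[img].append(e["path"])
    findings = []
    for img, mechanism in persisted.items():
        if img not in first_run or img not in first_net:
            continue
        quiet = first_net[img] - first_run[img]
        if quiet >= timedelta(days=dormancy_days):
            findings.append({"image": img, "persistence": mechanism,
                             "dormant_days": quiet.days, "dropped": dropped[img]})
    return findings


# Constructed sample: a "PDF editor" installs, persists via a Run key, says
# nothing for 18 days, then connects out and drops helper.exe. A chat client
# that persists via a scheduled task and beacons immediately is the control.
PDF = r"C:\Users\alice\AppData\Local\Programs\PDF Editor Pro\pdfeditor.exe"
CHAT = r"C:\Program Files\ChatTool\chattool.exe"
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T10:00:00", "type": "process_start", "image": PDF},
    {"ts": "2025-03-01T10:00:05", "type": "registry_set", "image": PDF,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": PDF},
    {"ts": "2025-03-01T11:00:00", "type": "process_start", "image": CHAT},
    {"ts": "2025-03-01T11:00:02", "type": "task_create", "image": CHAT,
     "task": "ChatToolUpdate", "action": CHAT},
    {"ts": "2025-03-01T11:00:03", "type": "network", "image": CHAT, "dst": "198.51.100.20:443"},
    {"ts": "2025-03-19T10:30:00", "type": "network", "image": PDF, "dst": "203.0.113.55:443"},
    {"ts": "2025-03-19T10:30:41", "type": "file_create", "image": PDF,
     "path": r"C:\Users\alice\AppData\Roaming\PDF Editor Pro\helper.exe"},
]

if __name__ == "__main__":
    for f in find_delayed_activation(SAMPLE_EVENTS):
        print(f"{f['image']}: quiet {f['dormant_days']} days, {f['persistence']}, dropped {f['dropped']}")
```

The dormancy threshold is the tuning knob. Seven days is generous enough to skip ordinary first-launch update checks and strict enough to catch the weeks-long sleep that the report describes.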
3. Cloud attacks increasingly target identity, not just endpoints
The ROADtools report is about a different kind of threat. ROADtools is an open-source Python framework used for Azure and Microsoft Entra ID research, red teaming, and defense. Unit 42 explains that attackers have also adopted it for real intrusions because it can enumerate Entra ID, register devices, and acquire or manipulate Microsoft Entra ID tokens.
This is not malware in the traditional sense. ROADtools can interact with legitimate Microsoft APIs and can mimic normal-looking cloud traffic. That makes it useful for attackers who already have credentials, tokens, or some foothold in a tenant. Once inside, they can map users, groups, roles, devices, service principals, applications, and directory configurations.
This is where many organizations are still weak. They may have endpoint detection, email security, and firewall logs, but not enough visibility into identity behavior. A stolen token can be more valuable than a stolen password. A newly registered rogue device can become a persistence method. Bulk Graph API enumeration can reveal privilege paths without dropping a traditional payload.
The defensive mindset has to change. Security teams need to monitor identity events with the same seriousness they apply to malware alerts. That means watching for unusual device registration, abnormal token refresh activity, scripted user agents, suspicious Microsoft Graph enumeration, unexpected service principal activity, and sign-ins that do not match the user's normal pattern.
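Three of those signals (scripted user agents, bursts of Microsoft Graph token requests, and a freshly registered device immediately used by a non-browser client) can be checked from exported sign-in and audit records. The following is an added example, not code from Unit 42 or from the ROADtools project: it runs over constructed records whose field names (ts, user, userAgent, resource, deviceId, activity) are modelled loosely on Entra ID sign-in and audit logs but are assumptions for this example, not the exact export schema, and the user-agent markers are an illustrative starting list.

```python
"""Flag identity-layer signals that enumeration tooling leaves behind: scripted
clients, bursts of Microsoft Graph token requests, and a freshly registered
device used by a non-browser client. Added example over constructed records;
field names are modelled on Entra sign-in/audit logs but are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative markers of non-browser clients; extend from your own baseline.
SCRIPTED_UA_MARKERS = ("python-requests", "python/", "go-http-client", "curl/", "okhttp")


def is_scripted_ua(user_agent: str) -> bool:
    ua = (user_agent or "").lower()
    return any(m in ua for m in SCRIPTED_UA_MARKERS)


def analyze_identity(signins, audits, graph_threshold=20, window_minutes=5, reg_window_minutes=60):
    """Return deduplicated findings, one per (user, reason, detail)."""
    findings = {}

    def add(user, reason, detail):
        findings.setdefault((user, reason, detail), {"user": user, "reason": reason, "detail": detail})

    # 1. Non-browser clients talking to the identity platform.
    for s in signins:
        if is_scripted_ua(s["userAgent"]):
            add(s["user"], "scripted_user_agent", s["userAgent"])

    # 2. Many Graph token requests in a short sliding window: directory enumeration.
    window = timedelta(minutes=window_minutes)
    graph_times = defaultdict(list)
    for s in signins:
        if s["resource"] == "Microsoft Graph":
            graph_times[s["user"]].append(datetime.fromisoformat(s["ts"]))
    for user, times in graph_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= graph_threshold:
                add(user, "graph_enumeration_burst", f"{end - start + 1} requests in {window_minutes} min")
                break

    # 3. Device registered, then used by a scripted client shortly afterwards:
    #    a rogue device join turning into persistence.
    reg_window = timedelta(minutes=reg_window_minutes)
    registered = {a["deviceId"]: datetime.fromisoformat(a["ts"])
                  for a in audits if a["activity"] == "Register device"}
    for s in signins:
        dev = s.get("deviceId")
        if dev in registered and is_scripted_ua(s["userAgent"]):
            age = datetime.fromisoformat(s["ts"]) - registered[dev]
            if timedelta(0) <= age <= reg_window:
                add(s["user"], "fresh_device_scripted_signin", dev)
    return list(findings.values())


# Constructed sample: bob registers a device, then a python-requests client on
# that device requests Graph tokens 25 times in under three minutes. alice signs
# in from a browser three times over an hour and should not be flagged.
BASE = datetime(2025, 4, 2, 9, 0, 0)
SAMPLE_AUDITS = [
    {"ts": (BASE - timedelta(minutes=10)).isoformat(), "activity": "Register device",
     "user": "bob@example.com", "deviceId": "dev-9f2c"},
]
SAMPLE_SIGNINS = [
    {"ts": (BASE + timedelta(seconds=7 * i)).isoformat(), "user": "bob@example.com",
     "userAgent": "python-requests/2.31.0", "resource": "Microsoft Graph", "deviceId": "dev-9f2c"}
    for i in range(25)
] + [
    {"ts": (BASE + timedelta(minutes=m)).isoformat(), "user": "alice@example.com",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0",
     "resource": "Microsoft Graph", "deviceId": "dev-11aa"}
    for m in (0, 30, 60)
]

if __name__ == "__main__":
    for f in analyze_identity(SAMPLE_SIGNINS, SAMPLE_AUDITS):
        print(f["user"], f["reason"], f["detail"])
```

None of the three checks needs a malware signature; each one asks whether the identity activity looks like a person in a browser or a script walking the directory.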
4. Targeted espionage still depends heavily on social engineering
Screening Serpens shows the more targeted side of the threat landscape. Unit 42 describes Screening Serpens as an Iran-nexus APT group also tracked as UNC1549, Smoke Sandstorm, and Iranian Dream Job. The group has been active since at least 2022 and has recently targeted organizations in the U.S., Israel, and the UAE, and likely elsewhere in the Middle East.
The group's recent campaigns used tailored recruitment lures and impersonated trusted brands or hiring platforms. This is not random spam. It is personal, believable, and aimed at professionals in sectors such as technology, aerospace, defense manufacturing, and telecommunications.
Unit 42 identified six new RAT variants deployed between February and April 2026, grouped into MiniUpdate and MiniJunk V2. Both families build on the actor's established use of targeted spear phishing and DLL sideloading. The most notable technical evolution is AppDomainManager hijacking, which points a legitimate .NET executable's runtime configuration at an attacker-controlled assembly so that the attacker's code is loaded during .NET startup, before the application's own entry point runs, where it can tamper with security-relevant behavior before the main payload executes.
This is a useful reminder that advanced attackers do not always start with an advanced exploit. They often start with trust. A job opportunity. A fake assessment. A meeting invite. A branded portal. Once the victim runs the file, the technical chain begins.
For defenders, the important sequence is recruitment lure, archive or installer execution, DLL sideloading, suspicious .NET configuration behavior, scheduled-task persistence, and RAT activity. Catching any one step helps, but catching the chain is better.
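The ".NET configuration" step in that chain is concrete enough to hunt for directly. A .NET executable selects its AppDomainManager either through `<appDomainManagerAssembly>` and `<appDomainManagerType>` elements under `<runtime>` in its .exe.config, or through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables; if the named assembly sits as a DLL next to a trusted signed host, the sideload chain is complete. The following is an added example, not code from Unit 42 or from the report: the element and variable names are the documented .NET ones, while the sample config, the VendorTool directory listing and the UpdateHelper assembly name are constructed for illustration.

```python
"""Spot AppDomainManager hijacking: a .NET executable's config or environment
names an assembly the runtime will load before Main(). Added example; element
and variable names are the documented .NET ones, inputs are constructed."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Environment variables the CLR honours to choose an AppDomainManager; attackers
# set them on a single process instead of editing the config file. COMPLUS_Version
# is often set alongside them to pin the runtime, but has legitimate uses on its own.
HIJACK_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def inspect_config(config_xml: str):
    """Return {'assembly', 'type'} if the config selects an AppDomainManager, else None."""
    root = ET.fromstring(config_xml)
    asm = root.find("runtime/appDomainManagerAssembly")
    typ = root.find("runtime/appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {"assembly": asm.get("value") if asm is not None else None,
            "type": typ.get("value") if typ is not None else None}


def inspect_environment(env: dict) -> dict:
    """Return the hijack-relevant variables present in a process environment block."""
    return {k: env[k] for k in HIJACK_ENV_VARS if k in env}


def sideload_candidates(finding, directory_listing):
    """Files in the host's directory whose name matches the configured assembly.
    The assembly value is a display name ("Name, Version=..., ..."); only the
    simple name matters for the DLL the loader will probe for."""
    if not finding or not finding.get("assembly"):
        return []
    simple_name = finding["assembly"].split(",")[0].strip().lower()
    return [f for f in directory_listing
            if PureWindowsPath(f).name.lower() == simple_name + ".dll"]


# Constructed sample: a vendor tool's config has been rewritten to load
# "UpdateHelper" as the AppDomainManager, and UpdateHelper.dll has been dropped
# beside the signed executable.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Loader" />
  </runtime>
</configuration>"""

CLEAN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

SAMPLE_DIR = [
    r"C:\Program Files\VendorTool\VendorTool.exe",
    r"C:\Program Files\VendorTool\VendorTool.exe.config",
    r"C:\Program Files\VendorTool\UpdateHelper.dll",
    r"C:\Program Files\VendorTool\Newtonsoft.Json.dll",
]

if __name__ == "__main__":
    finding = inspect_config(SAMPLE_CONFIG)
    print("config selects AppDomainManager:", finding)
    print("sideload candidates:", sideload_candidates(finding, SAMPLE_DIR))
    print("env:", inspect_environment({"APPDOMAIN_MANAGER_ASM": "UpdateHelper", "PATH": r"C:\Windows"}))
```

A legitimate AppDomainManager is rare in shipped software, so any .exe.config that names one, or any process created with those variables set, deserves a look at the DLL it points to and at how that config file reached the directory.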
The bigger pattern across all four reports
The four reports cover different threats, but they point in the same direction.
Attackers are hiding inside normal things:
| Normal-looking thing | How it gets abused |
|---|---|
| Browser sessions | Stolen cookies and tokens can bypass login prompts |
| Productivity software | Fake apps deliver delayed payloads |
| Code signing | Signed binaries create false trust |
| Microsoft APIs | Cloud activity blends into legitimate admin traffic |
| Device registration | Rogue devices can support persistence |
| Job interviews | Personalized lures convince victims to run malware |
| .NET configuration | Legitimate runtime behavior can be abused for stealth |
| Clipboard activity | Crypto transactions can be silently redirected |
The common thread is not one malware family or one actor. It is the move away from obvious malicious behavior. The attacker wants the action to look ordinary until it is too late.
What organizations should take from this
The strongest defense is not a single product or one set of indicators. It is layered visibility.
Endpoint teams should watch for sideloading, suspicious child processes, packed binaries, unusual persistence, and local data collection. Identity teams should monitor token behavior, device registration, privilege changes, and Graph API enumeration. Network teams should care about delayed outbound activity and odd upload patterns. Security awareness teams should teach users that malicious software can come from ads, fake tools, and realistic job conversations, not just suspicious email attachments.
A practical defensive checklist:
| Area | What to improve |
|---|---|
| Software downloads | Block or warn on unknown productivity tools from ads and unofficial sites |
| Browser data | Detect unusual access to browser profiles, cookies, wallets, and session stores |
| Identity security | Monitor token use, device joins, OAuth permissions, and risky sign-ins |
| Cloud logs | Centralize Entra ID, Graph, audit, and sign-in telemetry |
| Persistence | Alert on new scheduled tasks and Run keys created by recent downloads |
| DLL sideloading | Detect trusted binaries loading unexpected local libraries |
| .NET abuse | Hunt for unusual AppDomainManager or runtime configuration behavior |
| User training | Teach staff to verify recruiters, meeting tools, and software downloads |
| Incident response | Revoke sessions and tokens, not just reset passwords |
Final thought
The most useful takeaway from these Palo Alto Networks Unit 42 reports is that defenders need to think in chains, not isolated alerts.
Gremlin Stealer shows how infostealers are getting better at hiding and stealing live identity material. TamperedChef shows how fake but functional apps can turn advertising pipelines into malware delivery systems. ROADtools shows how legitimate cloud tooling can be abused once attackers reach the identity layer. Screening Serpens shows that targeted social engineering remains one of the most reliable ways into high-value environments.
Sources
- Unit 42, "Screening Serpens" — https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
- Unit 42, "ROADtools Cloud Attacks" — https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/
- Unit 42, "TamperedChef Clusters" — https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
- Unit 42, "Gremlin Stealer Evolution" — https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
