Security Notes

Palo Alto Networks has world-renowned experts supporting threat research efforts across the company. The completely in-house team focuses on quickly identifying, analyzing, and creating protections for attacks as they emerge—building and enhancing the automated prevention enforced through our Security Operating Platform.

The team is comprised of:

  • Threat engineers, conducting research into all facets of the threat landscape and building our cloud delivered security services.

  • Vulnerability research, identifying new threats (including proactive research into critical zero-day vulnerabilities), and building signatures to prevent exploitation.

  • Global Security Response team, assessing new threats and ensuring the efficacy of our protections across the platform.

  • Unit 42 team, researching the latest cyber attacks and sharing the results freely with the entire community.

  • Endpoint and behavioral analytics threat researchers



  • Oleksii Starov, Yuchen Zhou, Jun Wang, "Detecting Malicious Campaigns in Obfuscated JavaScript with Scalable Behavioral Analysis", In Proceedings of the 4th International Workshop on Traffic Measurements for Cybersecurity (WTMC), 2019. [REF]

  • Idan Amit, John Matherly, William Hewlett, Zhi Xu, Yinnon Meshi and Yigal Weinberger, "Machine Learning in Cyber-Security - Problems, Challenges and Data Sets", to be published in The AAAI-19 Workshop on Engineering Dependable and Secure Machine Learning Systems, 2019. [REF]


  • Oleksii Starov, Yuchen Zhou, Xiao Zhang, Najmeh Miramirkhani, and Nick Nikiforakis, "Betrayed by Your Dashboard: Discovering Malicious Campaigns via Web Analytics", in World Wild Web (WWW'18), 2018. [PDF] [REF] [BLOG] [TALK]

  • Michael Weber, Jun Wang, and Yuchen Zhou, "Unsupervised Clustering for Identification of Malicious Domain Campaigns", In RESEC'18 Proceedings of the First Workshop on Radical and Experiential Security, 2018. [PDF] [REF]

  • Cong Zheng, and Heqing Huang, "Daemon-Guard: Towards Preventing Privilege Abuse Attacks in Android Native Daemons", In RESEC'18 Proceedings of the First Workshop on Radical and Experiential Security, 2018. [PDF] [REF]

  • Xiao Zhang, and Zhi Xu, "On the Feasibility of Automatic Malware Family Signature Generation", In RESEC'18 Proceedings of the First Workshop on Radical and Experiential Security, 2018. [PDF] [REF]

  • Cong Zheng, Tongbo Luo, Zhi Xu, Wenjun Hu, and Xin Ouyang, "Android Plugin Becomes a Catastrophe to Android Ecosystem", In RESEC'18 Proceedings of the First Workshop on Radical and Experiential Security, 2018. [PDF] [REF]

  • Valerio Costamagna, Cong Zheng, and Heqing Huang, "Identifying and Evading Android Sandbox Through Usage-Profile Based Fingerprints", In RESEC'18 Proceedings of the First Workshop on Radical and Experiential Security, 2018. [PDF] [REF]

  • Tao Zhang, Wenjun Hu, Xiapu Luo, and Xiaobo Ma, "A Commit Messages-Based Bug Localization for Android Applications", In International Journal of Software Engineering and Knowledge Engineering, 2018.


  • Zhi Wang, Meiqi Tian, Xiao Zhang, Junnan Wang, Zheli Liu, Chunfu Jia, and Ilsun You, "A Hybrid Learning System to Mitigate Botnet Concept Drift Attacks", in Journal of Internet Technology, vol. 18, no. 6 , pp. 1419-1428, Nov. 2017. [PDF] [REF]

  • Yang Hu, John CS Lui, Wenjun Hu, Xiaobo Ma, Jianfeng Li, and Xiao Liang, "Taming Energy Cost of Disk Encryption Software on Data-intensive Mobile Devices", In Future Generation Computer Systems, 2017. [REF]


  • Wenjun Hu, Xiaobo Ma, and Xiapu Luo, "Protecting Android Apps Against Reverse Engineering", In Chapter 7, Book: Protecting Mobile Networks and Devices: Challenges and Solutions, 2016. [REF]



  • Tongbo Luo and Zhaoyan Xu, "Cloud-Native Sandboxes for Microservices: Understanding New Threats and Attacks", in BlackHat Europe'18, 2018. [REF] [TALK]

  • Kyle Wilhoit, "False Flag Foibles: Imitating Nation State Actors and Criminals to Befuddle Media and Researchers", in BlueHat'18, 2018. [REF]

  • Tao Yan and Bo Qu, "PWN Flash with Reflection and HashTables", in Recon Montreal, 2018. [REF] [PDF]

  • Bo Qu, Hui Gao, and Hui Gao, "PDF JS引擎交互式Fuzzing", in KCon'18, 2018 [PDF]

  • Arpita Biswas, "Firmware Security 101", in BSidesLV'18, Las Vegas, 2018. [TALK]


  • Zhaoyan Xu, Tongbo Luo, Wei Xu, Kyle Sanders, and Xin Ouyang, "Say hi to malware - using a deep learning method to understand malicious traffic", In VB2017 (Virus Bulletin), 2017. [PDF] [REF]

  • Claud Xiao, "The Underground Economy of Apple ID", in BSidesSF'17, San Francisco, 2017. [PDF] [TALK]

  • Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, and Xin Ouyang, "IoTCandyJar: Towards an Intelligent-Interaction Honeypot for IoT Devices", in BlackHat'17, 2017. [PDF] [TALK]

  • Tongbo Luo, Cong Zheng, Zhi Xu, and Xin Ouyang, "anti-plugin: don't let your app play as an android plugin", in BlackHat Asia'17, 2017. [PDF]

  • Tom Lancaster, "Level up with Maltego", EUCOM Joint Cyber Center, October 2017. [TALK]

  • Tom Lancaster, "Unpicking Threats in Iran", at a NATO event in April 2017. [TALK]


  • Claud Xiao, "Fruit vs Zombies: Defeat Non-jailbroken iOS Malware", in SHAKACON'16, 2016. [PDF] [REF] [BLOG] [TALK]
  • Claud Xiao, "Who’s Breaking into Your Garden? iOS and OS X Malware You May or May Not Know", in BSidesSF'16, San Francisco, 2016. [PDF] [TALK]

  • Tongbo Luo and Xing Jin, "Next Generation Of Exploit Kit Detection By Building Simulated Obfuscators", in BlackHat'16, 2016. [PDF] [TALK]

  • Zhi Xu, Tongbo Luo, and Cong Zheng, "Beware! Zombies are Coming", in VB2016 (Virus Bulletin), 2016. [REF]

  • Zhaoyan Xu, Jun Wang, Yucheng Zhou, Wei Xu, and Kyle Sanders, "“$ echo Internet $>_...”: Towards Practical Internet-wide Probing and Crawling", in VB2016 (Virus Bulletin), 2016. [REF]


  • Tao Yan and Bo Qu, "Inside Flash: Flash Exploit Detection Uncovered", in HitCon'15, 2015. [REF]


  • Bo Qu and Royce Lu, "The Power of Pair: One Template that Reveals 100+ UAF IE Vulnerabilities", in BlackHat Europe'14, 2014 [PDF] [TALK]

  • Bo Qu, "The failure and success in IE fuzzing", in BlueHat'14, 2014

  • Bo Qu, Royce Lu, and Tao Yan, "(More) Advanced defense for IE", in POC'14, Power Of Community, 2014 [PDF]

  • Claud Xiao, "Insecure Internal Storage in Android", in HITCON'14, Taipei, 2014. [PDF]

  • Zhaoyan Xu, Wei Xu, and Kyle Sanders, "How malware eats cookies - an empirical study of cookies in malware's communication", in VB2014 (Virus Bulletin), 2014 [REF]

Data sets

We would be happy to contribute data sets to the security research community. More info


  • Yanhui Jia, Rongbo Shao, Yi Ren, Matt Tennis, Xin Ouyang, John Harrison, Jens Egger, Ashwin Dewan, "DNS-based data exfiltration and infiltration technology and detection", 2019.2.8 [PDF]

  • Zhaoyan Xu, Yanhui Jia, Bo Qu, Xin Ouyang, "Tracing Vulnerability CVE-2018-1002105 on Kubernetes", 2018.12.14 [PDF]

  • Bo Qu, "Internet Explorer Fuzzing" [Talk slide to be added]

  • Bo Qu, "Fuzzing For Fun" [Talk slide to be added]

[Latest Unit 42 Blogs]


  • Josh Grunzweig and Kyle Wilhoit , "The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia", Thursday, November 29, 2018 [URL]

  • Tao Yan, Xingyu Jin, Bo Qu and Zhanglin He , "New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit", Wednesday, November 21, 2018 [URL]

  • Robert Falcone and Kyle Wilhoit , "Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery", Friday, November 16, 2018 [URL]

  • Michael Weber, Jiangtao Yin, Jun Wang, Yuchen Zhou, Wei Xu and John Harrison , "Detecting Malicious Campaigns with Machine Learning", Friday, October 12, 2018 [URL]

  • Claud Xiao, Cong Zheng,  Xingyu Jin , "Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows", Monday, September 17, 2018 [URL]

  • Kyle Wilhoit; Robert Falcone , "OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government", Wednesday, September 12, 2018 [URL]

  • Ruchna Nigam , "Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall", Sunday, September 9, 2018 [URL]

  • Dominik Reichel, Esmid Idrizovic , "Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware", Thursday, September 6, 2018 [URL]

  • Bo Qu, Tao Yan, Rongbo Shao, Zhanglin He , "Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7", Wednesday, September 5, 2018 [URL]

  • Robert Falcone, Bryan Lee. Riley Porter , "OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE", Tuesday, September 4, 2018 [URL]

  • Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit , "The Gorgon Group: Slithering Between Nation State and Cybercrime", Thursday, August 2, 2018 [URL]

  • Yue Chen, Wenjun Hu, Xiao Zhang, Zhi Xu , "Hidden Devil in the Development Life Cycle: Google Play Apps Infected with Windows Executable Files", Monday, July 30, 2018 [URL]

  •  Robert Falcone, Bryan Lee, Tom Lancaster , "New Threat Actor Group DarkHydrus Targets Middle East Government", Friday, July 27, 2018 [URL]

  • Ruchna Nigam , "Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns", Friday, July 20, 2018 [URL]

  •  Jin Chen , "Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)", Monday, July 16, 2018 [URL]

  • Brittany Ash, Josh Grunzweig, Tom Lancaster , "RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families", Tuesday, June 26, 2018 [URL]

  • Tao Yan, Bo Qu, Zhanglin He, "The Old and New: Current Trends in Web-based Threats", Wednesday, June 20, 2018 [URL]

  • Tao Yan, Bo Qu, Zhanglin He, "Phishing in a Nutshell: January – March 2018", Monday, June 18, 2018 [URL]

  • Yanhui Jia, Matt Tennis, Yi Ren, Rongbo Shao , "Exploit in the Wild: #drupalgeddon2 – Analysis of CVE-2018-7600", Tuesday, May 1, 2018 [URL]

  • Alex Hinchliffe, Mike Harbison, Jen Miller-Osborn, Tom Lancaster , "HenBox: Inside the Coop", Thursday, April 26, 2018 [URL]

  • Josh Grunzweig, Brandon Levene, Kyle Wilhoit, Pat Litke , "SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle", Tuesday, April 17, 2018 [URL]

  • Ruchna Nigam , "Reaper Group’s Updated Mobile Arsenal", Thursday, April 5, 2018 [URL]

  • Ruchna Nigam, Kyle Wilhoit , "TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iranian Users", Tuesday, March 20, 2018 [URL]

  • Alex Hinchliffe, Mike Harbison, Jen Miller-Osborn, Tom Lancaster , "HenBox: The Chickens Come Home to Roost", Tuesday, March 13, 2018 [URL]

  • Brandon Levene, Josh Grunzweig, Brittany Ash , "Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent", Wednesday, March 7, 2018 [URL]

  • Brandon Levene; Josh Grunzweig , "Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency", Monday, March 5, 2018 [URL]

  • Jeff White, "Dissecting Hancitor’s Latest 2018 Packer", Tuesday, February 27, 2018 [URL]

  • Jeff White, "PowerStager Analysis", Friday, January 12, 2018 [URL]

  • Cong Zheng, Claud Xiao, Yanhui Jia , "IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability", Thursday, January 11, 2018 [URL]


  • Dominik Reichel, "Abusing the Service Control Manager to Establish Persistence for Non-Service Applications", Monday, December 18, 2017 [URL]

  • Yanhui Jia, Taojie Wang; Zhibin Zhang , "Analysis of CVE-2017-11882 Exploit in the Wild", Friday, December 8, 2017 [URL]

  • Anthony Kasza, Juan Cortes; Micah Yates , "Operation Blockbuster Goes Mobile", Monday, November 20, 2017 [URL]

  • Tom Lancaster, "Muddying the Water: Targeted Attacks in the Middle East", Tuesday, November 14, 2017 [URL]

  • Jacob Soo; Josh Grunzweig , "Recent InPage Exploits Lead to Multiple Malware Families", Thursday, November 2, 2017 [URL]

  • Brandon Levene, Brandon Young; Dominik Reichel , "Everybody Gets One: QtBot Used to Distribute Trickbot and Locky", Wednesday, November 1, 2017 [URL]

  • Yuchen Zhou, Wei Xu, Jun Wang and Wayne Xin , "Unauthorized Coin Mining in the Browser", Tuesday, October 17, 2017 [URL]

  • Juan Cortes and Esmid Idrizovic , "FreeMilk: A Highly Targeted Spear Phishing Campaign", Thursday, October 5, 2017 [URL]

  • Jeff White, "Analyzing the Various Layers of AgentTesla’s Packing", Monday, September 25, 2017 [URL]

  • Ryan Salsamendi , "Palo Alto Networks Discovers New QEMU Vulnerability", Thursday, September 14, 2017 [URL]

  • Richard Wartell , "LabyREnth CTF 2017: Check Out the Prizes", Friday, September 8, 2017 [URL]

  • Cong Zheng, Wenjun Hu, Xiao Zhang and Zhi Xu , "Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions", Thursday, September 7, 2017 [URL]

  • Dominik Reichel , "Analysing a 10-Year-Old SNOWBALL", Wednesday, September 6, 2017 [URL]

  • Jeff White, "The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure", Tuesday, August 15, 2017 [URL]

  • Anthony Kasza , "The Blockbuster Saga Continues", Monday, August 14, 2017 [URL]

  •  Richard Wartell, Tyler Halfpop and Jeff White , "LabyREnth CTF 2017 Winners!", Thursday, August 3, 2017 [URL]

  • Tomer Bar and Simon Conant, "Prince of Persia – Ride the Lightning: Infy returns as “Foudre”", Tuesday, August 1, 2017 [URL]

  • Richard Wartell , "LabyREnth CTF 2017 Final Week: Beat the Maze!", Tuesday, July 18, 2017 [URL]

  • Wenjun Hu, Cong Zheng and Zhi Xu , "SpyDealer: Android Trojan Spying on More Than 40 Apps", Thursday, July 6, 2017 [URL]

  • Samantha Pierre, Richard Wartell, Tyler Halfpop and Jeff White , "VIDEO: Tips, Tricks, and Clues to Escape the LabyREnth CTF", Sunday, June 18, 2017 [URL]

  • Erye Hernandez and Danny Tsechansky , "The New and Improved macOS Backdoor from OceanLotus", Thursday, June 22, 2017 [URL]

  • Richard Wartell and Tyler Halfpop , "LabyREnth CTF 2017 Launch Day: The Challenge Starts Now!", Friday, June 9, 2017 [URL]

  • Richard Wartell , "LabyREnth CTF 2017: One Week Countdown", Friday, June 2, 2017 [URL]

  • Tao Yan , "A Dissection of the “EsteemAudit” Windows Remote Desktop Exploit", Wednesday, May 31, 2017 [URL]

  • Richard Wartell and Tyler Halfpop , "LabyREnth Teaser Site", Thursday, May 11, 2017 [URL]

  • Claud Xiao, Cong Zheng and Yanhui Jia , "New IoT/Linux Malware Targets DVRs, Forms Botnet", Thursday, April 6, 2017 [URL]

  • Cong Zheng, Wenjun Hu and Zhi Xu , "A New Trend in Android Adware: Abusing Android Plugin Frameworks", Wednesday, March 22, 2017 [URL]

  • Xiao Zhang, Wenjun Hu and Shawn Jin , "Google Play Apps Infected with Malicious IFrames", Wednesday, March 1, 2017 [URL]

2014 ~ 2016

Please check [Unit 42 Archives]

Developer Sites


Copyright © 2023 Palo Alto Networks, Inc. All rights reserved.