Phantom squatting AI-hallucinated domain phishing campaign
Campaign
Summary
Hide ▲
Show ▼
A phantom squatting campaign is turning AI-hallucinated domains into live phishing and malware lures, putting AI-referred traffic at immediate risk. Attackers are registering the fake domains before anyone else can and standing up phishing pages or malicious app traps on them. The operation is already active in the wild and spans brands and sectors including technology, finance, healthcare, government, and gambling. It shortens the defender response window by converting model output into a ready-made attack surface.
Related Happenings
Paid brand-impersonation phishing kits Lucid and Lighthouse scale fake-domain operations
Threat Actor Meta
H score37
First: 01.07.2026 10:20
Last: 01.07.2026 10:20
Sources 1
How related:
It also lands in a world where brand-impersonation phishing is now a paid service, with kits like Lucid and Lighthouse standing up 17,500 fake domains against 316 brands in 74 countries.
About this happening:
Brand-impersonation phishing has become a **paid service**, with kits like **Lucid** and **Lighthouse** scaling fake-domain operations across **316 brands** in **74 countries**, i...
Paid brand-impersonation phishing kits Lucid and Lighthouse scale fake-domain operations
Threat Actor MetaHow related: It also lands in a world where brand-impersonation phishing is now a paid service, with kits like Lucid and Lighthouse standing up 17,500 fake domains against 316 brands in 74 countries.
About this happening: Brand-impersonation phishing has become a **paid service**, with kits like **Lucid** and **Lighthouse** scaling fake-domain operations across **316 brands** in **74 countries**, i...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor Meta
H score43
First: 12.06.2026 11:52
Last: 12.06.2026 11:52
Sources 1
About this happening:
A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor MetaAbout this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Latest development: 15.06.2026 09:30
Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
Vercel v0.dev phishing campaign using GenAI-built lure pages
Campaign
H score29
First: 07.05.2026 11:30
Last: 07.05.2026 11:30
Sources 1
About this happening:
A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
Vercel v0.dev phishing campaign using GenAI-built lure pages
CampaignAbout this happening: A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware Activity
H score36
First: 12.12.2025 16:04
Last: 12.12.2025 16:04
Sources 1
About this happening:
**BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware ActivityAbout this happening: **BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
Timeline
-
01.07.2026 10:20 1 articles · 1h ago
Unit 42 predicts a fake postal-service marketplace domain
Detection Ioc UpdateOn March 8, 2026, Unit 42's system predicted that AI models would invent a domain resembling a national postal service's online marketplace.
Show sources
- Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware — thehackernews.com — 01.07.2026 10:20
-
01.07.2026 10:20 1 articles · 1h ago
Attacker registers predicted domain and launches Montana Empire phishing kit
Exploitation ObservedOn March 31, 2026, an attacker registered that exact domain and stood up a phishing kit named Montana Empire.
Show sources
- Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware — thehackernews.com — 01.07.2026 10:20
-
01.07.2026 10:20 2 articles · 1h ago
Unit 42 details phantom squatting across AI-generated domains
Initial DisclosureOn July 1, 2026, Palo Alto Networks' Unit 42 published research showing that phantom squatting is already happening in the wild, based on testing across 685,339 questions about 913 well-known brands and finding 2.1 million links, including 13,229 malicious addresses and about 250,000 unowned domains.
Show sources
- Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware — thehackernews.com — 01.07.2026 10:20
- Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware — thehackernews.com — 01.07.2026 10:20