Unit 42 Uncovers 'Phantom Squatting': A New Supply Chain Threat Vector Exploiting LLM-Hallucinated Domains

Phantom Squatting: Attackers Weaponize AI-Hallucinated Domains in Novel Supply Chain Attacks

HIGH
July 1, 2026
Supply Chain Attack, Threat Intelligence, Malware

Related Entities

Other

Montana Empire

Executive Summary

Unit 42 has uncovered a novel and active software supply chain attack vector termed 'Phantom Squatting.' This threat leverages the tendency of Large Language Models (LLMs) to hallucinate non-existent web domains, which adversaries then register to intercept traffic and compromise users. Our research confirms that this is not a theoretical risk but an ongoing attack pattern observed in the wild. Attackers are weaponizing AI-generated misinformation to bypass traditional security measures that rely on historical reputation data. A key finding includes the discovery of a phishing kit named Montana Empire, which was deployed on a phantom domain predicted by our systems weeks in advance. With over 250,000 unregistered phantom domains discovered, the attack surface is vast and growing. This report details the phantom squatting lifecycle, assesses its impact on the software supply chain, and provides actionable recommendations for detection and mitigation.


Threat Overview

Phantom squatting represents a significant evolution in supply chain attacks, shifting the focus from traditional artifacts like tampered packages to the very fabric of AI-assisted development. As LLMs become integrated into developer workflows and CI/CD pipelines, they are treated as trusted sources of information. Developers and automated systems often accept LLM-generated output, including URLs for documentation, API endpoints, and service configurations, without verification.

This trust creates a critical vulnerability. When an LLM hallucinates a domain—for example, suggesting api.build-notifier.io for a CI/CD webhook—it may be entirely fictitious. An adversary who has proactively registered this domain can intercept sensitive data, such as build telemetry or secrets. The core of the threat lies in this 'zero-reputation bypass.' A phantom domain, at the moment of its weaponization, has no negative history, is not on any blocklist, and its content is newly generated, rendering conventional threat intelligence and reputation scoring ineffective. The LLM, in effect, becomes an unwitting accomplice, laundering the reputation of a malicious domain by presenting it as authoritative.


Technical Analysis

The phantom squatting attack lifecycle consists of four primary phases:

  1. Adversarial Hallucination Probing: Attackers systematically query LLMs with various prompts related to a target brand or its software. The goal is to map the 'hallucination surface'—the set of phantom domains the model is likely to generate.
  2. Preemptive Registration: Armed with a list of potential phantom domains, the adversary registers the most promising ones. The low cost and ease of registering generic top-level domains (gTLDs) make this highly scalable.
  3. Weaponization: The newly registered domain is configured with malicious content. This could be a phishing page mimicking a legitimate login portal, a server to intercept API calls and secrets, or a host for drive-by downloads.
  4. Interception: An unsuspecting developer or an automated CI/CD process queries an LLM. The LLM provides a link or endpoint pointing to the phantom domain. The user or system trusts the output and connects, triggering the attack.

This attack pattern leverages several MITRE ATT&CK techniques:


Impact Assessment

The impact of phantom squatting on an organization can be severe, extending deep into the software supply chain.

  • Credential and Secret Theft: Developers interacting with phantom domains may submit credentials to fake login portals. CI/CD pipelines could send API keys, tokens, and other secrets to adversary-controlled endpoints.
  • Malware Distribution: Phantom domains can be used to host malicious software dependencies, tampered binaries, or drive-by downloads, infecting developer machines and build environments.
  • Data Exfiltration: Intercepted build telemetry can expose sensitive information about an organization's internal infrastructure, source code, and development practices.
  • Reputation Damage: A successful attack originating from an organization's AI-assisted tools can erode trust among customers and partners.

The scale of the problem is significant. Unit 42's analysis of 913 global brands across two LLMs generated 2.1 million URLs, revealing over 13,229 confirmed malicious URLs and approximately 250,000 unregistered (and thus exploitable) phantom domains.


IOCs — Directly from Articles

The source article discusses the discovery of over 13,229 malicious URLs but does not provide a specific list of Indicators of Compromise (IOCs).


Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns, which could indicate related activity:

  • Type: Network Traffic
    Value: Outbound connections from dev/CI-CD environments to domains with no reputation or an age of <30 days.
    Description: Monitor for traffic to newly registered domains, especially those that mimic brand names or common developer services.
  • Type: DNS Logs
    Value: Queries for domains that are syntactically similar to legitimate brand domains but are not officially registered.
    Description: Proactive monitoring for DNS queries to potential phantom domains can provide early warning.
  • Type: Log Source
    Value: CI/CD pipeline execution logs.
    Description: Scrutinize logs for HTTP requests to unexpected or non-standard URLs, especially those recommended by integrated AI assistants.
  • Type: Process Activity
    Value: Developer tools (curl, wget, git) making connections to unknown domains.
    Description: Monitor command-line activity on developer endpoints for interactions with suspicious web infrastructure.

Detection & Response

Detecting and responding to phantom squatting requires a shift away from purely reputation-based defenses.

  • Proactive Domain Monitoring: Organizations should use tools to predict and monitor for the registration of likely phantom domains related to their brands. This allows for early warning before an attack is launched.
  • Network Traffic Analysis (D3-NTA): Implement strict egress filtering and anomaly detection for traffic originating from developer workstations and CI/CD runners. Baseline normal activity and alert on connections to new, uncategorized, or low-reputation domains.
  • URL Analysis (D3-UA): Employ advanced URL filtering solutions that can analyze domain age, registration data, and other metadata in real-time to block access to nascent malicious sites.
  • Developer Education: Train developers on the risks of LLM hallucinations and establish policies for verifying all externally sourced URLs and code snippets, regardless of their origin.
  • Incident Response Playbook: Develop a specific playbook for incidents involving potential phantom squatting, focusing on identifying the source of the malicious URL (i.e., which LLM prompt) and assessing the scope of potential data exposure.

Mitigation

Mitigating phantom squatting requires a multi-layered approach that combines proactive measures with robust technical controls.

  1. Defensive Domain Registration: Proactively identify and register likely phantom domains associated with your brand before adversaries can. This is the most effective way to neutralize the threat for a specific domain.
  2. Outbound Traffic Filtering (D3-OTF): Implement strict egress policies on developer endpoints and CI/CD systems. Use a default-deny posture, only allowing connections to a pre-approved list of domains and IP addresses.
  3. AI Security Posture Management (ASPM): Deploy solutions designed to secure the AI pipeline itself. These tools can act as an intermediary to vet LLM output, scan for malicious URLs, and enforce security policies before a developer or system consumes the AI-generated content.
  4. Harden the Development Environment: Use application allowlisting to restrict the tools and scripts that can run in build environments. This can prevent the execution of malware downloaded from a phantom domain.
  5. User Training (M1017): Conduct regular training sessions to make developers aware of this threat vector. Encourage a culture of skepticism and verification for all AI-generated content.

Timeline of Events

July 1, 2026: This article was published

MITRE ATT&CK Mitigations

Filter web traffic from developer and CI/CD environments, blocking access to newly registered or uncategorized domains that may be used for phantom squatting.

Mapped D3FEND Techniques:

Implement strict egress filtering for build servers and developer environments to prevent unauthorized outbound connections to adversary-controlled infrastructure.

Mapped D3FEND Techniques:

Educate developers about the risk of LLM hallucinations and instill a security-conscious practice of verifying all URLs and code snippets from AI assistants.

Audit (M1047, enterprise)

Maintain and monitor detailed logs of network connections, DNS queries, and process execution within the development lifecycle to detect anomalous activity.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

To counter phantom squatting, organizations must implement stringent outbound traffic filtering, especially for CI/CD pipelines and developer environments. The default policy should be 'deny all,' with an explicit allowlist for known-good destinations required for builds, package management, and API calls. For CI/CD runners, this allowlist should be dynamically configured based on the project's declared dependencies, minimizing the attack surface. For developer workstations, use a combination of proxy servers and endpoint agents to enforce policies. Configure alerting for any connection attempt that violates the policy, as this could indicate a developer has received a malicious URL from an LLM. This technique directly mitigates the 'Interception' phase of the phantom squatting attack by preventing the initial connection to the adversary's server, even if a developer trusts and clicks a malicious link.
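The default-deny policy above, and the vetting of LLM output listed under Mitigation, as an added Python example; it is not code from Unit 42 or from this page. The `REGISTRY_HOSTS` mapping, the function names and the sample text are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: package registries per declared ecosystem (extend for internal mirrors).
REGISTRY_HOSTS = {
    "pip": {"pypi.org", "files.pythonhosted.org"},
    "npm": {"registry.npmjs.org"},
}
URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""", re.IGNORECASE)


def build_allowlist(ecosystems, extra_hosts=()):
    """Default deny: registries for the declared ecosystems plus reviewed extras."""
    allowed = set()
    for eco in ecosystems:
        allowed |= REGISTRY_HOSTS.get(eco, set())
    return allowed | {h.lower().rstrip(".") for h in extra_hosts}


def host_allowed(host, allowlist):
    """Exact host or true subdomain only; 'notpypi.org' and 'pypi.org.example' fail."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)


def vet_llm_output(text, allowlist):
    """Split URLs found in LLM-generated text into (allowed, denied) lists."""
    allowed, denied = [], []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:")
        try:
            host = urlsplit(url).hostname  # userinfo before '@' is not the host
        except ValueError:
            host = None  # unparseable URL is denied
        (allowed if host_allowed(host, allowlist) else denied).append(url)
    return allowed, denied


# Constructed LLM answer. api.build-notifier.io is the hallucinated endpoint
# used as the example earlier on this page; mirror.example is a placeholder.
SAMPLE = (
    "Install from https://pypi.org/simple/requests/ and post build status to "
    "https://api.build-notifier.io/v1/hook. Mirror: https://pypi.org@mirror.example/simple/"
)

if __name__ == "__main__":
    ok, denied = vet_llm_output(SAMPLE, build_allowlist(["pip"]))
    print("allowed:", ok)
    print("denied, raise alert:", denied)
```

Every entry in the denied list is a policy violation of the kind the paragraph says should generate an alert.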

Traditional URL blocklists are ineffective against phantom squatting's 'zero-reputation bypass.' Therefore, a dynamic URL analysis capability is critical. This should be deployed at the network edge, in web proxies, and via browser extensions for developers. The system must analyze URLs in real-time, considering factors beyond reputation. Key signals for detecting phantom domains include: domain age (block or flag domains registered within the last 30-60 days), registrar information, syntactic similarity to legitimate brand domains (detecting slopsquatting), and lack of historical DNS records. Integrating this with an AI Security Posture Management (ASPM) tool can allow for the proactive scanning of any URL generated by an LLM before it is presented to the user. This creates a crucial verification layer between the LLM and the developer, effectively identifying and neutralizing the malicious link before it can be trusted or clicked.
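A sketch of the signals listed above (domain age, brand similarity, missing DNS history) combined into one verdict, added here as an illustration and not taken from Unit 42 or any product. The brand inventory, the `DomainMeta` record, the thresholds and the sample metadata are all hypothetical; a real deployment would fill the metadata from WHOIS/RDAP and passive DNS.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Optional
from urllib.parse import urlsplit

BRAND_DOMAINS = {"northwind-pay.example"}  # hypothetical brand inventory


@dataclass
class DomainMeta:  # in production, filled from WHOIS/RDAP and passive DNS
    registered: Optional[date]      # None: registration date unknown
    first_dns_seen: Optional[date]  # None: no historical DNS records


def base_domain(host):
    # Simplification: last two labels; use a public-suffix list in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_similarity(domain):
    """Best similarity (0..1) between this domain's name label and any brand's."""
    label = domain.split(".")[0]
    return max(SequenceMatcher(None, label, b.split(".")[0]).ratio()
               for b in BRAND_DOMAINS)


def analyze(url, meta, today, max_age_days=30, sim_threshold=0.8):
    """Return (verdict, reasons); two or more signals block, one flags."""
    domain = base_domain(urlsplit(url).hostname or "")
    if domain in BRAND_DOMAINS:
        return "allow", []
    reasons = []
    if meta.registered is None or (today - meta.registered).days <= max_age_days:
        reasons.append("young_or_unknown_registration")
    if meta.first_dns_seen is None:
        reasons.append("no_dns_history")
    if brand_similarity(domain) >= sim_threshold:
        reasons.append("brand_lookalike")
    verdict = "block" if len(reasons) >= 2 else "flag" if reasons else "allow"
    return verdict, reasons


if __name__ == "__main__":
    today = date(2026, 7, 1)  # all sample metadata below is constructed
    samples = {
        "https://docs.northwindpay.test/setup": DomainMeta(date(2026, 6, 19), None),
        "https://northwind-pay.test/login": DomainMeta(date(2015, 3, 2), date(2015, 3, 4)),
        "https://pypi.org/simple/": DomainMeta(date(2010, 1, 1), date(2010, 1, 2)),
    }
    for url, meta in samples.items():
        print(url, *analyze(url, meta, today))
```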

Since phantom squatting attacks begin with no reputation, behavioral detection through Network Traffic Analysis (NTA) is essential. Deploy NTA sensors to monitor traffic from developer subnets and CI/CD environments. Establish a baseline of normal network behavior, including typical destinations, protocols, and data volumes. Hunt for anomalies such as: connections to domains never seen before in the organization's traffic, DNS queries for domains with unusually high entropy or similarity to internal services, and unexpected data transfers from build agents to external endpoints. By focusing on deviations from the established baseline, NTA can detect the initial connection to a phantom domain and trigger an alert for investigation, providing a critical detection opportunity where reputation-based systems fail.
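The baseline-and-deviation hunt described above, which also covers the DNS hunting hints earlier on this page, as an added Python example that is not part of the original report. The log format, the CI subnet, the entropy threshold and every log line are constructed for illustration.

```python
import ipaddress
import math
from collections import Counter
CI_NET = ipaddress.ip_network("10.20.0.0/24")  # hypothetical CI/CD runner subnet
# Constructed DNS log lines: "<timestamp> <client_ip> <qname>"
BASELINE_LOG = """\
2026-06-01T09:00:01Z 10.20.0.5 pypi.org
2026-06-01T09:00:02Z 10.20.0.5 files.pythonhosted.org
2026-06-02T11:30:00Z 10.20.0.7 github.com
"""
TODAY_LOG = """\
2026-07-01T08:15:00Z 10.20.0.5 pypi.org
2026-07-01T08:15:04Z 10.20.0.5 api.build-notifier.io
2026-07-01T08:15:09Z 10.20.0.5 api.build-notifier.io
2026-07-01T08:16:40Z 10.20.0.7 q7x2kz9v0plm4wtb.telemetry-sync.example
2026-07-01T08:17:00Z 192.168.1.9 news.example.org
"""

def base_domain(qname):
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])  # simplification: no PSL

def entropy(label):
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def parse(log):
    return [p for p in (line.split() for line in log.splitlines()) if len(p) == 3]

def build_baseline(log):
    return {base_domain(qname) for _, _, qname in parse(log)}

def hunt(log, baseline, net=CI_NET, entropy_threshold=3.8):
    """Alert once per never-before-seen domain queried from the CI subnet."""
    alerts, seen = [], set(baseline)
    for ts, src, qname in parse(log):
        dom = base_domain(qname)
        if ipaddress.ip_address(src) not in net or dom in seen:
            continue
        seen.add(dom)
        reasons = ["first_seen_domain"]
        longest = max(qname.rstrip(".").split("."), key=len)
        if entropy(longest) >= entropy_threshold:
            reasons.append("high_entropy_label")
        alerts.append((ts, src, qname, reasons))
    return alerts

if __name__ == "__main__":
    print(hunt(TODAY_LOG, build_baseline(BASELINE_LOG)))
```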

Sources & References

Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector
Unit 42 (unit42.paloaltonetworks.com) June 30, 2026

Article Author

Jason Gomes

Tags

Phantom Squatting, LLM, AI Security, Supply Chain Attack, Hallucination, Typosquatting, Phishing, CI/CD Security