Phantom Squatting: AI-Driven Supply Chain Threat Emerges

First seen 1 Jul 2026, 10:45 UTC | Gbhackers, Feeds.4Sysops, Darkreading | 80% similarity | 66.5

Cybercriminals are exploiting a new attack vector called 'phantom squatting,' in which large language models (LLMs) generate plausible but nonexistent domains for legitimate brands. Attackers then preemptively register these hallucinated domains to host phishing kits and malware. Research from Palo Alto Networks' Unit 42 found that 685,339 queries against 913 global brands produced approximately 250,000 unique phantom domains, with over 13,220 confirmed malicious URLs. The attack lifecycle involves four phases: Discover, Act, Lure, and Bypass. Notably, in the Montana Empire case a hallucinated domain was flagged as high-risk before an attacker registered it. The vector poses a significant threat because it exploits the trust placed in LLM outputs, and the hallucinated domains lack historical telemetry, making them difficult to detect. Exploitation is ongoing, with attackers rapidly registering domains after they appear in LLM outputs.

Key Points:
• Phantom squatting involves registering AI-generated nonexistent domains for malicious use.
• Unit 42's research identified 250,000 unique phantom domains from 685,339 queries.
• Attackers can exploit the trust in LLM outputs, making detection challenging.
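
A defender-side sketch of the monitoring idea in the summary above, added here as an example and not taken from Unit 42 or any cited source: it tallies domains that LLM answers attribute to a brand but that are missing from the brand's verified list, giving a watchlist to check for new registrations. The brand AcmePost, the allowlist and the sample responses are constructed, and the two-label registrable-domain rule is a simplifying assumption.

```python
import re
from collections import Counter

# Assumption: registrable domains the (hypothetical) brand AcmePost really owns.
OFFICIAL = {"acmepost.example"}

# Constructed LLM answers to "Where do I track an AcmePost parcel?"
RESPONSES = [
    "Track parcels at https://www.acmepost.example/track.",
    "Use the official portal: acmepost-tracking.example.",
    "Go to https://acmepost-tracking.example/status or track.acmepost.example.",
    "AcmePost deliveries are listed on myacmepost.test.",
]

# Hostname: one or more dot-terminated labels followed by an alphabetic TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})\b", re.I)

def registrable(host):
    """Last two labels. Simplification: real code should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def domains_in(text):
    """Registrable domains mentioned in one LLM response, deduplicated."""
    return {registrable(h) for h in HOST_RE.findall(text)}

def phantom_watchlist(responses, official):
    """Per unverified domain, count how many responses suggested it."""
    seen = Counter()
    for text in responses:
        # Subdomains of an owned domain collapse to it and are dropped here.
        seen.update(domains_in(text) - official)
    # Most frequently hallucinated first; ties broken alphabetically.
    return sorted(seen.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for domain, hits in phantom_watchlist(RESPONSES, OFFICIAL):
        print(f"{hits} response(s) suggested unverified domain {domain}")
```

Domains that recur across many responses are the ones most worth registering defensively or placing under registration monitoring.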

ThreatCluster AI

Timeline

2026-06-30
Unit 42 report published
Unit 42 released findings on phantom squatting, detailing the generation of 250,000 unique phantom domains from LLM queries.
Darkreading
2026-07-01
Montana Empire case flagged
A hallucinated postal-ecommerce domain was flagged as high-risk 23 days before an attacker registered it.
Gbhackers
2026-07-01
Phantom squatting attack lifecycle detailed
The attack lifecycle consists of four phases: Discover, Act, Lure, and Bypass, highlighting the systematic approach of attackers.
Gbhackers