Full Report
Large language models keep inventing web addresses that do not exist. Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way. Palo Alto Networks' Unit 42 calls the trick phantom squatting, and its new research shows it is already happening in the wild. The reason it matters is
Analysis Summary
# Technique: Phantom Squatting
## Overview
Phantom squatting is a cyberattack technique where threat actors identify and register domain names that Large Language Models (LLMs) "hallucinate" (invent) when responding to user queries. Because users often trust AI-generated output, they may click these links or use them in automated workflows. Attackers capitalize on this misplaced trust by hosting phishing kits or malware on these freshly registered, neutrally-reputed domains to steal credentials and financial data.
## Technical Details
- **Type:** Technique (Sub-type of Domain Squatting / Social Engineering)
- **Platform:** Web-based (Cross-platform), Android
- **Capabilities:** Credential harvesting, financial data theft, malware distribution, brand impersonation.
- **First Seen:** Identified as "in the wild" by Palo Alto Networks Unit 42 in research published July 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Reconnaissance]**
  - [T1583.001 - Acquire Infrastructure: Domains]
- **[TA0007 - Discovery]**
  - [T1589 - Gather Victim Identity Information] (Via phishing)
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link] (Delivered via trusted AI tool)
- **[TA0005 - Defense Evasion]**
  - [T1584.004 - Compromise Infrastructure: Server] (Use of new domains with no negative reputation)
## Functionality
### Core Capabilities
- **Predictive Registration:** Attackers use AI models to predict which fake domains the AI will likely suggest for specific high-value queries (e.g., postal services, banks).
- **Phishing Kit Hosting:** Deploys "pixel-perfect" brand clones to deceive users into entering PII, card numbers, and banking details.
- **Bypassing Reputation Filters:** By using brand-new domains that have not yet been flagged by threat intelligence feeds, attackers evade automated security blocks.
### Advanced Features
- **Real-time Interaction:** Use of phishing kits (e.g., "Montana Empire") that utilize Telegram bots to allow operators to manually approve or intercept One-Time Passcodes (OTP).
- **Automated Brand Cloning:** Use of AI coding assistants to rapidly build convincing storefronts and impersonation sites.
- **Malware Delivery:** Hosting malicious mobile applications (specifically Android) disguised as official brand utilities.
## Indicators of Compromise
*Note: Specific hashes were not provided in the source article, but the following indicators are associated with the campaign.*
- **Phishing Kit Names:** Montana Empire, Lucid, Lighthouse.
- **Network Indicators:**
  - Hallucinated domains mimicking national postal services (UAE, Europe).
  - Hallucinated domains mimicking major UAE and European banks.
  - Hallucinated domains targeting sports-betting users (Bangladesh focus).
- **Behavioral Indicators:**
  - Traffic originating from AI assistant redirect links.
  - Presence of Telegram-based C2 communication for OTP interception.
## Associated Threat Actors
- **PhantomRaven** (Related campaign involving "slopsquatting" in npm packages).
- Unnamed actors using the **Montana Empire** phishing kit.
## Detection Methods
- **Proactive AI Auditing:** Security teams can "red team" LLMs by asking them the same questions as attackers to see which fake domains are generated, then defensively registering them.
- **Frequency Analysis:** Monitoring for domains that appear in LLM outputs but have very recent registration dates (e.g., registered within days of the LLM output).
- **Zero-Trust for Links:** Implementing security controls that treat all links—even those from internal AI agents—as untrusted until verified by a reputation engine.
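
The auditing and registration-age checks above can be combined into one triage pass over captured LLM output. The sketch below is an added example, not code from the Unit 42 research or this report; the domains, dates, brand allowlist and the `REGISTRATIONS` table (a stand-in for RDAP/WHOIS creation-date lookups) are all constructed assumptions.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# All values below are constructed sample data, not indicators from the report.
OFFICIAL_DOMAINS = {"examplepost.example", "examplebank.example"}  # brand-owned allowlist
# Stand-in for RDAP/WHOIS creation dates; None means the name is not registered.
REGISTRATIONS = {
    "examplepost-tracking.example": date(2026, 7, 2),
    "examplebank-login.example": None,
    "parcel-help.example": date(2015, 1, 1),
}
LLM_OUTPUT = (
    "Track your parcel at https://www.examplepost.example/track or "
    "https://track.examplepost-tracking.example/status. For banking, sign in at "
    "https://examplebank-login.example/ (official portal). See http://parcel-help.example/faq."
)
URL_RE = re.compile(r"https?://[^\s)\]>]+")

def extract_hosts(text):
    """Return the lowercase hostnames of every http(s) URL in the text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url.rstrip(".,;")).hostname  # drop sentence punctuation
        if host:
            hosts.add(host)
    return hosts

def parent_names(host):
    """The host plus each parent domain, excluding the bare TLD."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def classify(host, seen_on, window_days=30):
    """Verdict for one host, given the date the LLM output was observed."""
    names = parent_names(host)
    if any(n in OFFICIAL_DOMAINS for n in names):
        return "official"
    for n in names:
        if n in REGISTRATIONS:
            created = REGISTRATIONS[n]
            if created is None:
                return "unregistered"         # hallucinated; candidate for defensive registration
            if (seen_on - created).days <= window_days:
                return "recently-registered"  # created shortly before, or after, the LLM output
            return "unverified"               # older name, still needs a reputation check
    return "unknown"                          # no registration data: treat as untrusted

def audit(text, seen_on):
    return {h: classify(h, seen_on) for h in sorted(extract_hosts(text))}
```

Only the `official` verdict is safe to pass through; every other verdict keeps the link untrusted until a reputation engine or an analyst has reviewed it.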
## Mitigation Strategies
- **Governance:** Apply strict governance to AI agents, mapping every AI-initiated action to a human owner.
- **Verification:** Never treat LLM-generated URLs as authoritative; cross-reference them against official brand registries.
- **Developer Education:** Train developers and users on "slopsquatting" and "phantom squatting" to prevent the use of hallucinated software packages or web links.
- **Domain Monitoring:** Brands should use threat intelligence to monitor for new registrations that mirror predicted AI hallucinations.
## Related Tools/Techniques
- **Slopsquatting:** Registering non-existent software package names (npm, PyPI) suggested by AI coding assistants.
- **Typosquatting:** Registering domains with common misspellings of popular sites.
- **Living off the Land (LotL):** In this context, using the user's own trusted AI tools to deliver the malicious payload.