Unit 42: "Phantom Squatting" — registering AI-hallucinated domains to poison LLM-driven URL delivery [SINGLE-SOURCE]
From CTI Daily Brief — 2026-07-01 · published 2026-07-01
Palo Alto Networks Unit 42 described phantom squatting, a supply-chain attack class in which adversaries systematically probe production LLMs to learn which non-existent brand or vendor domains a model hallucinates when asked for URLs, then register those specific domains before defenders or brand owners react (Unit 42, 2026-07-01). When later users, or autonomous AI agents performing tool-use or browsing, ask the same or a similarly trained model for a link, they receive an authoritative-sounding recommendation pointing at attacker-controlled infrastructure. No e-mail or messaging lure is involved, so the controls built around traditional phishing-link delivery never see the URL.

The core evasion is a zero-reputation bypass: a domain registered to match a predicted hallucination has no threat-intel history, blocklist entry or reputation score at first weaponized use, defeating URL/DNS filtering that keys on accumulated reputation. Unit 42 cites a concrete case, a "Montana Empire" postal-service phishing kit that went live 23 days after Unit 42 first observed an LLM hallucinating that domain.

Distinct from package-name "slopsquatting" (hallucinated package names pre-registered on package indexes): this is domain-level and targets both human users and agent browsing. Defender takeaway: log every URL an LLM surfaces and diff it against a verified canonical-domain allowlist before it reaches a user or an agent's browsing tool; treat "brand-adjacent, recently registered, high-similarity domain" as a standalone signal independent of reputation score; and treat a brand-adjacent hallucinated domain that is still unregistered as actionable in its own right (monitor it or register it defensively), since in the cited case the attacker had a 23-day window between the hallucination and the kit going live. [SINGLE-SOURCE] — vendor research, no independent corroboration in-window.
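Added example of the defender takeaway as a pre-delivery guard (this is illustrative code written for this brief, not Unit 42's tooling or a published detection): extract every URL from a model's answer, reduce it to a registrable domain, pass allowlisted domains through, and otherwise score the domain for brand similarity and consult a registration-date lookup. The canonical allowlist, the sample LLM answer and the WHOIS/RDAP-style registration table are all constructed; the eTLD+1 reduction is a naive last-two-labels stand-in (use the public suffix list in production) and `difflib.SequenceMatcher` stands in for whatever lookalike metric a deployment prefers.

```python
"""Vet URLs an LLM surfaces before they reach a user or an agent's browsing tool.

Illustrative example for this brief; domains, dates and the model output are constructed.
"""
import re
from datetime import date
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Verified canonical domains (constructed). This list comes from brand/vendor
# owners and is maintained by the defender, never learned from the model.
CANONICAL_DOMAINS = {"examplepost.com", "vendorexample.com"}

# Stand-in for an RDAP/WHOIS creation-date lookup (constructed). None means the
# name is not registered at all, i.e. a hallucination nobody has claimed yet.
REGISTRATION_DATES = {
    "examplepost.com": date(2009, 4, 12),
    "vendorexample.com": date(2012, 8, 3),
    "examplepost-tracking.com": date(2026, 6, 20),  # registered days ago
    "exampelpost.com": None,                          # hallucinated, unregistered
}
MISSING = object()  # lookup failed: fail closed rather than guess

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")
RECENT_DAYS = 30           # "recently registered" window
SIMILARITY_THRESHOLD = 0.8  # below this the domain is off-brand, not a lookalike

# Constructed model answer: one lookalike registered 11 days before "today",
# one genuine canonical URL, one hallucinated domain that is still unregistered.
LLM_ANSWER = (
    "Track your parcel at https://examplepost-tracking.com/track?id=123 or "
    "visit the official site https://www.examplepost.com/ . If that fails, "
    "use http://exampelpost.com/status"
)


def registrable_domain(host):
    """Last two labels as a naive eTLD+1 (assumption: no multi-label public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_similarity(domain):
    """Highest similarity between the candidate's second-level label and any
    canonical second-level label; a canonical label embedded in a longer
    candidate label ("examplepost-tracking") is scored as a strong match."""
    cand = domain.split(".")[0]
    best = 0.0
    for canon in CANONICAL_DOMAINS:
        canon_label = canon.split(".")[0]
        score = SequenceMatcher(None, cand, canon_label).ratio()
        if canon_label in cand:
            score = max(score, 0.9)
        best = max(best, score)
    return best


def vet_domain(domain, today):
    """Verdict for one registrable domain, independent of any reputation feed."""
    if domain in CANONICAL_DOMAINS:
        return "allow"
    if brand_similarity(domain) < SIMILARITY_THRESHOLD:
        return "review"  # not allowlisted, but not brand-adjacent either
    created = REGISTRATION_DATES.get(domain, MISSING)
    if created is None:
        return "phantom-candidate"  # brand-adjacent and unregistered: monitor or register
    if created is MISSING:
        return "block:lookalike"  # brand-adjacent and no data: fail closed
    if (today - created).days <= RECENT_DAYS:
        return "block:recent-lookalike"  # the phantom-squatting profile
    return "block:lookalike"


def vet_llm_output(text, today):
    """Return (url, registrable_domain, verdict) for every URL in a model answer."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        findings.append((url, domain, vet_domain(domain, today)))
    return findings


if __name__ == "__main__":
    for url, domain, verdict in vet_llm_output(LLM_ANSWER, date(2026, 7, 1)):
        print(f"{verdict:24} {domain:28} {url}")
```

Wire `vet_llm_output` in front of both the chat response renderer and the agent's browsing tool, and ship every non-`allow` finding to the SIEM: `block:*` verdicts are the zero-reputation case this brief describes, and `phantom-candidate` is the window in which the defender, not the attacker, can still claim the name.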