Unit 42 — Phantom Squatting: Attackers Weaponize AI-Hallucinated Domains for Phishing and Malware

AI relevance: LLMs hallucinate plausible but fictitious domains in code and documentation — autonomous AI agents that fetch those URLs without verification become a direct supply-chain entry point for attacker-controlled infrastructure.

What happened

  • Palo Alto Networks Unit 42 coined phantom squatting: adversaries pre-register domains that LLMs consistently hallucinate for legitimate brands, then deploy phishing kits and malware on them.
  • Researchers queried two LLM families across 913 global brands, executing 685,339 adversarial prompts that produced 2.1 million URLs.
  • The output normalized to roughly 250,000 unique phantom domains — hallucinated URLs pointing to NXD (non-existent domain) names that nobody owned… yet.
  • Of the generated URLs, 13,229 were confirmed malicious via threat intel and active crawling: 67.2% delivered malware, 16.2% served phishing kits.
  • One case study — dubbed Montana Empire — saw Unit 42 flag a hallucinated postal-ecommerce domain as high-risk 23 days before an attacker registered it and deployed a full phishing kit built with an AI coding assistant.
  • The phishing kit's source contained an AI coding-assistant project directory, a PHP backend that scraped storefronts, and Telegram-based C2 for credential exfiltration.
  • Another detection: a malicious Android APK served from a hallucinated postal-app domain, registered 51 days after Unit 42 added it to their watchlist.
  • The attack bypasses reputation-based defenses entirely — new phantom domains carry zero threat-intel history, no blocklist entries, and no reputation score at birth.

Why it matters

This is the domain-level analogue of slopsquatting (hallucinated npm/PyPI package names), but the blast radius is larger. An autonomous AI agent — whether a coding assistant, a CI/CD pipeline integration, or a research bot — that follows a hallucinated URL will fetch and execute attacker-controlled content without human intervention. The LLM functions as an unwitting supply-chain dependency: its internal statistical artifacts become a proactive adversary playbook.

The zero-reputation bypass is the structural problem. Traditional URL filtering, DNS security, and threat feeds all require a domain to accumulate telemetry before they flag it. Phantom domains are born clean because they emerge from the same language patterns that make LLM output seem authoritative.

What to do

  • Treat LLM-generated URLs as untrusted third-party artifacts. Any URL produced by a model should go through the same verification you'd apply to a link from an unknown Slack message.
  • Enumerate your hallucination surface. Run your brand name and key service names through multiple LLMs at varied temperatures; monitor registration feeds for the resulting phantom domains.
  • Enforce egress controls on AI agents. CI/CD pipelines and autonomous agents should operate against an allowlisted set of domains, not arbitrary URLs from model output.
  • Add URL verification to agentic workflows. Before an agent fetches a resource, validate the domain against known-good registries and check for recent registration dates (a strong phantom-squatting signal).
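
The last two recommendations can be combined into one pre-fetch gate. The sketch below is an added example, not code from Unit 42 or from any agent framework. The allowlist, the 90-day age threshold, the sample registration data and the `registration_date_of` lookup (a caller-supplied function, for example backed by RDAP or WHOIS data) are assumptions made for illustration.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed allowlist for illustration; replace with your organisation's own.
ALLOWED_DOMAINS = {"example.com", "docs.example.org"}
MIN_DOMAIN_AGE = timedelta(days=90)  # assumed threshold, tune to your environment
# Constructed registration data standing in for a real RDAP/WHOIS source.
SAMPLE_REGISTRY = {
    "example-parcel-track.test": date(2025, 1, 10),
    "old-vendor.test": date(2015, 6, 1),
}


def on_allowlist(host, allowed=ALLOWED_DOMAINS):
    """Exact match, or subdomain on a dot boundary (evil-example.com must not pass)."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_agent_url(url, registration_date_of, today=None):
    """Return (allowed, reason) for a URL taken from model output.

    registration_date_of is a hypothetical lookup: it takes a hostname and
    returns the registration date of its domain, or None if it is unregistered.
    Only allowlisted hosts are fetched; the registration check explains why a
    denied URL looks like phantom squatting so it can be triaged or watchlisted.
    """
    today = today or date.today()
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https" or not host or not host.isascii():
        return False, "not an https URL with an ASCII host"
    if parts.username or parts.password:
        return False, "userinfo in URL"  # https://trusted@other-host/ style confusion
    if on_allowlist(host):
        return True, "allowlisted"
    registered = registration_date_of(host)
    if registered is None:
        return False, "unregistered domain (phantom candidate)"
    if today - registered < MIN_DOMAIN_AGE:
        return False, "recently registered domain"
    return False, "not on allowlist"
```

Denials with the "unregistered" or "recently registered" reason are the ones worth feeding into the registration-feed monitoring described above.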

Sources