Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector
Unit 42 researchers identified 'phantom squatting,' a novel supply chain attack vector where adversaries register web domains that LLMs consistently hallucinate for legitimate brands. By proactively mapping LLM hallucination patterns across 913 brands and 2.1 million generated URLs, researchers identified 13,229 confirmed malicious URLs and ~250,000 unregistered phantom domains. Real-world cases — including the Montana Empire phishing kit built with an AI coding assistant — demonstrate that adversaries independently converge on the same hallucinated domains, with detection lead times of 18–51 days. The threat exploits a structural, unpatchable property of LLM architectures and bypasses reputation-based defenses through zero-reputation newly registered domains.
- domainpttvm[.]comDomain used for the Montana Empire phishing campaign — hosted the phishing kit ZIP, admin panel (mentalite.php), and C2 components including panel_track.php and verify_api.php; visible in screenshot of the Montana Empire admin panel
- sha2562202a30daad9928ef47cca5f4ab04ce083692a94428e386fa01c2dd44557e34bSHA256 hash of a malicious Android APK (12.6 MB) delivered via a fraudulent mobile app landing page impersonating a national postal delivery service
- sha256eb07edaa2786cfddfa4c15526168f2200d85300aee0a8f253b32d2462a7b0bcdSHA256 hash of the Montana Empire phishing kit ZIP archive — contains full brand clone of a national postal service e-commerce marketplace with PHP backend, real-time storefront scraper, credential capture layer, and Telegram-based C2 operator control panel
- urlhxxp://pttvm[.]com/letgovip[.]zipAdditional ZIP archive hosted on the Montana Empire phishing infrastructure alongside the main phishing kit
- urlhxxp://pttvm[.]com/mentalite[.]phpMontana Empire phishing kit admin panel login page — displays 'MONTANA EMPIRE MANAGEMENT' branding with Turkish text 'Kimseye Güvenme' (Trust No One); used for operator access to victim OTP approvals and credential relays
- urlhxxp://pttvm[.]com/panel_track[.]phpTracking component of the Montana Empire phishing kit — part of the C2 operator control panel for victim management
- urlhxxp://pttvm[.]com/verify_api[.]phpAPI verification endpoint of the Montana Empire phishing kit — part of the credential interception and relay infrastructure
Detection / Hunteropenrouter
What Happened
Researchers discovered that AI language models (like the ones powering AI coding assistants and chatbots) frequently make up fake website addresses that sound real when asked about well-known brands. Attackers can figure out which fake addresses the AI will suggest and then register those domains before anyone else, creating fake websites that intercept traffic, steal credentials, or deliver malware. Because these domains are brand new, traditional security tools like URL blocklists don't recognize them as dangerous yet. The researchers found over 13,000 already-malicious URLs being recommended by AI models and about 250,000 fake domains that haven't been registered yet but could be at any time. In one real case, an attacker even used an AI coding assistant to build a phishing kit targeting a domain the researchers had predicted 23 days earlier. Organizations using AI tools in their development pipelines or autonomous AI agents should verify any web addresses AI systems generate, monitor domain registrations proactively, and ensure their security tools can detect newly registered domains serving suspicious content.
Key Takeaways
- LLMs consistently hallucinate fictitious web domains for legitimate brands; adversaries can preemptively register these 'phantom domains' to intercept traffic generated by AI systems, exploiting a zero-reputation bypass against traditional URL filtering and threat intelligence.
- Unit 42 analyzed 913 global brands across 685,339 prompts and two LLM architectures, generating 2.1 million URLs — 13,229 were confirmed malicious and approximately 250,000 unregistered phantom domains represent future attack surface.
- The Montana Empire phishing kit case demonstrates a full closed-loop AI supply chain attack: an adversary used an AI coding assistant to build a phishing kit targeting a phantom domain predicted by the research pipeline 23 days earlier.
- Adversarial Exploitation Window (AEW) — the time between initial hallucination detection and adversary registration — ranged from 18 to 51 days, providing defenders actionable lead time if they proactively map hallucination surfaces.
- Autonomous AI agents are the highest-consequence target: an agent that fetches a hallucinated URL and processes its response could exfiltrate secrets or propagate compromised dependencies without any human decision point.
Affected Systems
- Large Language Models (LLMs) used as coding assistants or autonomous agents
- Enterprise CI/CD pipelines integrating AI assistants
- Autonomous AI agent workflows performing web fetching, API calls, and resource downloads
- Android mobile devices (targeted via malicious APK delivery)
- Software supply chain dependencies relying on LLM-generated URLs
Attack Chain
An adversary probes LLMs using realistic prompts to map hallucination patterns for target brands, identifying fictitious domains the models consistently generate (Discover). The adversary then preemptively registers high-value phantom domains — sometimes staging server-side infrastructure before registration — exploiting negligible cost and near-instantaneous registration for generic TLDs (Act). When users or autonomous AI agents query the LLM, it recommends the hallucinated URL as an authoritative endpoint, directing victims to attacker-controlled infrastructure without traditional phishing lures (Lure). The newly registered domain carries zero threat intelligence history, no reputation score, and no blocklist entries, bypassing conventional URL defenses; attackers maintain evasion through redirect cloaking and CAPTCHA-protected infrastructure (Bypass). In the Montana Empire case, the attacker also used an AI coding assistant to build the phishing kit itself, closing the loop between AI-assisted attack development and AI-driven attack delivery.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Palo Alto Networks Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Prisma AIRS, Koi Agentic Endpoint Security
No open detection rules (YARA, Sigma, Snort/Suricata, KQL, SPL, EQL) are provided in the article. Palo Alto Networks products (Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Prisma AIRS, Koi Agentic Endpoint Security) have been updated with indicators from this research. Full unredacted IOCs are available on request from Unit 42.
Detection Engineering Assessment
EDR Visibility: Medium — EDR would detect the malicious APK file hash and the ZIP archive hash if they are on disk, and could flag suspicious process behavior from the phishing kit's PHP backend or Telegram C2 communication. However, the core phantom squatting vector — an LLM generating a hallucinated URL that a user or agent visits — occurs at the network/application layer and may not produce EDR-visible signals unless the downloaded artifact is executed. Network Visibility: High — Network monitoring can detect DNS resolution of newly registered phantom domains, HTTP requests to suspicious URLs generated by LLMs, and C2 communication patterns (e.g., Telegram API calls from phishing kit infrastructure). DNS logging and proxy logs would capture the initial redirect to attacker-controlled domains. Detection Difficulty: Hard — The zero-reputation bypass means traditional reputation-based defenses have no signal at the time of weaponization. Proactive detection requires mapping LLM hallucination surfaces — a capability most organizations lack. Reactive detection depends on content analysis of newly registered domains, which requires active crawling and ML-based classification. The redirect cloaking and CAPTCHA protections further complicate automated content analysis.
Required Log Sources
- DNS resolution logs (for newly registered domain detection)
- Web proxy logs (for URL access patterns from AI agents or developer tools)
- EDR process and file creation logs (for downloaded APK/ZIP artifacts)
- WHOIS registration event streams (for proactive phantom domain monitoring)
- LLM interaction logs (for auditing URLs generated by AI coding assistants)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for DNS queries to newly registered domains (within 0-7 days of registration) originating from developer workstations or CI/CD pipeline servers, especially where the domain name resembles a known brand's naming patterns but is not in the brand's legitimate domain portfolio. | DNS logs, passive DNS, WHOIS registration feeds, web proxy logs | Initial Access / Delivery | Medium — legitimate new domains from brand acquisitions, product launches, or defensive registrations by the brand itself would trigger false positives. Cross-referencing with known brand domain portfolios can reduce noise. |
| If you have visibility into LLM interaction logs from AI coding assistants, consider hunting for generated URLs that resolve to NXD or newly registered domains, particularly those containing brand names with atypical TLDs or subdomain patterns. | LLM prompt/response logs, AI assistant audit logs, DNS resolution logs | Reconnaissance / Discovery | Low to Medium — LLMs generate many URLs; filtering for NXD responses and cross-referencing with domain registration data narrows the scope to actionable signals. |
| Consider hunting for web requests to PHP endpoints on newly registered domains that exhibit patterns consistent with phishing kit infrastructure (e.g., mentalite.php, panel_track.php, verify_api.php), particularly when combined with Telegram API calls from the same server. | Web proxy logs, network flow logs, IDS signatures for known phishing kit patterns | Command and Control / Exfiltration | Low — the combination of specific PHP endpoint names, new domain registration, and Telegram API calls from the same host is highly specific to phishing kit C2 infrastructure. |
| Consider hunting for Android APK downloads from non-marketplace sources, especially domains impersonating postal services, banks, or e-commerce platforms with recently registered WHOIS records. | EDR file download events, web proxy logs, DNS logs | Execution / Persistence | Low — sideloading APKs from non-marketplace sources is unusual in enterprise environments, particularly from newly registered domains. |
| If you have autonomous AI agents in your environment, consider hunting for HTTP requests initiated by agent processes to domains that were registered within the past 30 days, as these may represent phantom squatting exploitation of agent workflows. | Process network connection logs, DNS logs, agent execution logs | Initial Access / Execution | Medium — legitimate agent workflows may access new APIs or services; correlation with domain registration age and brand similarity scoring is needed to reduce false positives. |
Control Gaps
- Reputation-based URL filtering and threat intelligence feeds provide no coverage for zero-reputation newly registered phantom domains at the time of weaponization
- Traditional phishing detection relying on email lures misses phantom squatting entirely, as the delivery vector is the LLM's own output rather than a phishing email
- Standard package integrity checks and dependency auditing tools do not cover URL-level hallucinations embedded in code or documentation
- Lack of LLM output auditing — most organizations do not log or validate URLs generated by AI coding assistants or autonomous agents
- WHOIS-based proactive domain monitoring is not typically integrated into SOC workflows for brand-adjacent domain registration alerts
Key Behavioral Indicators
- DNS queries to domains registered within 0-7 days that closely resemble legitimate brand domain patterns but are not in the brand's known domain portfolio
- HTTP requests from AI agent or coding assistant processes to newly registered domains or NXD responses
- PHP endpoint patterns on suspicious domains consistent with phishing kit infrastructure (e.g., panel_track.php, verify_api.php, mentalite.php)
- Telegram API calls originating from web server infrastructure (indicating Telegram-based C2 for credential exfiltration)
- APK file downloads from non-marketplace URLs on newly registered domains impersonating postal services or financial institutions
- AI coding assistant project directories found within phishing kit archives (indicating AI-assisted attack development)
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the identified IOCs (SHA256 hashes, domain pttvm.com, and associated URLs) on your endpoint, network, and DNS security controls if applicable.
- If your organization uses AI coding assistants or autonomous AI agents, consider auditing recent LLM-generated URLs in development pipelines and agent logs for domains that resolve to NXD or newly registered infrastructure.
- Evaluate whether your DNS security solution supports newly registered domain (NRD) filtering; if so, consider enabling alerts for NRD access from developer workstations and CI/CD pipeline servers.
- Consider requesting the full unredacted IOC list from Unit 42 if your organization is a customer or has an existing relationship.
Infrastructure Hardening
- Consider implementing proactive phantom domain monitoring by querying your organization's LLM deployments for hallucinated brand-adjacent domains and enrolling them in a domain registration watchlist.
- If supported by your web proxy or secure web gateway, consider enforcing content analysis and re-routing for HTTP requests to domains registered within the past 7-14 days, especially those matching brand naming patterns.
- Evaluate whether your CI/CD pipelines can integrate a URL validation step that checks LLM-recommended endpoints against domain reputation and registration age before they are committed to production code.
- Consider implementing network segmentation to restrict autonomous AI agent web access to allowlisted domains where feasible, reducing the risk of phantom domain exploitation.
User Protection
- Consider deploying endpoint controls that flag or block APK downloads from non-marketplace sources, particularly from newly registered domains.
- If your organization provides AI coding assistants to developers, consider implementing output validation that cross-references generated URLs against domain registration data and threat intelligence before presenting them to users.
- Evaluate whether your mobile device management (MDM) policy can restrict sideloading of Android applications from untrusted sources.
Security Awareness
- Consider incorporating phantom squatting awareness into existing developer security training, emphasizing that URLs generated by AI coding assistants should be independently verified before integration into code or documentation.
- If your organization runs security awareness programs, consider adding guidance for employees who use AI chatbots or agents: treat AI-recommended web addresses with the same skepticism as links in unsolicited emails.
- Consider briefing development teams on the Montana Empire case study as a concrete example of how AI-assisted attack development and AI-driven attack delivery form a closed-loop threat.
- Where applicable, consider establishing a process for developers to report suspicious AI-generated URLs to the security team for analysis.
MITRE ATT&CK Mapping
- T1583.001 - Acquire Infrastructure: Domains
- T1566.002 - Phishing: Spearphishing Link
- T1204.002 - User Execution: Malicious File
- T1105 - Ingress Tool Transfer
- T1071.001 - Application Layer Protocol: Web Protocols
- T1584 - Compromise Infrastructure
- T1059.004 - Command and Scripting Interpreter: Unix Shell
Additional IOCs
- File Paths:
[redacted]post.apk- Malicious Android application package filename delivered via fraudulent postal service landing page at [redacted]post-app[.]com[redacted].zip- Filename of the Montana Empire phishing kit ZIP archive as hosted on the phishing domain; brand name redacted in source article
- Other:
[redacted]post-app[.]com- Phantom domain used to deliver malicious Android APK impersonating a national postal delivery service; AEW of 51 days; domain partially redacted in source article[redacted]-login[.]com- Phantom domain targeting an online sports betting operator in Bangladesh; credential-harvesting clone with Bengali-language content; AEW of 45 days; domain partially redacted[redacted]-es[.]org- Phantom domain targeting a competing sports betting operator; registered in coordinated 18-minute window with [redacted]-login[.]com by same actor; AEW of 40 days; domain partially redacted[redacted]business[.]com- Phantom domain targeting a major UAE commercial bank; corporate IT credential harvester using fraudulent branding; negative AEW of -11 months (historical validation of structurally inevitable hallucination); domain partially redacted[redacted]empresas[.]com- Phantom domain targeting a regional European retail bank; re-registration event detected; AEW of 35 days; domain partially redacted