TempMail Ninja
//

Phantom Squatting: How AI Hallucinations Enable New Cyberattacks

7 min read
TempMail Ninja
Phantom Squatting: How AI Hallucinations Enable New Cyberattacks

In the rapidly transforming cyber threat landscape, security researchers have witnessed the birth of a highly sophisticated new attack vector that flips traditional digital trust models on their head. On June 30, 2026, Palo Alto Networks’ Unit 42 released a seminal threat intelligence report exposing Phantom Squatting, a modern threat paradigm where cybercriminals weaponize the natural, predictable domain hallucinations of Large Language Models (LLMs). Rather than waiting for a human user to mistype a URL, threat actors are now preemptively registering nonexistent domains that AI models regularly invent when prompted for official resources, developer APIs, or software packages.

This represents a fundamental security shift. Historically, defensive security relied heavily on the assumption that malicious intent originated from active outbound campaigns, such as spear-phishing emails, malvertising, or black-hat search engine optimization. Phantom Squatting removes the adversary from the initial delivery phase entirely. Instead, the victim’s own trusted AI assistant—whether it is a developer co-pilot, a corporate chatbot, or an autonomous AI agent—actively directs the user to an attacker-controlled, malicious landing page. Because LLMs have become deeply integrated into software development pipelines and everyday business workflows, this vulnerability represents an immediate threat to modern software supply chains and enterprise data integrity.

Understanding Phantom Squatting: The Anatomy of an AI Hallucination

To grasp the mechanics of Phantom Squatting, one must first understand why LLMs hallucinate URLs in the first place. LLMs are autoregressive token predictors; they generate text by estimating the mathematical probability of the next word (or token) based on patterns learned during their training phase. They do not possess an active database of “real” versus “fake” websites, nor do they natively verify internet connectivity before suggesting a link. When prompted to provide an official download link, a specific package documentation URL, or a corporate portal address, the model’s primary objective is to output a plausible-looking response.

Because official brand URLs often follow predictable structural formulas (such as api.brandname.com or brandname-support.com), the LLM naturally generates these exact syntax combinations. However, if the brand has never registered that specific subdomain or variation of its name, the LLM has effectively created a “phantom” domain. This hallucination process is not random. Due to the deterministic nature of token probability distributions, different LLM architectures frequently converge on the exact same nonexistent URLs when presented with identical queries. The attack sequence unfolds systematically:

  • Target Identification: Attackers query various LLMs with highly structured prompts regarding targeted brands, developer libraries, or service APIs.
  • Hallucination Harvesting: The threat actors extract the hallucinated, nonexistent domains from the LLM responses.
  • Preemptive Registration: The adversaries programmatically register these available domains before the brand or any defensive entity notices the gap.
  • Infrastructure Deployment: Malicious actors stand up phishing kits, fake package repositories, or malware delivery infrastructure on these newly acquired domains.
  • Passive Ingestion: Unwitting developers, employees, or autonomous CI/CD agents ask the LLM for assistance, receive the hallucinated link, and navigate straight into the attacker’s infrastructure.

The Structural Collapse of Traditional Security Controls

What makes Phantom Squatting exceptionally dangerous is its complete immunity to legacy security perimeters. Traditional network security, secure email gateways, and DNS firewalls are heavily dependent on historical telemetry and reputation-based filtering. The defensive calculus assumes that before a domain is blocked, it must first “misbehave”—meaning it must be detected in a spam campaign, associated with known malware command-and-control (C2) servers, or flagged by early-warning threat feeds.

When an attacker utilizes Phantom Squatting, they exploit a clean slate. A newly registered phantom domain is born “clean,” meaning it has zero history, no bad reputation, and has never appeared on a blocklist. Traditional reputation scoring models will categorize it as a neutral, newly registered domain (NRD) at worst, which many standard enterprise policies allow. By the time threat feeds synchronize and flag the domain as malicious, the developer has already pulled a contaminated package, or the executive has already input corporate credentials into a highly convincing replica portal. The attack bypasses social engineering controls entirely; the user does not need to be coerced into clicking a link because their highly trusted AI companion recommended it.

Quantifying the Crisis: Unit 42’s Empirical Findings

The scale of this threat is not merely theoretical. To evaluate the actual attack surface, Unit 42 researchers conducted a massive empirical study targeting the world’s most prominent organizations. The sheer volume of the data compiled illustrates how aggressively threat actors are beginning to leverage this vector:

  • Comprehensive Target Profiling: Researchers analyzed 913 global brands spanning critical sectors, including technology, finance, healthcare, e-commerce, logistics, and government.
  • Mass-Scale Querying: The team executed 685,339 precise URL queries across multiple configurations and temperature settings of two distinct, major LLM families.
  • Explosive Output Volume: The queries yielded an astonishing 2.1 million unique generated URLs.
  • Active Weaponization: Over 13,229 of the hallucinated URLs were found to be actively registered by malicious actors and hosting active threats, such as phishing kits and malware loaders.
  • Unexploded Ordnance: Crucially, the researchers identified approximately 250,000 unregistered hallucinated domains. These remain completely exposed, serving as a massive, low-cost inventory for cybercriminals to acquire and exploit.

Furthermore, the research demonstrated that turning up an LLM’s “creativity” setting (its temperature parameter) significantly increases the output of hallucinated domains, creating an even larger surface area of highly plausible, yet completely fictitious, web addresses.

Case Study in the Wild: The ‘Montana Empire’ Phishing Campaign

A remarkable real-world incident documented by Unit 42 provides definitive proof of how quickly adversaries can close the gap from LLM hallucination to active exploitation. On March 8, 2026, Unit 42’s predictive threat pipeline, which continuously monitors LLM outputs for high-risk hallucinations, flagged a specific fictitious domain designed to mimic a national postal service’s online marketplace. The domain was generated consistently across both tested AI models and at every temperature setting—indicating a near-certainty that users would eventually be served this exact link.

Exactly 23 days later, an attacker registered that precise domain. The bad actor did not merely buy the domain; they utilized an AI coding assistant to programmatically build a fully functional, highly evasive phishing kit dubbed “Montana Empire”. This kit was specifically tailored to steal citizen credentials and payment data under the guise of the national postal service. The convergence of AI-assisted attack generation (building the phishing kit) and LLM-driven attack delivery (the hallucinated domain recommendation) represents the first fully documented lifecycle of a closed-loop AI threat. It proves that adversaries are actively monitoring the same AI outputs that corporate employees use daily, buying up the virtual real estate beforehand.

Software Supply Chain Disruption: From Slopsquatting to Phantom Squatting

While the immediate threat of Phantom Squatting revolves around corporate credential harvesting and phishing, its long-term impact on the software supply chain is far more insidious. This vector represents an evolution of “slopsquatting”—a term previously coined to describe when AI coding assistants hallucinate non-existent software package names (like those on npm, PyPI, or NuGet).

With slopsquatting, developers are tricked into installing fictitious packages that attackers have preemptively uploaded to public registries. With Phantom Squatting, the risk moves deeper into infrastructure. Modern engineering organizations are rapidly deploying autonomous AI agents directly within Continuous Integration and Continuous Delivery (CI/CD) pipelines to automate coding, research API endpoints, fetch dependencies, and write deployment scripts. If an autonomous agent relies on a hallucinated domain to pull a CDN resource, download an external library, or configure an API webhook, the threat actor controlling that domain can inject malicious payloads directly into the build environment. Because the agent executes these processes programmatically, there is no human-in-the-loop to double-check the legitimacy of the URL, creating an open backdoor directly into production software.

Defending the Enterprise: A Proactive Blueprint for CISOs

In the era of agentic AI and hallucinating models, reactive cybersecurity is dead. Protecting an enterprise from Phantom Squatting demands a shift toward predictive, AI-aware defense systems. Security leaders must implement a multi-layered mitigation framework to close this emerging gap:

  • Proactive Hallucination Monitoring: Organizations must actively query the LLMs they deploy internally to discover what domain variations are being generated in relation to their own brand names. By preemptively buying up these hallucinated domains, brands can secure their digital perimeter before attackers do.
  • AI-Aware Domain Filtering: Traditional DNS controls must be augmented with predictive URL filtering. Modern tools, such as Advanced URL Filtering and Advanced DNS Security, can dynamically intercept newly registered domains that correlate with known LLM hallucination patterns.
  • Strict CI/CD Egress Controls: Enterprises must implement rigorous egress filtering within development and build pipelines. Allowing build environments to freely fetch resources from unverified, newly registered domains is highly risky. Pip and npm configurations should be strictly locked down, utilizing private registries and strict allowlists.
  • Agentic Endpoint Security: As autonomous AI agents take actions on local machines and servers, agentic endpoint protection tools (like Palo Alto’s Koi Agentic Endpoint Security) must monitor agent behavior to ensure they are not autonomously executing commands or downloading assets from untrusted, hallucinated domains.
  • Comprehensive LLM Guardrails: Implement robust security middleware (such as Prisma AIRS) to inspect outbound prompts and inbound LLM completions. These guardrails
TN

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.