Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page.
This isn’t merely an illusion. It’s the next frontier of web attacks where attackers use generative AI (GenAI) to build a threat that’s loaded after the victim has already visited a seemingly innocuous webpage. In other words, this article demonstrates a novel attack technique where a seemingly benign webpage uses client-side API calls to trusted large language model (LLM) services for generating malicious JavaScript dynamically in real time.
Read more…
Source: Palo Alto Unit 42
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Data of 72 million Under Armour customers appears on the dark web
January 22, 2026
When reports first emerged in November 2025 that sportswear giant Under Armour had been hit by the Everest ransomware group, the story sounded depressingly familiar: a big brand, a huge trove of data, and a lot of unanswered questions. Since then, the narrative around what actually happened has split into two competing versions—cautious corporate statements on ...
- The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time
January 22, 2026
Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page. This isn’t merely an illusion. It’s the next frontier of web attacks where attackers use generative AI (GenAI) to build a threat that’s loaded after the victim has already visited ...
- Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware
January 22, 2026
In late December 2025, EmEditor, a highly extensible and widely used text, code, and CSV editor developed by U.S.-based Emurasoft, published a security advisory warning users that its download page had been compromised. The attackers’ objective was to distribute a compromised version of the program to unsuspecting users. EmEditor has longstanding recognition within Japanese developer communities ...
- A new LinkedIn phishing scam is targeting executives online
January 21, 2026
Business executives and IT admins are being targeted by a highly sophisticated phishing attack which doesn’t happen in the email inbox but rather – on LinkedIn. Security researchers ReliaQuest said they saw a new attack that combines legitimate Python pentesting projects, DLL sideloading, and fake job ads, to infect “high-value targets” with remote access trojans ...
- Peruvian Peaks: The digital loan illusion
January 21, 2026
Crossing the Andes, we found ourselves in the digital valleys of Peru, where a new variation of the loan scam awaited us. Much like the schemes in Brazil, these operations played on hope and desperation, luring victims with promises of financial relief. The setup was so convincing that it seemed like help was just within ...
- From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers
January 19, 2026
On December 8, 2025, Koi.ai published their findings about a campaign specifically targeting software developers through weaponized Visual Studio Code extensions. Here, Trend Micro will provide a more in-depth analysis of the multistage delivery of the Evelyn information stealer. Evelyn implements multiple anti-analysis techniques to evade detection in research and sandbox environments. It collects system information ...