Cyber Security

Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware

Major language models often establish web addresses that do not exist. Attackers have started buying up those domains before anyone else can, and then hosting phishing pages on them to capture traffic that AI tools point their way.

Palo Alto Networks’ Unit 42 calls the trick phantom squattingand its new research shows that it already occurs in the wild.

The main reason is trust. Developers and AI assistants are increasingly treating links as models as real. If a model creates a domain that doesn’t exist yet, whoever registers it first gains all that undeserved trust, with no phishing email and no malicious advertising required.

To measure the problem, Unit 42 asked two AI models 685,339 questions about 913 well-known brands across technology, finance, health, government, gambling, and other sectors.

The models generated 2.1 million links. Threat scientists have already marked 13,229 of them as malicious, which means the AI ​​was pulling out known bad addresses. About 250,000 fake domains were currently unowned, each with a perfect target for whoever registers it first.

How phantom squatting works

The attack works because the new domain has no reputation. Block lists, threat feeds, and reputation effects all require a site to misbehave for a while before flagging it.

A newly registered phantom domain has no such record, so those filters have nothing to flag. By the time they catch, the victim has already been sent to the site with a tool they trust.

Two details make it worse. The false domains were not in the training data: both models were sent before the real malicious sites existed, so the addresses came from the language patterns of the models, not from memory. And those patterns are consistent.

Different models often establish the same pseudo-domain for the same query, making it easier to guess the attacker’s next target. Creating “artistic” settings for the model only produces more artificial domains. As the Unit 42 researchers put it, the vector “exploits the structure of LLM structures that remain unfixable in nature.”

Two cases are considered

Two cases show a full loop. On March 8, 2026, the Unit 42 program predicted that AI models would establish a domain similar to the online marketplace of the national postal service. Both models performed at all temperature settings, which is a strong indication that they are treating the fake site as genuine.

Twenty-three days later, on March 31, the attacker registered that same domain and got up with a phishing kit called Montana Empire. The kit copied the original store front in real time. It stole card numbers, bank transfer details and national identity data.

The Telegram bot allows operators to manually enable one-time passcodes for victims. Giveaway: leftover project files and session logs showed a hacker who built a kit with an AI coding assistant. The attacker and defender accessed the same fake domain in the same way, by querying the AI.

In the second case, Unit 42 marked the domain with warts a full 51 days before the attacker registered it. The attacker then wrapped it in a pixel-perfect brand clone, added a fake 4.8 star rating and a claim of over 2 million users, and used it to push a malicious Android app.

Other sites found included a major UAE bank that the attacker had been exploiting for a year, a European bank, and sports betting sites targeting Bangladeshi users.

An old trick with a new target

Phantom squatting is the domain version of slopsquattingwhere attackers register fake software package names created by AI coding tools. That is not an idea.

A large study of USENIX found code generation models that often implied missing package names, and the PhantomRaven campaign turned that behavior into malware hidden in 126 npm packages with more than 86,000 installations.

It points to a major change: the output of the model becomes the input. Engineers, agents, and security teams make links to AI-generated names before anyone can verify them, and AI keeps reducing the time defenders have to react.

It also comes in a world where phishing is now a paid service, with the likes of Lucid and Lighthouse stopping 17,500 fake domains against 316 brands in 74 countries.

What to do

Because the models appear to be static, security teams can map out which fake domains the model is likely to generate and watch anyone sign up, often with weeks of warning. For everyone, the practical steps are simple:

  • Don’t trust a link just because an AI gave it to you. Make sure the domain is a real, legitimate one before you type the password or paste it into the code.
  • Keep AI agents from automatically opening or downloading model-generated links without a check. An agent does not have a sense of doubt in the way that a human would.
  • Treat anything the model writes as an unconfirmed draft, not an authority.

That window is open, and it rewards whoever moves first. The real question, since Unit 42 is independent, is whether defenders or attackers get to these sites quickly.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button