Unit 42 uncovers escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 researchers document a 282% increase in Kubernetes-related threat actor operations over the past year, with the IT sector accounting for 78% of observed activity. Two real-world case studies are analyzed: a North Korean Slow Pisces (Lazarus) intrusion at a cryptocurrency exchange involving stolen Kubernetes service account tokens used to pivot into financial infrastructure, and exploitation of CVE-2025-55182 (React2Shell), a critical React Server Components deserialization vulnerability that gave attackers code execution inside Kubernetes pods within two days of public disclosure. Both attacks follow a common pattern: gain initial access via misconfiguration or vulnerability, steal mounted service account tokens, then escalate privileges across the cluster and into cloud services. The post maps attack behaviors to MITRE ATT&CK techniques (T1190, T1528) and covers post-exploitation tooling including Peirates, TeamPCP, and VoidLink. Defensive recommendations include enforcing least-privilege RBAC, using short-lived projected service account tokens, enabling Kubernetes audit logging, and deploying runtime workload monitoring.

Understanding Current Threats to Kubernetes Environments

Practical Kubernetes Configurations for Security Teams