Palo Alto Networks Unit 42 published research on June 30, 2026 documenting a novel and structurally difficult-to-fix attack vector: phantom squatting. By exploiting the tendency of large language models to hallucinate plausible-but-non-existent domain names and package identifiers, attackers are pre-registering predicted phantom assets before defenders even know they exist — then weaponizing them weeks later.
What Is Phantom Squatting?
Traditional typosquatting relies on human error: a user accidentally types micosoft.com instead of microsoft.com. Phantom squatting is different. It exploits a structural property of LLM architectures — the tendency to generate statistically plausible text rather than factually accurate text.
When you ask an LLM about a brand, a software package, or a security tool, it doesn't retrieve information from a database. It generates a statistically likely-sounding answer. That means it regularly invents domains, package names, and URLs that don't exist — but sound like they should.
Phantom squatting is the practice of identifying which hallucinated names models consistently produce, then registering them as real domains or packages before the real organization does.
Unit 42's Research: The Scale Is Alarming
Unit 42 conducted a systematic study of this phenomenon:
- They queried two AI models 685,339 times about 913 well-known brands
- The models produced 2.1 million links in response
- 13,229 of those links were already flagged as malicious
- Approximately 250,000 invented domains had no registrant — ready to be claimed
What makes this particularly dangerous is consistency: different models often hallucinate the same fake domain for the same prompt. This predictability turns phantom squatting from opportunistic to systematic. An attacker doesn't need to guess — they can query the model themselves, identify consistently hallucinated domains, and register them in bulk.
A Real-World Case: The Montana Empire Kit
Unit 42 didn't just theorize about this threat — they documented a live exploitation in March 2026.
Researchers predicted that a specific AI model would consistently hallucinate a domain resembling a real postal service marketplace. They noted it as a candidate for phantom squatting.
23 days after the prediction, an attacker registered the hallucinated domain and deployed the Montana Empire phishing kit on it. The kit:
- Scraped the real postal service storefront in real time to display genuine product listings
- Captured card numbers, bank transfer details, and national IDs entered by victims
- Used a Telegram bot for real-time OTP interception and approval
- Was partially built with an AI coding assistant (confirmed via session logs)
The victim saw a convincing replica of a real storefront. The domain was newly registered with no threat reputation. Blocklists had no history on it. Standard defenses saw nothing.
Related: Slopsquatting in Package Ecosystems
Phantom squatting has a direct analog in software supply chain security: slopsquatting (also called package hallucination). AI coding assistants regularly suggest import statements for packages that don't exist but sound plausible given the task. Attackers monitor these hallucinated package names and publish malicious versions to npm, PyPI, and other repositories under those names.
The PhantomRaven campaign (documented in parallel research) demonstrates the scale of this threat:
- 126 malicious npm packages were registered using hallucinated package names
- Those packages accumulated 86,000+ installs before detection
- Developers trusted the installs because their AI assistant had recommended the package
Why This Threat Is Structurally Hard to Fix
Unit 42 describes phantom squatting as exploiting "a structural property of LLM architectures that remains inherently unpatchable." LLMs generate statistically plausible text — that's what makes them useful. Eliminating hallucinations entirely would require a fundamentally different architecture. Until then:
- Models will keep inventing domain names
- Different users querying the same model get the same hallucinated names
- Attackers can predict which names to register by querying the model themselves
There's no patch, no model update, and no content filter that eliminates this vector.
Defensive Opportunities
Despite the structural challenge, defenders have actionable options — because hallucination consistency is a double-edged sword:
Pre-map hallucinated domains: Organizations can systematically query LLMs about their own brand names and products, identify consistently hallucinated variants, and pre-register or monitor them before attackers do. Unit 42's methodology offers several weeks of lead time in many cases.
Monitor newly registered domains: Phantom squatted domains are newly registered with no history. DNSTWIST, Palo Alto's PDNS, and commercial threat feeds can alert on registrations matching brand patterns — catching weaponization early.
Audit AI-generated code imports: Any package name suggested by an AI coding assistant should be verified against the actual registry before installation. Tools like socket.dev can flag newly published packages matching hallucination patterns.
Developer education: Treat AI-suggested package names as unverified until confirmed against a canonical source. "The AI told me to import it" is not sufficient validation.
Privileged workflow isolation: Agentic AI workflows with no human-in-the-loop are especially vulnerable — an AI agent that browses hallucinated URLs or installs hallucinated packages can compromise an entire pipeline without a human ever noticing.
Phantom squatting is a reminder that AI systems don't just introduce new capabilities — they introduce new attack surfaces. Every place an LLM generates a domain name, a package name, or a URL is a potential phantom squatting opportunity. The organizations that map that surface proactively are the ones who won't be caught off guard by the next Montana Empire.