Severity rationale: The threat is actively exploited in the wild, bypasses traditional reputation-based defenses, and targets the critical software supply chain via trusted AI tools.
Phantom Squatting: Exploiting AI-Hallucinated Domains in the Supply Chain
A new attack vector called 'Phantom Squatting' exploits the tendency of AI models to hallucinate plausible web domains. Attackers register these non-existent domains to intercept traffic from developers and autonomous AI agents who trust the model's output. Real-world cases confirm this is an active threat, with attackers using AI to build phishing kits targeting these predicted hallucinations.
Key Facts
- Exploitation: Exploited in the wild
- Affected versions: Models using LLM-generated URLs or domains in autonomous agents and AI-assisted coding environments
Summary
Researchers have identified a new supply chain attack vector termed "Phantom Squatting," where adversaries register and weaponize domain names that Large Language Models (LLMs) consistently hallucinate. This technique allows attackers to intercept traffic from AI-driven agents, developers using AI coding assistants, and automated CI/CD pipelines that trust LLM-generated URLs. Unit 42 has confirmed that this vector is already being exploited in the wild; in one case, a phishing kit appeared on a domain the researchers had already predicted would be hallucinated.
What happened
Research into 913 global brands revealed that LLMs frequently suggest plausible but non-existent web domains for APIs, documentation, and corporate portals. Across over 685,000 queries, researchers found 13,229 confirmed malicious URLs already registered and 250,000 "phantom domains" that remain unregistered but are predicted to be hallucinated by AI.
The attack follows a four-stage lifecycle:
- Discover: Adversaries probe LLMs to map "hallucination surfaces"—domains the AI suggests for specific brands.
- Act: Attackers preemptively register these domains.
- Lure: Users or AI agents, trusting the LLM output, navigate to the malicious domain.
- Bypass: Traditional reputation-based security filters often fail because these domains are "born clean" with no prior history or bad reputation.
Why it matters
This shifts the software supply chain attack surface from predictable artifacts (like library dependencies) to the LLM's internal vocabulary. Because these domains are generated by the AI's own patterns, they appear legitimate to both human developers and autonomous agents. The researchers noted that they could predict domain registrations 18–51 days before an adversary actually registered them, highlighting a significant window of vulnerability.
Affected systems
- AI Coding Assistants: Tools that suggest API endpoints or documentation links.
- Agentic AI / Autonomous Agents: Systems that perform web research and execute HTTP requests based on LLM-generated URLs.
- CI/CD Pipelines: Automated workflows that integrate AI-recommended third-party service endpoints.
- Enterprise Branding: Organizations whose brand names may be used in hallucinated administrative or API domains (e.g., api.targetbrand-dev.com).
Recommended actions
Defenders should treat LLM outputs as untrusted data, specifically when those outputs involve network infrastructure. Hardening should focus on verifying every link suggested by an AI tool before it is integrated into production code or documentation. Organizations should also monitor their brands for suspicious registrations that mimic plausible internal or partner-facing naming conventions frequently output by LLMs.
Technical details
Phantom Squatting leverages the probabilistic nature of LLMs, which predict the next token of a URL as a plausible string rather than a verified fact. Attackers use 'adversarial hallucination probing' to find these recurring patterns. When an LLM generates a URL like 'hxxps[:]//api.[brand]-services[.]io', the attacker ensures they own that domain. Because the domain did not exist at the time of the LLM's training and has no history of user traffic, it carries no negative reputation (a 'zero-reputation' state), allowing it to bypass legacy blocklists and security gateways.
Detection & hunting
Hunting & Monitoring
- Newly Registered Domains (NRD): Monitor for NRDs that match the brand name but follow 'hallucination-style' patterns (e.g., adding suffixes like -api, -portal, -cloud, or -dev to the brand).
- Log Analysis: Audit HTTP logs and proxy traffic for requests originating from AI agent user-agents or developer IPs directed toward zero-reputation domains that match brand keywords.
- AI Tooling Logs: If using enterprise AI assistants, review prompts and outputs for URL generation to identify domains that do not exist or are not owned by the organization.
Recommended actions
Immediate Mitigation
- Treat all LLM-generated URLs as untrusted and perform manual or automated validation before use in code or configuration.
- Implement strict URL filtering that defaults to blocking 'Newly Registered Domains' (NRDs) within development environments.
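As an added example (not code from the article or from Unit 42's research), a Python guardrail that applies the hunting patterns above to URLs in assistant output before they reach code or configuration: it flags hosts the organisation does not own, brand-plus-suffix hallucination patterns, and newly registered domains. The brand, owned domains, NRD feed and sample reply are constructed stand-ins.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample data (not from the article): protected brand, registrable domains the
# organisation owns, and a stand-in NRD feed mapping registrable domain -> registration date.
BRAND = "targetbrand"
OWNED_DOMAINS = {"targetbrand.com"}
NRD_FEED = {"targetbrand-dev.com": date(2024, 5, 2), "targetbrand-api.io": date(2024, 5, 9)}
TODAY, NRD_WINDOW_DAYS = date(2024, 5, 20), 30  # frozen clock keeps the example deterministic
SUFFIXES = {"api", "portal", "cloud", "dev", "services"}  # hallucination-style suffixes from the article
URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")

def registrable_domain(host):
    # Crude eTLD+1 (last two labels); a real deployment should use the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_owned(host):
    return registrable_domain(host) in OWNED_DOMAINS

def looks_hallucinated(host):
    # Unowned domain whose first label is the brand alone or brand + hallucination suffix (targetbrand-dev.com).
    parts = registrable_domain(host).split(".")[0].split("-")
    return not is_owned(host) and BRAND in parts and all(p in SUFFIXES for p in parts if p != BRAND)

def is_nrd(host, today=TODAY):
    # "Born clean": registered inside the NRD window, so reputation feeds have nothing on it yet.
    registered = NRD_FEED.get(registrable_domain(host))
    return registered is not None and (today - registered).days <= NRD_WINDOW_DAYS

def vet_llm_output(text):
    # One verdict per URL in assistant output: 'allow' only for hosts we own, otherwise
    # 'review:' plus every reason it must be checked before it reaches code or configuration.
    verdicts = {}
    for url in (u.rstrip(".,;") for u in URL_RE.findall(text)):
        host = urlparse(url).hostname or ""
        checks = (("not-owned", not is_owned(host)),
                  ("hallucination-pattern", looks_hallucinated(host)),
                  ("nrd", is_nrd(host)))
        reasons = [name for name, hit in checks if hit]
        verdicts[url] = "review:" + ",".join(reasons) if reasons else "allow"
    return verdicts

# Constructed assistant reply: one real endpoint and two plausible-looking phantoms.
LLM_OUTPUT = ("Call https://api.targetbrand.com/v2 in prod; docs are at "
              "https://docs.targetbrand-dev.com/start and https://api.targetbrand-services.io/v1.")

if __name__ == "__main__":
    for url, verdict in vet_llm_output(LLM_OUTPUT).items():
        print(f"{verdict:42} {url}")
```

In production, replace the constructed NRD feed with a registration-date lookup and the owned-domain set with the organisation's actual inventory; the verdicts are meant to gate a pull request or agent tool call, not to be logged and ignored.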
Harden AI Workflows
- Incorporate brand-specific 'hallucination surface' monitoring into Threat Intelligence workflows.
- Provide developer training emphasizing the risks of using AI-generated API endpoints or documentation links without verification.
Detection and Monitoring
- Deploy advanced DNS security solutions that examine zero-reputation domains for behavioral anomalies.
Disclaimer: CyberBrief HQ articles are for informational purposes only and do not constitute security advice for any specific environment. Always validate guidance against your own controls and vendor advisories before acting.
