Nation-State Actors Weaponize ROADtools for Cloud Intrusions, Unit 42 Warns
Unit 42 warns that nation-state threat actors are actively weaponizing the open-source ROADtools framework for Azure AD reconnaissance, token theft, and persistent cloud access.

The open-source offensive security framework ROADtools has crossed the line from red-team utility to a weapon wielded by nation-state actors in cloud intrusions, according to a new report from Palo Alto Networks' Unit 42. Published on May 22, 2026, the research details how adversaries leverage ROADtools' legitimate Microsoft API interactions to enumerate Entra ID environments, steal authentication tokens, and establish persistent access while evading detection.
ROADtools, written in Python, consists of two primary modules. The `roadrecon` module performs deep discovery within Entra ID (formerly Azure AD), extracting users, groups, roles, devices, service principals, and directory configuration. Results are stored in a local SQLite database and browsed through a bundled web interface, giving an attacker a graphical map of the organization's identity infrastructure. The `roadtx` (Token eXchange) module drives OAuth 2.0 and OpenID Connect flows, letting an attacker acquire and exchange tokens, register devices, replay stolen tokens, and sidestep multi-factor authentication by reusing tokens whose MFA claim has already been satisfied rather than triggering a fresh challenge.
A key part of ROADtools' appeal to adversaries is that it operates entirely through legitimate Microsoft APIs and lets the operator set arbitrary user-agent strings, so malicious traffic blends in with normal administrative activity. Unit 42 notes that the original `roadrecon` module queries the Azure AD Graph API, which Microsoft is retiring. A community-maintained fork has partially migrated to the Microsoft Graph API; the resulting fragmentation means functionality differs between versions, but either version still enumerates Entra ID resources effectively.
Unit 42 traces nation-state misuse of ROADtools back to late 2021, when Microsoft first reported Cloaked Ursa (APT29 / Midnight Blizzard) using the framework after spear-phishing campaigns. More recently, a targeted phishing campaign in early 2025 involved tooling matching ROADtools' token management capabilities. The report highlights that ROADtools serves discovery, persistence, and defense evasion, three of the tactics that define advanced persistent threat operations.
The report provides straightforward hunting queries to detect ROADtools usage, focusing on anomalous Graph API calls, device registration patterns, and token refresh sequences. Unit 42 also offers practical mitigations, including monitoring for rogue device registrations, enforcing Conditional Access policies, and requiring token binding (Microsoft's token protection control) so that a stolen token cannot be replayed from a device other than the one it was issued to.
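The three signals above translate naturally into log-level rules. The following is an added example, not code from the Unit 42 report or from the ROADtools project: it runs three hunts over constructed Entra ID sign-in records whose field names follow the Microsoft Graph `signIn` resource (`userPrincipalName`, `resourceId`, `userAgent`, `createdDateTime`, `ipAddress`). The resource IDs for Azure AD Graph, Microsoft Graph, Device Registration Service, Azure Resource Manager and Exchange Online are Microsoft's well-known first-party IDs; the thresholds, time windows and the expected user-agent allowlist are assumptions to tune per tenant, and the sample records are constructed for the example.

```python
"""Hunting for ROADtools-style activity in Entra ID sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known first-party resource IDs (stable across tenants; confirm in your own logs).
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"   # legacy Azure AD Graph (retiring)
MS_GRAPH = "00000003-0000-0000-c000-000000000000"
DEVICE_REG = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"  # Device Registration Service
ARM = "797f4846-ba00-4fd7-ba43-dac1f8f63013"         # Azure Resource Manager
EXO = "00000002-0000-0ff1-ce00-000000000000"         # Exchange Online

# Assumption: user-agent prefixes your admins legitimately present to the Graph APIs.
EXPECTED_GRAPH_AGENTS = ("Mozilla/", "azsdk-", "Microsoft.Graph.PowerShell")


def _rec(ts, upn, app, resource, ip, ua):
    """Build a minimal sign-in record in the shape of a Graph signIn export."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app,
            "resourceId": resource, "ipAddress": ip, "userAgent": ua}


# Constructed sample: one normal admin session and one ROADtools-shaped session.
SAMPLE_SIGNINS = [
    _rec("2025-03-04T09:00:00Z", "admin@contoso.example", "Azure Portal", MS_GRAPH,
         "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    _rec("2025-03-04T09:05:00Z", "admin@contoso.example", "Microsoft Graph Command Line Tools",
         MS_GRAPH, "203.0.113.10", "Microsoft.Graph.PowerShell/2.0"),
    # Legacy Azure AD Graph hit from a scripting client, then a device registration
    # followed by tokens for several unrelated resources within minutes.
    _rec("2025-03-04T10:00:00Z", "victim@contoso.example", "Azure Active Directory PowerShell",
         AAD_GRAPH, "198.51.100.7", "python-requests/2.31.0"),
    _rec("2025-03-04T10:02:00Z", "victim@contoso.example", "Microsoft Authentication Broker",
         DEVICE_REG, "198.51.100.7", "Dsreg/10.0 (Windows 10.0.19041.1)"),
    _rec("2025-03-04T10:03:00Z", "victim@contoso.example", "Microsoft Office", MS_GRAPH,
         "198.51.100.7", "python-requests/2.31.0"),
    _rec("2025-03-04T10:04:00Z", "victim@contoso.example", "Microsoft Azure CLI", ARM,
         "198.51.100.7", "python-requests/2.31.0"),
    _rec("2025-03-04T10:06:00Z", "victim@contoso.example", "Microsoft Office", EXO,
         "198.51.100.7", "python-requests/2.31.0"),
]


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def anomalous_graph_calls(records, expected_agents=EXPECTED_GRAPH_AGENTS):
    """Graph API sign-ins with a user agent admins do not normally present.
    Every Azure AD Graph hit is reported regardless of agent: the API is being
    retired, so legitimate use should be rare enough to review by hand."""
    hits = []
    for r in records:
        if r["resourceId"] not in (AAD_GRAPH, MS_GRAPH):
            continue
        ua = r.get("userAgent", "")
        if r["resourceId"] == AAD_GRAPH or not ua.startswith(expected_agents):
            hits.append((r["userPrincipalName"], r["resourceId"], ua))
    return hits


def device_registration_then_tokens(records, window=timedelta(minutes=30), min_resources=3):
    """A device registration followed within `window` by tokens for several distinct
    resources from the same user: a freshly registered device being used as a token source."""
    by_user = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_user[r["userPrincipalName"]].append(r)
    hits = []
    for upn, rows in by_user.items():
        for i, reg in enumerate(rows):
            if reg["resourceId"] != DEVICE_REG:
                continue
            t0 = _ts(reg)
            later = [x for x in rows[i + 1:] if _ts(x) - t0 <= window]
            resources = {x["resourceId"] for x in later} - {DEVICE_REG}
            if len(resources) >= min_resources:
                hits.append((upn, reg["createdDateTime"], sorted(resources)))
    return hits


def token_request_bursts(records, window=timedelta(minutes=5), threshold=4):
    """At least `threshold` sign-ins from one user and IP inside `window`: the cadence
    of a scripted token-refresh loop rather than an interactive session."""
    keyed = defaultdict(list)
    for r in records:
        keyed[(r["userPrincipalName"], r["ipAddress"])].append(_ts(r))
    hits = []
    for key, times in keyed.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    for name, fn in (("graph", anomalous_graph_calls),
                     ("devreg", device_registration_then_tokens),
                     ("bursts", token_request_bursts)):
        for hit in fn(SAMPLE_SIGNINS):
            print(name, hit)
```

Run against a real export, only the constructed `SAMPLE_SIGNINS` list needs replacing; the rules key on resource IDs and timing rather than on tool-specific strings, which is the point when the tool lets its operator choose the user agent.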
Palo Alto Networks customers are protected through Cortex Cloud, Cortex XDR/XSIAM, and the Unit 42 Cloud Security Assessment service, which reviews cloud infrastructure for misconfigurations. The report underscores a broader trend: nation-state actors increasingly repurpose legitimate open-source offensive tools to lower the barrier to sophisticated cloud attacks, making detection and response more challenging for defenders.
As cloud adoption accelerates, the weaponization of tools like ROADtools signals that identity-layer attacks are becoming the new frontier in cyber espionage. Organizations must assume that stealth enumeration of their Entra ID tenants is an early indicator of a targeted intrusion campaign.