Cybersecurity

Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack

2025-10-31 0 views admin
Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack

A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack.

Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009, where "CL" stands for cluster and "STA" refers to state-backed motivation.

"Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management," security researchers Kristopher Russo and Chema Garcia said in an analysis. "It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads."

Unit 42 said the .NET variant of Airstalk is equipped with more capabilities than its PowerShell counterpart, suggesting it could be an advanced version of the malware.

The PowerShell variant, for its part, utilizes the "/api/mdm/devices/" endpoint for C2 communications. While the endpoint is designed to fetch content details of a particular device, the malware uses the custom attributes feature in the API to use it as a dead drop resolver for storing information necessary for interacting with the attacker.

Once launched, the backdoor initializes contact by sending a "CONNECT" message and awaits a "CONNECTED" message from the server. It then receives various tasks to be executed on the compromised host in the form of a message of type "ACTIONS." The output of the execution is sent back to the threat actor using a "RESULT" message.

"Some tasks require sending back a large amount of data or files after Airstalk is executed," Unit 42 said. "To do so, the malware uses the blobs feature of the AirWatch MDM API to upload the content as a new blob."

The .NET variant of Airstalk expands on the capabilities by also targeting Microsoft Edge and Island, an enterprise-focused browser, while attempting to mimic an AirWatch Helper utility ("AirwatchHelper.exe"). Furthermore, it supports three more

Source: The Hacker News

🏷️ Tags

hacksecuritymalwareai

More from Cybersecurity

Lastpass 2022 Breach Led To Years-long Cryptocurrency Thefts, Trm...

Lastpass 2022 Breach Led To Years-long Cryptocurrency Thefts, Trm...

2025-12-25 0
Fortinet Warns Of Active Exploitation Of Fortios SSL VPN 2fa Bypass...

Fortinet Warns Of Active Exploitation Of Fortios SSL VPN 2fa Bypass...

2025-12-25 0
Cisa Flags Actively Exploited Digiever Nvr Vulnerability Allowing...

Cisa Flags Actively Exploited Digiever Nvr Vulnerability Allowing...

2025-12-25 0
Fake Mas Windows Activation Domain Used To Spread Powershell Malware

Fake Mas Windows Activation Domain Used To Spread Powershell Malware

2025-12-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views