A new, sophisticated malware campaign dubbed Airstalk has been uncovered by Palo Alto Networks’ Unit 42, which links the activity to a suspected nation-state threat actor.
The malware, which exists in both PowerShell and .NET variants, belongs to an activity cluster that Unit 42 tracks as CL-STA-1009.
The campaign is believed to be part of a broader supply chain attack, targeting trusted enterprise environments through compromised management systems.
When MDM Becomes the Backdoor
Airstalk abuses the AirWatch API, part of VMware’s Workspace ONE Unified Endpoint Management platform.
Instead of using traditional command-and-control (C2) infrastructure, Airstalk turns the MDM system itself into a covert communications channel.
According to Palo Alto Networks researchers, the malware uses legitimate AirWatch features — such as custom device attributes and file uploads — to exchange data secretly with its operators.
This allows attackers to blend into normal enterprise traffic and evade detection.
The PowerShell variant establishes persistence via scheduled tasks and uses the API’s /api/mdm/devices/ endpoint for communication.
It can execute multiple commands, including taking screenshots, harvesting browser cookies and history, collecting bookmarks, and exfiltrating files.
The stolen data is uploaded using the MDM’s blob storage function, which the malware repurposes for data exfiltration.
Airstalk Evolves with the .NET Variant
The more advanced .NET version of Airstalk builds upon these capabilities with additional features, targeting not only Google Chrome but also Microsoft Edge and Island, an enterprise-focused browser.
It masquerades as a legitimate AirWatch utility, AirwatchHelper.exe, adding stealth and persistence through multi-threaded execution and new message types such as MISMATCH, DEBUG, and PING.
Each execution thread in the .NET variant serves a specific role: task management, beaconing, and log exfiltration.
The malware continuously uploads debugging logs, executes attacker-defined tasks, and exfiltrates sensitive information.
Among its capabilities are browser profile extraction, file enumeration, cookie dumping, and URL manipulation. Some functions appear incomplete, suggesting active development.
Further investigation revealed that several .NET samples were signed with a likely stolen certificate issued to Aoteng Industrial Automation (Langfang) Co., Ltd. — a legitimate Chinese company.
The certificate was revoked within minutes of issuance, which suggests the attackers used it quickly to gain trust before the revocation took effect.
The Supply Chain in the Crosshairs
While the exact distribution vector remains unknown, Unit 42 suspects the malware was deployed through a supply chain compromise, potentially targeting the business process outsourcing (BPO) sector.
Such organizations often act as intermediaries with privileged access to client networks, making them high-value targets for espionage.
BPOs provide specialized services to multiple clients simultaneously, often operating outside direct corporate security controls.
A successful intrusion into one of these vendors can grant attackers indirect access to multiple downstream organizations.
As Unit 42 notes, this strategy mirrors recent high-profile supply chain intrusions that exploited trusted third-party software and service providers.
The CL-STA-1009 cluster appears to be part of a broader nation-state effort to infiltrate enterprises indirectly by compromising the digital supply chains they rely upon.
With Airstalk’s stealth and flexibility, adversaries can observe network behavior, harvest credentials, and sustain long-term access — all while masquerading as legitimate management activity.
Defense in a Compromised Ecosystem
Airstalk’s use of trusted enterprise APIs as a C2 mechanism represents an emerging and dangerous trend.
By embedding malicious activity into systems designed for security and administration, attackers bypass traditional perimeter defenses and endpoint detection solutions.
Moreover, the ability to steal browser cookies and session data could allow adversaries to hijack authenticated sessions and impersonate users across critical systems.
This risk multiplies when attackers compromise service providers managing multiple clients, potentially exposing sensitive data across entire industries.
To defend against similar threats, organizations can layer security controls that include:
- Continuous behavioral monitoring to detect unusual API usage or data transfer patterns.
- Restricting API access and enforcing least privilege principles within MDM systems.
- Validating the integrity of code-signing certificates and monitoring for newly issued or revoked certificates.
- Employing threat intelligence and endpoint detection capable of identifying API abuse and covert channels.
- Conducting regular supply chain risk assessments and third-party audits.
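As an added illustration of the behavioral monitoring the first bullet calls for (example code written here, not Unit 42's or VMware's), the following Python scans constructed MDM API audit lines and flags devices whose writes under /api/mdm/devices/ resemble regular attribute-based beaconing or bulk blob uploads. The log format, the thresholds, and the customattributes and blobs sub-paths are assumptions, not documented AirWatch API details.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Audit line shape (assumed): "<ISO time> <device> <method> <path> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) (/api/mdm/devices/\S*) (\d+)$")

# Constructed sample log. DEV-0001 writes a custom attribute every 30 s and then
# pushes two large blobs; DEV-0002 shows ordinary, infrequent admin activity.
SAMPLE_LOG = """\
2025-10-01T09:00:00 DEV-0001 GET /api/mdm/devices/0001 0
2025-10-01T09:00:30 DEV-0001 PUT /api/mdm/devices/0001/customattributes 600
2025-10-01T09:01:00 DEV-0001 PUT /api/mdm/devices/0001/customattributes 610
2025-10-01T09:01:30 DEV-0001 PUT /api/mdm/devices/0001/customattributes 590
2025-10-01T09:02:00 DEV-0001 PUT /api/mdm/devices/0001/customattributes 605
2025-10-01T09:02:05 DEV-0001 POST /api/mdm/devices/0001/blobs 4200000
2025-10-01T09:02:20 DEV-0001 POST /api/mdm/devices/0001/blobs 3900000
2025-10-01T09:00:00 DEV-0002 GET /api/mdm/devices/0002 0
2025-10-01T13:42:00 DEV-0002 PUT /api/mdm/devices/0002/customattributes 120
"""

def parse(log):
    """Group parsed events by device: (timestamp, method, path, bytes)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, dev, method, path, size = m.groups()
            events[dev].append((datetime.fromisoformat(ts), method, path, int(size)))
    return events

def analyse(log, min_writes=4, max_jitter=5.0, upload_limit=5_000_000):
    """Return {device: [finding, ...]} for devices whose API writes look like
    beaconing (evenly spaced attribute writes) or bulk exfiltration (blob volume)."""
    findings = defaultdict(list)
    for dev, evs in parse(log).items():
        attr_times = sorted(t for t, m, p, _ in evs
                            if m in ("PUT", "POST") and "customattributes" in p)
        if len(attr_times) >= min_writes:
            gaps = [(b - a).total_seconds() for a, b in zip(attr_times, attr_times[1:])]
            if pstdev(gaps) <= max_jitter:  # low jitter between writes = timer-driven
                findings[dev].append(f"regular attribute writes every ~{sum(gaps)/len(gaps):.0f}s")
        uploaded = sum(s for _, m, p, s in evs if m == "POST" and "/blobs" in p)
        if uploaded > upload_limit:
            findings[dev].append(f"{uploaded} bytes uploaded to blob storage")
    return dict(findings)

if __name__ == "__main__":
    for dev, notes in analyse(SAMPLE_LOG).items():
        print(dev, "->", "; ".join(notes))
```

Thresholds should be tuned against a baseline of the organisation's own MDM traffic, since legitimate inventory sync also writes attributes on a schedule.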
Blending In to Break In
The Airstalk campaign highlights the growing sophistication of nation-state cyber operations.
By exploiting trusted enterprise management tools, attackers can blend seamlessly into normal network activity, quietly exfiltrating sensitive data over time.
As the boundary between legitimate administration and malicious behavior fades, defenders must evolve — focusing not just on known indicators of compromise but on detecting the subtle behavioral anomalies that reveal hidden threats before they escalate into full-scale supply chain breaches.
