Chinese cyberespionage campaign targets key Asian sectors

A previously undocumented threat actor believed to be linked to China has been targeting high-value organizations across South, Southeast, and East Asia in a long-running cyber espionage campaign.

The campaign, tracked by Palo Alto Networks Unit 42, has been attributed to a threat actor tracked as CL-UNK-1068. Researchers say the attackers have targeted organizations in critical sectors including aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications.

The group uses a diverse toolkit combining custom malware, modified open-source utilities, and legitimate system tools to maintain long-term access inside compromised networks.

The attackers deploy several well-known web shell tools, including Godzilla and ANTSWORD, as well as the Linux backdoor Xnote and Fast Reverse Proxy (FRP) to maintain remote access. The tools have previously been associated with multiple Chinese cyber operations.

Typical attacks begin with the exploitation of vulnerable web servers. Once access is gained, the attackers deploy web shells, move laterally through networks, and collect sensitive files from targeted systems. Researchers found the group specifically searched for files such as web.config, .aspx, .dll, and other server components in Windows web server directories.

The hackers also gathered browser history, spreadsheets, and database backups from compromised machines. The group was observed using an unusual method for data exfiltration that involved compressing files with WinRAR, encoding them with the Windows certutil command, and printing the encoded text through the web shell instead of transferring files directly.
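The staging-and-encoding chain described above leaves a recognisable process trail. The following is an added detection example, not code from Unit 42 or from this article, that scans constructed process-creation events for an archiver run or a certutil -encode invocation and raises the severity when the parent is a web server worker process; the w3wp.exe parent and the process-name lists are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not taken from the Unit 42 report),
# flattened to "parent|image|command line". Treating w3wp.exe (the IIS worker
# process) as the parent of a web shell's child processes is an assumption.
SAMPLE_EVENTS = [
    "w3wp.exe|cmd.exe|cmd.exe /c whoami",
    "w3wp.exe|rar.exe|rar.exe a C:\\inetpub\\temp\\out.rar C:\\inetpub\\wwwroot\\web.config",
    "w3wp.exe|certutil.exe|certutil -encode C:\\inetpub\\temp\\out.rar C:\\inetpub\\temp\\out.txt",
    "explorer.exe|certutil.exe|certutil -hashfile C:\\Users\\a\\setup.msi SHA256",
    "services.exe|certutil.exe|certutil /encode C:\\data\\report.pdf C:\\data\\report.b64",
]

# Assumed process names; extend these to match the web stack actually deployed.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe"}
# certutil accepts both "-encode" and "/encode"; \b keeps "-encodehex" from matching.
ENCODE_FLAG = re.compile(r"(?:^|\s)[-/]encode\b", re.IGNORECASE)
ARCHIVE_ARG = re.compile(r"\.(?:rar|zip|7z)\b", re.IGNORECASE)


def analyze(events: List[str]) -> List[Dict[str, object]]:
    """Return one finding per event that matches the staging/encoding chain."""
    findings = []
    for line in events:
        parent, image, cmdline = line.split("|", 2)
        parent, image = parent.lower(), image.lower()
        reasons = []
        if image == "certutil.exe" and ENCODE_FLAG.search(cmdline):
            reasons.append("certutil used to base64-encode a file")
            if ARCHIVE_ARG.search(cmdline):
                reasons.append("input is an archive")
        elif image in ARCHIVERS:
            reasons.append("archiver executed")
        if not reasons:
            continue  # unrelated use, e.g. certutil -hashfile
        if parent in WEB_WORKERS:
            reasons.append("spawned by web server worker %s" % parent)
        severity = "high" if len(reasons) >= 2 else "medium"
        findings.append({"image": image, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"], f["image"], "; ".join(f["reasons"]))
```

In a real deployment the same logic would run over Sysmon event ID 1 or EDR process telemetry, and the printed base64 text would additionally show up as an unusually large HTTP response from the web shell URL.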

Researchers also observed the attackers exploiting legitimate Python executables to perform DLL side-loading attacks, allowing malicious programs to run while appearing as normal system processes.

In addition, the group used credential-stealing tools such as Mimikatz and several custom utilities to extract passwords, map networks, and harvest data from Microsoft SQL Server environments.