Since at least 2020, a China-affiliated cyber-espionage group tracked as CL-UNK-1068 has been covertly attacking critical infrastructure across South, Southeast, and East Asia. According to security researchers at Unit 42 (Palo Alto Networks), the campaign targets organizations in the aviation, energy, government, law enforcement, technology, and telecommunications sectors.
Although a financial motive cannot be ruled out entirely, the researchers assess that the group's primary objective is espionage: collecting sensitive data from strategically important targets.

Threat Evaluation and Attack Methods

CL-UNK-1068 combines living-off-the-land binaries (LOLBINs), open-source tools, and custom malware to compromise both Linux and Windows systems. Initial access is usually obtained through web shells such as GodZilla and AntSword, which are widely used by Chinese threat actors for remote administration of compromised servers.
Once inside, the operators use DLL side-loading: a legitimate Python interpreter (python.exe) is abused to load a malicious library named python20.dll, whose payload is then executed in memory. Because the process that runs the code is a trusted, signed binary, conventional antivirus software often fails to flag it. For lateral movement, CL-UNK-1068 runs a custom Go-based scanner called ScanPortPlus to discover networked hosts and exploitable weaknesses.
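The side-loading technique described above leaves a distinctive footprint in image-load telemetry (Sysmon Event ID 7 or equivalent): a trusted python.exe loading a runtime DLL that does not belong to its installation. The following detection logic is an added example, not code from Unit 42 or from the campaign; the event records are constructed, and the rules beyond the python20.dll file name (directory mismatch, unsigned DLL) are generic side-loading heuristics, not indicators from the report.

```python
"""Flag python.exe side-loading a rogue python*.dll in Sysmon-style image-load events."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (simplified Sysmon Event ID 7 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Python311\python.exe",
     "ImageLoaded": r"C:\Python311\python311.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\py\python.exe",
     "ImageLoaded": r"C:\Users\Public\py\python20.dll", "Signed": "false"},
    {"Image": r"C:\Python311\python.exe",
     "ImageLoaded": r"C:\Windows\Temp\python311.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

# python20.dll is the file name reported for this campaign. The remaining checks are
# heuristics (assumption: a legitimate runtime DLL sits beside python.exe and is signed).
KNOWN_BAD_DLLS = {"python20.dll"}
RUNTIME_DLL = re.compile(r"^python\d{2,3}\.dll$", re.IGNORECASE)


def classify(event):
    """Return the reasons an image-load event looks like side-loading ([] if benign)."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() != "python.exe" or not RUNTIME_DLL.match(loaded.name):
        return []
    reasons = []
    if loaded.name.lower() in KNOWN_BAD_DLLS:
        reasons.append("known side-loaded DLL name")
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    if loaded.parent != image.parent:
        reasons.append("runtime DLL loaded from outside the interpreter directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned runtime DLL")
    return reasons


def find_sideloads(events):
    """Map each suspicious ImageLoaded path to the reasons it was flagged."""
    hits = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            hits[event["ImageLoaded"]] = reasons
    return hits


if __name__ == "__main__":
    for path, why in find_sideloads(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```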
For long-term persistence the group relies on a modified Fast Reverse Proxy (FRP) build that carries Chinese-language identifiers and a unique authentication token, frpforzhangwei. On Linux servers the attackers deploy the Xnote backdoor, which takes instructions over a command-and-control (C2) channel and can launch Distributed Denial-of-Service (DDoS) attacks using UDP and SYN floods. The group also places considerable emphasis on credential theft and data exfiltration.
Rather than performing direct file transfers, which could raise suspicion, the operators compress configuration files with WinRAR, Base64-encode the archive, and print the resulting text straight to the terminal. Researchers have also observed credential material being extracted directly from memory with tools such as Mimikatz, DumpIt, and LsaRecorder. Overall, the threat actors draw on a varied toolkit of offensive utilities for both intrusion and persistence.
Web shells such as GodZilla and AntSword are typically used to gain initial access and to move laterally across compromised servers. In some intrusions a malicious python20.dll is side-loaded through python.exe to execute shellcode directly in memory.

Organizations ought to:
- Block tunneling tools and unapproved proxies.
- Use modern endpoint security tooling, such as Cortex XDR, to identify anomalous process activity.
- Update Next-Generation Firewall Threat Prevention signatures (94655, 91671, 91662).
- Use tools like Cortex Xpanse to identify and secure internet-exposed assets.

This ongoing espionage activity highlights the growing sophistication of China-linked cyber operations against Asia's critical infrastructure.