Airstalk Malware Exploits VMware Workspace ONE UEM APIs in Sophisticated Nation-State Supply Chain Attack
- Rescana

Executive Summary
A newly identified malware family, Airstalk, has emerged as a significant threat in the cybersecurity landscape, representing a sophisticated supply chain attack attributed to a suspected nation-state actor. Airstalk leverages the trusted AirWatch (now VMware Workspace ONE UEM) MDM API as a covert command-and-control (C2) channel, enabling attackers to exfiltrate sensitive browser data and screenshots from compromised endpoints. The malware is distributed in both PowerShell and .NET variants, with the latter exhibiting advanced multi-threaded capabilities and modular design. The campaign primarily targets business process outsourcing (BPO) providers, exploiting their privileged access to infiltrate multiple client environments. The attackers employ a stolen code-signing certificate to evade detection, and the abuse of legitimate enterprise management infrastructure allows the malware to blend seamlessly into normal network activity. This report provides a comprehensive technical analysis of Airstalk, its tactics, techniques, and procedures (TTPs), observed exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
The threat actor behind Airstalk is tracked as activity cluster CL-STA-1009 by Palo Alto Networks Unit 42. While there is no direct attribution to a specific advanced persistent threat (APT) group, the use of a stolen code-signing certificate issued to a Chinese industrial automation company and the observed TTPs suggest a likely Chinese nexus. The actor demonstrates a high level of operational security, leveraging supply chain vectors to gain initial access and utilizing trusted enterprise management APIs for C2 and data exfiltration. The campaign’s focus on BPO providers indicates a strategic intent to maximize access to downstream client environments, consistent with the objectives of state-sponsored cyber-espionage operations. The actor’s technical sophistication is further evidenced by the rapid revocation of the stolen certificate and the modular, evolving nature of the malware.
Technical Analysis of Malware/TTPs
Airstalk is distributed in two primary variants: a PowerShell script and a compiled .NET binary. Both variants exploit the AirWatch/Workspace ONE UEM API, specifically the /api/mdm/devices/ endpoint for C2 communications and the /api/mam/blobs/uploadblob endpoint for file exfiltration. The malware encodes C2 messages as JSON objects within custom device attributes, effectively creating a “dead drop” channel that is difficult to distinguish from legitimate MDM traffic.
The PowerShell variant is relatively straightforward, supporting tasks such as screenshot capture, Chrome browser cookie theft, file listing, and the exfiltration of Chrome profiles, bookmarks, and history. It achieves persistence via scheduled tasks and can self-uninstall upon command. The .NET variant is significantly more advanced, featuring multi-threaded C2 communication, support for additional browsers including Microsoft Edge and Island Browser, and the ability to exfiltrate debug logs. It implements a versioning system (with versions 13 and 14 observed in the wild), supports beaconing, and can uninstall itself by setting a specific flag in the MDM API. Notably, the .NET binaries are signed with a stolen certificate from Aoteng Industrial Automation (Langfang) Co., Ltd., which was revoked within minutes of issuance, indicating a high level of operational discipline.
The C2 protocol is designed for stealth and resilience. Message types include CONNECT, CONNECTED, ACTIONS, and RESULT in the PowerShell variant, with the .NET variant adding MISMATCH, DEBUG, and PING messages. The use of trusted MDM infrastructure for C2 and exfiltration allows the malware to bypass traditional network security controls, as traffic to the MDM API is typically whitelisted in enterprise environments. The modular architecture of Airstalk suggests ongoing development, with several unimplemented tasks observed in the codebase.
Exploitation in the Wild
The initial access vector for the Airstalk campaign is believed to be a supply chain compromise, specifically targeting BPO providers with privileged access to multiple client environments. Once inside a BPO network, the attackers deploy Airstalk to managed Windows endpoints, leveraging the MDM infrastructure to move laterally and maintain persistence across organizational boundaries. The malware exfiltrates browser data and screenshots via the MDM API, using blob uploads to conceal the transfer of sensitive files. The use of signed binaries and timestamp manipulation further complicates detection, as the malware appears to be a legitimate, trusted application. The campaign has been observed in the wild since at least mid-2024, with ongoing development and refinement of the malware’s capabilities.
Victimology and Targeting
The primary victims of the Airstalk campaign are BPO providers, which serve as critical nodes in the supply chains of numerous organizations across various sectors. By compromising BPOs, the attackers gain access to a wide array of client environments, amplifying the impact of the attack. The geographic focus of the campaign is not explicitly stated in public reporting, but the use of a Chinese code-signing certificate and the TTPs employed suggest a likely focus on organizations with strategic value to Chinese state interests. Any enterprise leveraging BPO services, particularly those with privileged access to sensitive business systems, should consider itself at elevated risk. The targeting of endpoints with Chrome, Microsoft Edge, or Island Browser installed further indicates a focus on harvesting credentials and session data for subsequent exploitation.
Mitigation and Countermeasures
Organizations are strongly advised to implement a multi-layered defense strategy to mitigate the risk posed by Airstalk and similar supply chain threats. Continuous monitoring for anomalous use of MDM APIs, particularly the creation or modification of custom device attributes and the use of blob uploads, is essential. Security teams should audit all code-signing certificates in use within their environment and block any that are known to be compromised, including the certificate issued to Aoteng Industrial Automation (Langfang) Co., Ltd. Scheduled tasks on managed endpoints should be regularly reviewed for signs of unauthorized persistence mechanisms. Proactive threat hunting for the provided indicators of compromise (IOCs), including file hashes, certificate details, and suspicious API usage, should be conducted using EDR, XDR, and SIEM platforms. Behavioral monitoring for unusual browser data access and exfiltration patterns can help detect malicious activity that evades traditional signature-based defenses. Finally, organizations should ensure that access to MDM APIs is tightly controlled, with strong authentication and least-privilege principles enforced.
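As an added example (not code from the original report or from Unit 42's research), the following Python sketch applies the monitoring advice above to MDM API access logs: it flags write requests under /api/mdm/devices/ whose JSON body carries any of the Airstalk message types listed in the technical analysis, and uploads to /api/mam/blobs/uploadblob that name the browser artifacts the malware exfiltrates. The log line format, caller names and sample lines are constructed assumptions for this example, not a Workspace ONE log format.

```python
import json
import re

# Endpoints named in the analysis: attribute writes are the C2 "dead drop", blob uploads the exfil path.
C2_ENDPOINT = "/api/mdm/devices/"
EXFIL_ENDPOINT = "/api/mam/blobs/uploadblob"
# Message types reported for the PowerShell variant plus the .NET-only additions.
C2_MESSAGE_TYPES = {"CONNECT", "CONNECTED", "ACTIONS", "RESULT", "MISMATCH", "DEBUG", "PING"}
ARTIFACT_RE = re.compile(r"(cookies|history|bookmarks|\.png$)", re.I)  # browser data / screenshots
# Constructed log format (an assumption, not a Workspace ONE format): METHOD PATH user=CALLER body=RAW
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) user=(?P<user>\S+) body=(?P<body>.*)$")

def c2_tokens(node) -> set:
    """Collect every JSON key or string value that is a known C2 message type, wherever it sits."""
    found = set()
    if isinstance(node, dict):
        for key, val in node.items():
            found |= ({key} & C2_MESSAGE_TYPES) | c2_tokens(val)
    elif isinstance(node, list):
        for val in node:
            found |= c2_tokens(val)
    elif isinstance(node, str) and node in C2_MESSAGE_TYPES:
        found.add(node)
    return found

def scan_log(lines) -> list:
    """Flag attribute writes carrying C2-style JSON and blob uploads of browser artifacts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than aborting the scan
        method, path, user, body = m.group("method", "path", "user", "body")
        if method in ("POST", "PUT", "PATCH") and path.startswith(C2_ENDPOINT):
            try:
                tokens = c2_tokens(json.loads(body))
            except ValueError:
                tokens = set()  # attribute value is not JSON, so there is no message type to match
            if tokens:
                alerts.append({"rule": "mdm_attribute_c2_dead_drop", "user": user, "tokens": sorted(tokens)})
        elif method == "POST" and path == EXFIL_ENDPOINT and ARTIFACT_RE.search(body):
            alerts.append({"rule": "blob_upload_browser_artifact", "user": user, "body": body})
    return alerts

# Constructed sample: benign attribute write, C2 dead drop, benign upload, suspicious upload.
SAMPLE_LOG = [
    'PUT /api/mdm/devices/12345/customattributes user=helpdesk1 body={"attrs":[{"name":"AssetTag","value":"A-1029"}]}',
    'PUT /api/mdm/devices/12345/customattributes user=svc-automation body={"attrs":[{"name":"x","value":{"type":"CONNECT","id":"7"}}]}',
    "POST /api/mam/blobs/uploadblob user=packaging body=filename=app.msi",
    "POST /api/mam/blobs/uploadblob user=svc-automation body=filename=Cookies",
]
```

Matching on message-type strings alone will produce false positives where legitimate attribute values happen to use the same words, so the dead-drop rule is best correlated with the caller identity and with blob uploads from the same account.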
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our platform empowers security teams to identify emerging threats, prioritize remediation efforts, and ensure compliance with industry best practices. For more information about how Rescana can help safeguard your organization against supply chain attacks and other advanced threats, we invite you to contact us.
We are happy to answer questions at ops@rescana.com.