CL-UK-1068: China-linked cyber-espionage campaign attacking critical sectors in Asia


A recent report by Palo Alto Networks Unit 42 has revealed a persistent campaign attributed to a China-linked actor that has been targeting high-value organizations in South, South-East and East Asia. According to the researchers, targets include sensitive sectors such as aviation, energy, government agencies, security forces, pharmaceuticals, technology companies and telecommunications operators, outlining an operation with clear geostrategic and security implications.

The grouping, tagged by Unit 42 as CL-UNK-1068 (where "CL" stands for "cluster" and "UNK" for unknown motivation), uses a combination of custom tools, modified open-source utilities and legitimate system binaries (LOLBins) to remain in compromised environments. The research team's analysis describes a set of tactics that support both persistence and stealth, with enough evidence for the authors to assess with moderate to high confidence that the main objective is cyber-espionage. You can read the full Unit 42 report here: Unit 42 - CL-UK-1068.


As for the tooling used, the attackers mix web shells known as Godzilla and AntSword with Linux backdoors such as Xnote, as well as components such as Fast Reverse Proxy (FRP) to maintain access. Xnote, in particular, is not new to the threat ecosystem; it has been detected in the wild since the middle of the last decade and has been associated with other campaigns. For technical context on Xnote and its early detection, see this analysis: Dr. Web - Xnote, and for examples of multi-stage campaigns built around backdoors, see Trend Micro's analysis of Earth Berberoka: Trend Micro - Earth Berberoka.

The intrusion pattern described by the researchers begins with the exploitation of web servers to deploy web shells, and from there the actor moves laterally within the network. Once inside, the threat actor looks for specific files that may contain credentials or sensitive information: configuration files and binaries associated with web applications, browser histories and bookmarks, spreadsheets and MS-SQL database backups (.bak), among others. The attackers show a particular interest in the contents of the IIS web directory (C:\inetpub\wwwroot), where they typically harvest files that facilitate privilege escalation or credential collection.

One of the most striking details of the campaign is an exfiltration technique that involves no direct file transfer: the operators compress the relevant data with WinRAR, encode the resulting archive in Base64 using the certutil system binary and then print that content to the screen with the type command through the web shell. By returning the encoded file as text in the web shell's output, they avoid transferring files out of the compromised server and evade controls that block direct transfers, a rudimentary but effective approach given the access they already had to the remote console.

The careful use of legitimate tools is also remarkable. The attackers have abused Python executables ("python.exe" and "pythonw.exe") for DLL side-loading, covertly loading malicious DLLs; among the payloads observed are FRP for persistent access, utilities such as PrintSpoofer and a custom port scanner written in Go called ScanPortPlus. This mix of legitimate and custom components complicates detection by traditional solutions that base part of their strategy on blocking unknown executables.

On the reconnaissance and environment-mapping front, the group did not limit itself to public tools: since 2020 it has used a .NET utility of its own, called SuperDump, to collect host information. More recent intrusions show a transition to batch scripts that automate the cataloguing of the local system, an evolution aimed at streamlining reconnaissance ahead of the escalation or exfiltration phases.

Credential theft has been systematic and multifaceted: memory-dumping techniques with Mimikatz, hooks into the logon subsystem using LsaRecorder-like tools that intercept calls such as LsaApLogonUserEx2, and extraction of hashes and artifacts from Linux systems with forensic utilities such as DumpItForLinux and the Volatility Framework. To better understand the Windows interface being abused, Microsoft documents the LsaApLogonUserEx2 function here: LsaApLogonUserEx2 - Microsoft Docs.

In addition, tools have been observed that recover passwords stored by administrative utilities, such as those used by Microsoft SQL Server Management Studio (SSMS). These artifact-collection practices aim to obtain persistent credentials that allow lateral movement and access to sensitive data without the need to continuously exploit new vulnerabilities.

Unit 42 stresses that the campaign has been built on a base of open-source resources, community-shared malware and simple scripts, allowing the actor to sustain covert operations for long periods and adapt to the target and to the operating system under attack. The combination of common components and targeted customizations gives the attacker versatility and resilience against the blocking of individual components.

From a risk perspective, the geographical and sectoral concentration of the targets, together with the focus on credential theft and the exfiltration of critical information, makes the espionage hypothesis the most credible; still, the researchers warn that a more conventional criminal motive cannot be completely ruled out. The use of shared tools and simple techniques also opens the door for copycat actors or groups with different motivations to reuse parts of the toolkit.


For security teams and IT owners, the signals to watch for include unusual executions of certutil or other legitimate binaries in atypical contexts, the presence of web shells under public web server paths, abnormal activity in Python processes launched from web servers, and access patterns to configuration files and backups. In addition, early detection benefits from continuous file-integrity monitoring, segmentation of web-facing network segments, deployment of multifactor authentication and aggressive rotation of administrative credentials.
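As an added illustration (not code from the Unit 42 report or from this article), the following Python script applies the detection signals above to constructed process-creation events: the archive, certutil Base64 encoding and type-to-screen chain driven from a web shell, and Python executables spawned by a web server process. The event field names, the set of web server parent processes and the regexes are assumptions for this example.

```python
"""Constructed detection logic for the CL-UNK-1068 tradecraft described above.
Sample events and field names are constructed, not taken from a vendor log schema."""
import re

# Parent processes that indicate a web shell is driving the command (assumed set).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}

# (rule name, regex applied to the command line, parent restriction or None)
RULES = [
    ("rar_archive", re.compile(r"\brar(\.exe)?\s+a\b", re.I), None),
    ("certutil_encode", re.compile(r"\bcertutil(\.exe)?\s.*-encode\b", re.I), None),
    ("type_encoded_blob", re.compile(r"\btype\s+\S+\.(b64|txt)\b", re.I), WEB_SERVER_PARENTS),
    ("python_from_webserver", re.compile(r"\bpythonw?\.exe\b", re.I), WEB_SERVER_PARENTS),
]

# Stages of the "print it to the screen" exfiltration chain.
EXFIL_STAGES = ("rar_archive", "certutil_encode", "type_encoded_blob")

def classify(event):
    """Return the rule names that fire for one process-creation event."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    hits = []
    for name, pattern, parents in RULES:
        if parents is not None and parent not in parents:
            continue  # rule only applies when a web server process is the parent
        if pattern.search(event["cmdline"]):
            hits.append(name)
    return hits

def scan(events):
    """Map pid -> fired rules, keeping only events that triggered something."""
    return {e["pid"]: classify(e) for e in events if classify(e)}

def exfil_chain_present(events):
    """True when every stage of the archive -> encode -> type chain was seen."""
    seen = {hit for e in events for hit in classify(e)}
    return all(stage in seen for stage in EXFIL_STAGES)

# Constructed sample events: four driven from a web shell (parent w3wp.exe), two benign.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"pid": 1001, "parent": W3WP, "cmdline": r"cmd.exe /c rar.exe a C:\Windows\Temp\w.rar C:\inetpub\wwwroot"},
    {"pid": 1002, "parent": W3WP, "cmdline": r"certutil -encode C:\Windows\Temp\w.rar C:\Windows\Temp\w.txt"},
    {"pid": 1003, "parent": W3WP, "cmdline": r"cmd.exe /c type C:\Windows\Temp\w.txt"},
    {"pid": 1004, "parent": W3WP, "cmdline": r"C:\inetpub\wwwroot\tools\pythonw.exe"},
    {"pid": 1005, "parent": r"C:\Windows\explorer.exe", "cmdline": r"certutil -verify C:\Users\admin\cert.cer"},
    {"pid": 1006, "parent": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /c type C:\Users\admin\notes.txt"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the four web-shell-driven events, and `exfil_chain_present` is true only when all three stages of the chain appear in the same event set.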

If you want to dig deeper into the technical methodology and IoCs that Unit 42 publishes, the original report is the best starting point and provides details for response and intelligence teams: Unit 42 - CL-UK-1068. To learn more about the history of backdoors such as Xnote and related campaigns, see the historical detection analysis: Dr. Web - Xnote, and for examples of how multi-stage campaigns involving backdoors and credential theft operate, Trend Micro's work on Earth Berberoka provides useful context: Trend Micro - Earth Berberoka.

In short, this is an operation that combines home-grown and community tooling to achieve sophisticated objectives: small parts assembled with care can cause large leaks. The lesson for critical organizations is clear: it is not enough to protect against the latest exploits; we must also monitor the abuse of legitimate tools and the subtler patterns of reconnaissance and exfiltration.
