Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
A new Windows-based malware family called Airstalk has been discovered, available in PowerShell and .NET variants. It is believed to be used by a nation-state threat actor in a supply chain attack. Airstalk misuses the AirWatch API for mobile device management to establish covert command-and-control communications. The malware can exfiltrate sensitive browser data, including cookies, browsing history, and bookmarks. The .NET variant shows more advanced capabilities, including multi-threaded C2 protocol, versioning, and signed binaries. The threat actor, tracked as CL-STA-1009, likely targeted business process outsourcing companies to gain access to multiple organizations. The malware's evasion techniques and adaptive nature pose a significant threat, particularly in third-party vendor environments.
OPENCTI LABELS:
nation-state,supply chain,airstalk
AI COMMENTARY:
1. Suspected Nation-State Supply Chain Breach Overview
A recent intelligence report has revealed that a suspected nation-state threat actor has deployed a new Windows-based malware known as Airstalk in a sophisticated supply chain attack targeting business process outsourcing companies. This adversary leveraged trusted relationships between third-party vendors and their enterprise clients to introduce the malware into multiple corporate environments without immediate detection.

2. Discovery of Airstalk and Malware Variants
Security researchers identified two distinct variants of Airstalk, implemented in PowerShell and .NET. The initial PowerShell loader demonstrated basic command execution and data collection capabilities, while the .NET variant exhibited a hardened architecture. Both variants share a common goal of establishing clandestine communications with a remote control infrastructure operated by the threat actor.

3. Covert Command and Control via AirWatch API
Airstalk distinguishes itself by abusing the AirWatch API, a legitimate mobile device management interface, to relay instructions and exfiltrate stolen data. By masquerading its network traffic as routine MDM queries and updates, the malware evades perimeter defenses and blends in with legitimate enterprise management operations. This misuse of the AirWatch API provides the adversary with resilient covert channels that can bypass traditional network monitoring tools.

4. Exfiltration of Sensitive Browser Data
Once resident on an infected system, Airstalk systematically harvests sensitive browser artifacts, including cookies, browsing history, and bookmarks. The collected data often contains authentication tokens, session identifiers, and user preferences that facilitate further lateral movement or targeted phishing campaigns. By focusing on browser data, the actor gains a rich source of intelligence that can unlock access to web-based services and internal dashboards.

5. Advanced .NET Capabilities and Evasion
The .NET variant of Airstalk introduces sophisticated features such as a multi-threaded command-and-control protocol, version management, and digitally signed binaries to avoid detection. Its modular design allows the actor to deliver updates and plugins dynamically, adapting to defensive measures in real time. The use of code signing and protocol versioning complicates reverse engineering and signature-based detection, enabling the malware to persist undetected for extended periods.

6. CL-STA-1009: A Nation-State Threat Actor
Threat intelligence analysts have tracked the group behind Airstalk under the designation CL-STA-1009. Indicators point to a nation-state sponsor motivated by strategic espionage objectives rather than financial gain. By compromising business process outsourcing firms, CL-STA-1009 gains footholds in multiple organizations simultaneously, maximizing the impact of each successful intrusion and amplifying its ability to harvest sensitive corporate and personal data.

7. Supply Chain Risks to Third-Party Vendors
The Airstalk campaign underscores the heightened risks inherent in modern supply chains, where a breach of a single vendor can cascade across numerous downstream partners. Organizations relying on external managed services must recognize that attackers will exploit any trusted relationship to bypass traditional defenses. Comprehensive vendor assessments, strict access controls, and continuous monitoring of third-party integrations are essential to mitigate the threat of supply chain compromises.

8. Defensive Measures and Best Practices
To defend against Airstalk and similar nation-state supply chain threats, enterprises should implement a layered security approach that includes robust endpoint protection, zero-trust network segmentation, and anomaly detection focused on unusual AirWatch API traffic patterns. Regular code integrity checks for signed binaries, stringent credential hygiene, and threat hunting exercises tailored to detect multi-threaded C2 activity will further reduce the risk. Collaboration with vendors to ensure transparent logging and rapid incident response capabilities remains a critical component of an effective defense posture.