According to Palo Alto Networks Unit 42, high-value organisations in South, Southeast and East Asia have been targeted in a years-long campaign by a Chinese threat actor, with the activity attributed to a previously undocumented group dubbed CL-UNK-1068.
The attackers have pursued cyber espionage objectives across the aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications sectors, using a multi-faceted toolset that includes custom malware, modified open-source utilities and living-off-the-land binaries (LOLBINs) to maintain a persistent presence.
The campaign targets both Windows and Linux environments, leveraging web shells, LOLBINs and tools such as Godzilla, ANTSWORD, Xnote and FRP, alongside credential-theft and data-exfiltration capabilities that rely on Mimikatz and related utilities. CL-UNK-1068 has also used a range of other credential-theft tools (LsaRecorder, DumpItForLinux, Volatility and SSMS Password Export Tool) to extract password data and other sensitive information from compromised hosts.
Notably, the group has demonstrated novel exfiltration techniques, encoding archives with Base64 and printing them to screen via the web shell to avoid direct file transfers.
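As an added defensive example (not code from the Unit 42 report), the following detector targets the exfiltration pattern just described: it scans a captured HTTP response body for wrapped Base64 runs, decodes them and flags any that carry an archive signature, so that an archive "printed to screen" through a web shell stands out even though no file transfer took place. The web page and the archives it carries are constructed samples.

```python
import base64
import binascii
import gzip
import io
import re
import zipfile

# (offset, signature) of common archive formats, checked on decoded data.
ARCHIVE_MAGIC = {"zip": (0, b"PK\x03\x04"), "gzip": (0, b"\x1f\x8b"),
                 "7z": (0, b"7z\xbc\xaf\x27\x1c"), "rar": (0, b"Rar!\x1a\x07"),
                 "tar": (257, b"ustar")}
# A Base64 run: several lines of 40+ alphabet chars (`base64` wraps at 76
# columns), an optional shorter last line and up to two padding chars.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{40,}\s*){4,}[A-Za-z0-9+/]*={0,2}")

def find_encoded_archives(body: bytes):
    """Return (format, decoded_size) for each Base64 run in an HTTP response
    body that decodes to data carrying an archive signature."""
    hits = []
    for m in B64_RUN.finditer(body):
        raw = re.sub(rb"\s+", b"", m.group(0))
        raw += b"=" * (-len(raw) % 4)  # tolerate stripped padding
        try:
            blob = base64.b64decode(raw, validate=True)
        except binascii.Error:
            continue
        for name, (off, sig) in ARCHIVE_MAGIC.items():
            if blob[off:off + len(sig)] == sig:
                hits.append((name, len(blob)))
                break
    return hits

def wrap_in_page(blob: bytes) -> bytes:
    """Constructed sample: a web shell page that prints blob as wrapped Base64."""
    return b"<html><body><pre>" + base64.encodebytes(blob) + b"</pre></body></html>"

def sample_zip() -> bytes:
    """Constructed ZIP archive standing in for a staged data archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("export.txt", "sample record\n" * 40)
    return buf.getvalue()

def sample_gzip() -> bytes:
    """Constructed gzip blob from a low-compressibility 512-byte payload."""
    return gzip.compress(bytes(range(256)) * 2)
```

Run over proxy or web-server response captures, a hit on a path that should only serve HTML is a strong indicator of this exfiltration channel; pair it with the response size to prioritise large decoded archives.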