An unattributed Chinese-speaking threat actor is waging long-running cyberespionage against critical Asian infrastructure, using a mix of custom malware, open source tools, and living-off-the-land binaries across Windows and Linux. The threat cluster, tracked as CL-UNK-1068, has targeted aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications organisations across South, Southeast, and East Asia since at least 2020, according to Unit 42.
Attackers gain initial access by exploiting Web servers and deploying Web shells, including the GodZilla Web shell and a variant of AntSword, then move laterally to additional hosts and SQL servers. Their activities aim at credential theft and the exfiltration of sensitive data; Unit 42 links the cluster to China based on language, tools, and targeting patterns.
CL-UNK-1068’s toolkit spans Mimikatz, LsaRecorder, and DumpIt paired with the Volatility Framework to extract password hashes, plus ScanPortPlus, a custom Go-based network scanner built for both Linux and Windows. To maintain persistence and evade detection, the group employs DLL side-loading via legitimate Python binaries and deploys tools such as FRP and the Xnote Linux backdoor.
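Two of the behaviours described above, a Web shell executing commands under the Web server's worker process and a legitimate Python binary side-loading a DLL, are visible in ordinary endpoint telemetry. The script below is an added illustration, not code from Unit 42 or from the report: it runs two simple heuristics over constructed, Sysmon-style process-create and image-load records. The process and directory lists it keys on are assumptions to tune for a given estate, and the side-loading rule (python.exe loading an unsigned DLL from outside a known Python install root) is a heuristic, not the detection logic the report describes.

```python
"""Heuristic triage of Sysmon-like events for two behaviours in the article:
a Web-server worker spawning a shell (Web shell activity) and python.exe loading
an unsigned DLL from an unexpected directory (DLL side-loading).
All events below are constructed sample data, not real telemetry."""
import ntpath
from dataclasses import dataclass

# Assumed process lists; extend for the Web servers and LOLBins in your estate.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe", "certutil.exe"}
PYTHON_HOSTS = {"python.exe", "pythonw.exe"}


@dataclass
class Event:
    """Minimal Sysmon-like record: event_id 1 = ProcessCreate, 7 = ImageLoad."""
    event_id: int
    image: str          # parent process (id 1) or loading process (id 7)
    target: str         # child image (id 1) or loaded DLL path (id 7)
    signed: bool = True # Sysmon 'Signed' field; only meaningful for id 7


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def under_known_python_root(directory: str) -> bool:
    """Assumed locations of a genuine Python install."""
    d = directory.lower()
    return d.startswith(("c:\\program files\\python", "c:\\python")) or \
        "\\appdata\\local\\programs\\python\\" in d


def is_webshell_spawn(ev: Event) -> bool:
    """Web-server worker process spawning an interactive shell or recon LOLBin."""
    return ev.event_id == 1 and base(ev.image) in WEB_WORKERS and base(ev.target) in SHELLS


def is_python_sideload(ev: Event) -> bool:
    """python.exe loading an UNSIGNED DLL from a directory that is not a known
    Python install root: the shape of a staged, legitimate python.exe pulling in
    a malicious look-alike runtime DLL dropped beside it."""
    if ev.event_id != 7 or base(ev.image) not in PYTHON_HOSTS or ev.signed:
        return False
    return not under_known_python_root(ntpath.dirname(ev.target))


def triage(events):
    """Return (rule_name, detail) for every event that trips a heuristic."""
    hits = []
    for ev in events:
        if is_webshell_spawn(ev):
            hits.append(("webshell_spawn", f"{ev.image} -> {ev.target}"))
        elif is_python_sideload(ev):
            hits.append(("python_sideload", f"{ev.image} loaded unsigned {ev.target}"))
    return hits


# Constructed sample events: two benign, three that should trip a rule.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe"),
    # ASP.NET compiling a page is normal and must not fire.
    Event(1, r"C:\Windows\System32\inetsrv\w3wp.exe",
          r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"),
    # A real install loading its own signed runtime DLL must not fire.
    Event(7, r"C:\Program Files\Python311\python.exe",
          r"C:\Program Files\Python311\python311.dll", signed=True),
    # Staged copy of python.exe loading an unsigned look-alike DLL beside it.
    Event(7, r"C:\Users\Public\Libraries\python.exe",
          r"C:\Users\Public\Libraries\python311.dll", signed=False),
    Event(1, r"C:\Apache24\bin\httpd.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Both rules are deliberately narrow so they can be tuned: the side-loading rule keys on the Sysmon `Signed` field and on the DLL's directory rather than its name, because a side-loaded DLL usually carries exactly the name the host expects (here `python311.dll`), so a name-based allow list would miss it. In a real deployment the Web-worker rule should also be widened to the Linux side (a `java` or `httpd` process forking `sh`) since the cluster operates on both platforms.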