Unit 42 describes CL-UNK-1068 as a cluster of activity that went undetected and dates back to at least 2020, targeting high-value organisations across South, Southeast and East Asia, with a focus on sectors including aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications.
The threat is attributed to a Chinese threat actor with high confidence, based on tool origins, linguistic artifacts in configuration files and consistent targeting of critical infrastructure in Asia; the attribution is framed according to Unit 42’s attribution framework. The attackers employ a versatile toolkit across Windows and Linux, using open-source utilities, community-shared malware and batch scripts, and have deployed web shells such as GodZilla and AntSword to gain initial access and move laterally.
They exfiltrate configuration files and sensitive data, and have used techniques such as DLL side-loading via legitimate Python executables, FRP for tunneling, and custom tools such as ScanPortPlus and Xnote, some variants of which also provide DDoS capabilities. The report notes a long-running, espionage-leaning objective, while acknowledging cybercrime motivations and extortion as possible secondary considerations.