A Chinese threat actor known as CL-UNK-1068 has spent years conducting a cyber espionage campaign against high-value organizations across South, Southeast, and East Asia. By targeting critical sectors like aviation, energy, and government using a mix of custom malware and open-source tools, the group maintains persistent access to steal sensitive data and credentials.
A newly identified Chinese threat actor, designated as CL-UNK-1068, has been conducting an extensive cyber espionage campaign targeting various high-value sectors across Asia. The group has focused its efforts on industries including aviation, energy, telecommunications, and government agencies. Security researchers indicate that the primary goal of these operations is to maintain a long-term presence within the networks of these organizations to facilitate the theft of sensitive information.
The attackers use a toolkit that spans both Windows and Linux hosts. It mixes custom malware, modified open-source utilities, and living-off-the-land binaries, the last of which help the group blend into normal administrative activity. Tools identified in these attacks include the Godzilla and AntSword web shells (both open-source web shell frameworks), the Xnote Linux backdoor, and Fast Reverse Proxy (FRP), an open-source tunnelling tool. The initial compromise is the exploitation of an internet-facing web server; the web shells give the group a foothold on that server, FRP tunnels their traffic into the network, and the backdoor keeps access while they move laterally.
Once on a compromised web server, the group prioritizes collecting specific file types from the web server's directories, in particular configuration and library files, which can reveal further exploitable weaknesses or contain stored credentials such as connection strings. They also gather user data, including browser histories and bookmarks and office documents left on desktops. The actors have additionally been observed hunting for database backup files from MS-SQL servers, which give them large repositories of organizational data in a single file.
The group uses an unusual method to exfiltrate the data once it has been gathered. After packing the selected files into an archive with WinRAR, they convert the archive into Base64-encoded text using standard system commands. Rather than uploading the archive to a remote server, they issue a command through the web shell that prints the encoded text, so that it is returned to the operator in the web shell's HTTP response and can be copied from the browser. Because the data leaves over the same HTTPS session the operator is already using, and as an ordinary response rather than an outbound file transfer, it does not trip the volume-based and file-upload alerts that a conventional exfiltration would. For defenders, the practical check is on the response side: large contiguous Base64 runs returned by script paths that should never emit them, and archive or encoding utilities spawned as children of the web server process.
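The following is an added example, not code from the original report, of the response-side check described above. It scans captured HTTP response bodies for long Base64 runs, strips the PEM-style markers and 64-column line wrapping that a tool such as certutil -encode produces (an assumption about which "standard system command" was used; the detector does not depend on it), and decodes the prefix to see whether the payload is an archive. The sample responses, the web shell path and the fake RAR payload are all constructed for the demo.

```python
"""Flag Base64-encoded archives returned in HTTP response bodies.

Added example (not from the original report). Assumes response bodies are
available from a proxy/WAF capture; everything below is constructed data.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Magic bytes of archive formats an attacker would plausibly encode.
ARCHIVE_MAGIC = {
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "zip": b"PK\x03\x04",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "gzip": b"\x1f\x8b",
}

# certutil -encode wraps its output in PEM-style markers; remove them so the
# Base64 lines form one contiguous run.
PEM_MARKER = re.compile(r"-----(BEGIN|END) [A-Z ]+-----")


@dataclass
class Finding:
    path: str
    encoded_len: int          # Base64 characters after unwrapping
    decoded_len: int          # bytes the run decodes to
    archive_type: Optional[str]   # key of ARCHIVE_MAGIC, or None


def classify(blob: bytes) -> Optional[str]:
    """Return the archive type whose magic bytes start the blob, if any."""
    for name, magic in ARCHIVE_MAGIC.items():
        if blob.startswith(magic):
            return name
    return None


def scan_body(path: str, body: str, min_b64_chars: int = 1024) -> List[Finding]:
    """Report every Base64 run of at least min_b64_chars in one response body."""
    text = PEM_MARKER.sub("", body)
    # Allow CR/LF inside the run so 64-column wrapped output is one match.
    run_re = re.compile(r"[A-Za-z0-9+/\r\n]{%d,}={0,2}" % min_b64_chars)
    findings = []
    for m in run_re.finditer(text):
        clean = re.sub(r"\s+", "", m.group(0))
        clean = clean[: len(clean) - len(clean) % 4]   # drop a partial quartet
        if len(clean) < min_b64_chars:
            continue
        try:
            decoded = base64.b64decode(clean, validate=True)
        except binascii.Error:
            continue
        findings.append(Finding(path, len(clean), len(decoded), classify(decoded)))
    return findings


def scan_all(responses: List[Tuple[str, str]], min_b64_chars: int = 1024) -> List[Finding]:
    out: List[Finding] = []
    for path, body in responses:
        out.extend(scan_body(path, body, min_b64_chars))
    return out


def archive_findings(responses: List[Tuple[str, str]], min_b64_chars: int = 1024) -> List[Finding]:
    """Only the runs that decode to a known archive: the exfil-like ones."""
    return [f for f in scan_all(responses, min_b64_chars) if f.archive_type]


def _certutil_style(raw: bytes) -> str:
    """Mimic certutil -encode output: PEM markers, 64-char lines, CRLF."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines) + "\r\n-----END CERTIFICATE-----\r\n"


# Constructed RAR5-like payload: real signature, filler body (about 4 KB).
FAKE_RAR = ARCHIVE_MAGIC["rar5"] + bytes(range(256)) * 16

# Constructed sample responses (path, body). The web shell path is hypothetical.
SAMPLE_RESPONSES = [
    # Benign page with a short inline image: below the threshold, not flagged.
    ("/index.html",
     "<html><img src='data:image/png;base64,"
     + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40).decode() + "'></html>"),
    # Web shell echoing the encoded archive back to the operator.
    ("/uploads/img.aspx", "<pre>" + _certutil_style(FAKE_RAR) + "</pre>"),
    # Large Base64 that is not an archive (embedded font): reported, but not exfil-like.
    ("/assets/font.css",
     "src:url(data:font/woff;base64," + base64.b64encode(b"wOFF" + b"\x01" * 3000).decode() + ")"),
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_RESPONSES):
        print(f"{f.path}: {f.encoded_len} b64 chars (~{f.decoded_len} bytes) -> {f.archive_type or 'not an archive'}")
```

Only the prefix needs to decode for classification, but decoding the whole run is cheap and gives an accurate byte count to compare against the host's file sizes. In production the threshold and an allow-list of paths that legitimately emit large Base64 (fonts, inline images, API blobs) keep the noise down; a run that decodes to an archive from a script path is the signal worth paging on.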
This activity has been linked to broader patterns of Chinese state-sponsored hacking and shares similarities with groups such as Earth Berberoka. By pairing widely available web shells with backdoors that have been in use for nearly a decade, CL-UNK-1068 shows how readily existing tools can be adapted to a specialized espionage mission, and its cross-platform approach lets it compromise a wide variety of infrastructure across the region.
Source: Web Server Exploits And Mimikatz Used In Attacks On Asian Critical Infrastructure