Chinese Threat Actor CL-UNK-1068 Targets Asian Critical Infrastructure Across Seven Sectors in Years-Long Espionage Campaign

Palo Alto Networks Unit 42 has disclosed a years-long espionage campaign by a previously undocumented Chinese threat group designated CL-UNK-1068 targeting high-value organizations across seven critical infrastructure sectors in South, Southeast, and East Asia.

The campaign, assessed with moderate-to-high confidence as cyber espionage, targets aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors using a versatile toolkit spanning both Windows and Linux environments.

Attack Methodology

CL-UNK-1068 gains initial access by exploiting web servers to deploy web shells, then moves laterally across victim networks using a combination of custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs).

Typical attack chains proceed through:

  1. Web server exploitation — deploys Godzilla and ANTSWORD web shells for persistent command execution
  2. File harvesting — steals web server configuration files (web.config, .aspx, .asmx, .asax, .dll) from IIS directories to discover credentials and vulnerabilities
  3. Data collection — targets browser history and bookmarks, Excel and CSV files from desktops and user directories, and database backup files from MS-SQL servers
  4. Lateral movement — pivots through compromised networks using legitimate tools and custom scanners

Novel Exfiltration Technique

In cases where the web shell allowed command execution and output viewing but not direct file transfer, CL-UNK-1068 employed a creative workaround:

  • Archive target files using WinRAR
  • Base64-encode the archives using certutil -encode
  • Print the encoded content to screen using the type command through the web shell

This allowed the attackers to exfiltrate data as text output without ever uploading files — bypassing file transfer restrictions entirely.

Cross-Platform Toolkit

The group operates across Windows and Linux with tailored toolsets for each:

Web shells: Godzilla and ANTSWORD for persistent server access

Backdoors: Xnote — a Linux backdoor active since 2015, previously associated with Earth Berberoka (GamblingPuppet)

Tunneling: Fast Reverse Proxy (FRP) deployed via DLL sideloading through legitimate Python executables (python.exe, pythonw.exe) for persistent access

Scanning: ScanPortPlus — a custom Go-based network scanner for internal reconnaissance

Reconnaissance: SuperDump — a custom .NET tool used for host enumeration dating back to 2020, recently supplemented by batch scripts for host information collection and environment mapping

Privilege escalation: PrintSpoofer for Windows privilege escalation

Extensive Credential Theft Arsenal

CL-UNK-1068 deploys a wide range of credential harvesting tools:

  • Mimikatz — dumps passwords from memory
  • LsaRecorder — hooks LsaApLogonUserEx2 to capture WinLogon passwords in real time
  • DumpItForLinux + Volatility Framework — extracts password hashes from Linux memory
  • SQL Server Management Studio Password Export Tool — extracts SSMS connection credentials from sqlstudio.bin

The breadth of credential theft tooling — spanning Windows memory, Linux memory, live logon hooking, and database management credentials — indicates systematic efforts to gain the deepest possible access to victim environments.

Attribution Context

While formally designated as "unknown motivation," the targeting of critical infrastructure and government sectors, combined with the focus on credential theft and sensitive data exfiltration, strongly suggests espionage. The toolset overlaps with that of multiple Chinese hacking groups — Godzilla, ANTSWORD, Xnote, and FRP are all commonly used across China-nexus threat activity.

Unit 42 notes the group has maintained stealthy operations for years using primarily open-source tools and community-shared malware, demonstrating that sophisticated espionage campaigns don't require custom zero-days — just patience, persistence, and operational discipline.

Defender Recommendations

  • Harden web servers — patch internet-facing web servers promptly and monitor for web shell deployment, particularly Godzilla and ANTSWORD indicators
  • Monitor for certutil abuse — flag certutil -encode execution followed by type commands as a potential exfiltration indicator
  • Detect DLL sideloading via Python — alert on python.exe or pythonw.exe loading unsigned DLLs, particularly FRP components
  • Hunt for credential theft tools — monitor for Mimikatz, PrintSpoofer, and LsaRecorder artifacts across Windows endpoints
  • Protect database credentials — audit access to sqlstudio.bin and restrict SQL Server Management Studio credential storage
  • Monitor Linux environments equally — CL-UNK-1068 operates across both OS families; ensure Linux servers receive the same threat hunting attention as Windows
  • Audit IIS directories — watch for unauthorized access to c:\inetpub\wwwroot and bulk reads of configuration files
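Detection logic for the certutil -encode / type read-out chain described in the exfiltration section and flagged in the recommendations above, as an added example that is not from the Unit 42 report: it correlates process-creation records and rates a chain higher when the parent is a web server worker such as w3wp.exe, which is an assumption about how the web shell spawns commands. All host names, paths and timestamps are constructed.

```python
# Added example, not from the Unit 42 report: correlate Windows process-creation events
# to surface the "certutil -encode, then type" read-out chain. All sample data is constructed.
from dataclasses import dataclass
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}   # assumed web server worker images

@dataclass
class ProcEvent:
    ts: int        # event time in seconds (constructed)
    host: str
    parent: str    # parent image, e.g. w3wp.exe for an IIS worker hosting a web shell
    cmdline: str   # command line of the created process

def _tokens(cmdline):
    return [t.strip('"').lower() for t in cmdline.split()]

def encode_output(ev):
    """Output path of a 'certutil -encode <in> <out>' command line, else None."""
    t = _tokens(ev.cmdline)
    if any("certutil" in tok for tok in t) and "-encode" in t[:-2]:
        return t[t.index("-encode") + 2]
    return None

def typed_file(ev):
    """Path read to stdout by 'type <file>' (or 'more <file>'), else None."""
    t = _tokens(ev.cmdline)
    hits = [t[i + 1] for i, tok in enumerate(t[:-1]) if tok in ("type", "more")]
    return hits[0] if hits else None

def find_exfil_chains(events, window=900):
    """Pair each certutil -encode with a later read-out of its output file on the same host."""
    findings, pending = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        out = encode_output(ev)
        if out:
            pending.append((ev, out))
            continue
        path = typed_file(ev)
        for enc, enc_out in pending:
            if path == enc_out and ev.host == enc.host and 0 <= ev.ts - enc.ts <= window:
                from_web = {enc.parent.lower(), ev.parent.lower()} & WEB_WORKERS
                findings.append({"host": ev.host, "file": path, "encode_ts": enc.ts,
                                 "readout_ts": ev.ts, "severity": "high" if from_web else "medium"})
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not indicators from the report
    ProcEvent(1000, "web01", "w3wp.exe", r"cmd.exe /c certutil -encode C:\Windows\Temp\out.rar C:\Windows\Temp\out.txt"),
    ProcEvent(1040, "web01", "w3wp.exe", r"cmd.exe /c type C:\Windows\Temp\out.txt"),
    ProcEvent(2000, "admin01", "explorer.exe", r"certutil.exe -encode cert.cer cert.b64"),  # no read-out
    ProcEvent(2100, "admin01", "explorer.exe", r"cmd.exe /c type readme.txt"),             # unrelated file
]
```

Matching on the exact output path rather than on certutil alone keeps legitimate certificate encoding from triggering; the window and the web-worker parent list are tunables for your own telemetry.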
