216.73.216.86

An Investigation Into Years of Undetected Operations Targeting High-Value Sectors

· Published 06/03/2026 15:06 · Modified 09/03/2026 09:30

Export JSON

Essential information

Published
06/03/2026 15:06
Modified
09/03/2026 09:30
Tags
2026-03-06 antsword cyberespionage fast reverse proxy godzilla scanportplus sliver superdump xnote
Related entities
3 vulnerabilities (cve), 34 observables, 1 intrusion sets (apt), 10 techniques (mitre), 7 malware, 7 others

Description

Since 2020, a Chinese threat actor dubbed CL-UNK-1068 has been targeting high-value organizations across South, Southeast and East Asia, focusing on critical sectors like aviation, energy, government, and telecommunications. The group employs a diverse toolkit including custom malware, modified open-source utilities, and living-off-the-land binaries to maintain stealthy persistence. Their techniques involve web shell deployment, DLL side-loading attacks, and credential theft. The attackers exfiltrate sensitive data, including configuration files and database backups. While primarily assessed as an espionage operation, cybercriminal motivations cannot be fully ruled out. The activity demonstrates sophisticated cross-platform capabilities, targeting both Windows and Linux environments.

External references