
Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack

· Published 29/10/2025 12:35 · Modified 29/10/2025 18:36


Essential information

Tags
2025-10-29 airstalk nation-state supply-chain
Related entities
6 observables, 1 intrusion sets (apt), 13 techniques (mitre), 1 malware, 3 others

Description

A new Windows-based malware family called Airstalk has been discovered, available in PowerShell and .NET variants. It is believed to be used by a suspected nation-state threat actor in a supply chain attack. Airstalk misuses the AirWatch mobile device management (MDM) API to establish covert command-and-control (C2) communications. The malware can exfiltrate sensitive browser data, including cookies, browsing history, and bookmarks. The .NET variant shows more advanced capabilities, including a multi-threaded C2 protocol, versioning, and signed binaries. The threat actor, tracked as CL-STA-1009, likely targeted business process outsourcing (BPO) companies in order to gain access to multiple downstream organizations. The malware's evasion techniques and adaptive nature pose a significant threat, particularly in third-party vendor environments.

External references