{
  "name": "Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack",
  "slug": "suspected-nation-state-threat-actor-uses-new-airstalk-malware-in-a-supply-chain-attack",
  "description": "A new Windows-based malware family called Airstalk has been discovered, observed in both PowerShell and .NET variants. It is believed to have been used by a nation-state threat actor in a supply chain attack. Airstalk abuses the legitimate AirWatch mobile device management (MDM) API as a covert command-and-control (C2) channel, so that its C2 traffic blends in with expected MDM API traffic (see T1102.002). The malware can exfiltrate sensitive browser data, including cookies, browsing history, and bookmarks. The .NET variant shows more advanced capabilities, including a multi-threaded C2 protocol, versioning, and code-signed binaries. The threat actor, tracked as CL-STA-1009, likely targeted business process outsourcing (BPO) companies as a foothold to reach the many client organizations they serve. The malware's evasion techniques and adaptive nature pose a significant threat, particularly in third-party vendor environments where outbound traffic to MDM endpoints is routinely expected.",
  "published": "2025-10-29T11:35:47+00:00",
  "created_at": "2025-10-29T11:35:47+00:00",
  "modified_at": "2025-10-29T17:36:31+00:00",
  "created_at_opencti": "2025-10-29T11:35:47+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-29",
    "airstalk",
    "nation-state",
    "supply-chain"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "dfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533"
      },
      {
        "id": "",
        "name": "b6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b"
      },
      {
        "id": "",
        "name": "4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5"
      },
      {
        "id": "",
        "name": "3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5"
      },
      {
        "id": "",
        "name": "1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5"
      },
      {
        "id": "",
        "name": "0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:5a1fa81117d392c0",
        "name": "Airstalk",
        "slug": "airstalk"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9be31891-6ace-4a32-aae5-24ad968cba01",
        "name": "CL-STA-1009",
        "slug": "cl-sta-1009"
      }
    ],
    "attack_patterns": [
      {
        "id": "ee82762a-2958-4901-aade-341277d9b410",
        "name": "T1078.004"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "6a146066-5a78-493c-a26a-133b62c1149e",
        "name": "T1588.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "743d2e0c-e5d5-4ccb-a6bd-0035c4e88c37",
        "name": "T1176"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk",
    "https://otx.alienvault.com/pulse/69020a23f92a6a4f07b76acb"
  ]
}