A Chinese-speaking threat actor has been operating against critical infrastructure sectors across Asia for several years. Tracked as CL-UNK-1068 by Palo Alto Networks’ Unit 42, the group uses a combination of custom software, open-source tools, and living-off-the-land binaries (LOLBins) across both Windows and Linux environments.
According to a recent report by Unit 42, CL-UNK-1068 has focused on aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications organizations in South, Southeast, and East Asia since at least 2020.
"Using primarily open source tools, community-shared malware, and batch scripts, the group has successfully maintained stealthy operations while infiltrating critical organizations," noted Unit 42 researcher Tom Fakterman.
The group typically gains initial access by targeting vulnerabilities in web servers and deploying web shells, including GodZilla and variations of AntSword. Once established, the threat actors use these interfaces to move laterally to additional hosts and SQL servers.
The primary objectives of these operations appear to be credential theft and the exfiltration of sensitive data. Unit 42 links the activity to a Chinese-speaking group based on language artifacts, tool origins, and "their consistent, long-standing targeting of critical infrastructure in Asia." While the focus strongly points to espionage, researchers note they "cannot yet fully rule out cybercriminal intention."
Cross-platform operations and toolsets
The group demonstrates high versatility, operating smoothly across Windows and Linux by "using different versions of their tool set for each operating system." After gaining unauthorized access, the actor conducts reconnaissance and privilege escalation.
CL-UNK-1068 extracts credentials using memory-dumping utilities like Mimikatz and LsaRecorder. They also utilize DumpIt, a free multiplatform forensics tool, alongside the Volatility Framework to retrieve password hashes from memory. Another core component of their toolkit is ScanPortPlus, a custom Go-based network scanner compiled for both Linux and Windows.
To maintain persistence while evading detection, the actor relies heavily on DLL side-loading through legitimate Python executables: a malicious DLL is placed where a signed, trusted Python interpreter will load it, so the actor's code executes inside a process that allow-lists and analysts tend to trust. For command-and-control (C2) and network routing, the group deploys modified versions of Fast Reverse Proxy (FRP) and occasionally installs the Xnote Linux backdoor.
Defending against persistent infrastructure threats
While Unit 42 has not definitively attributed the group to a specific known entity, the targeting aligns with other well-documented state-sponsored campaigns, such as Salt Typhoon's operations against US telecommunications and the APT41 spinoff "Silver Dragon" recently observed by Check Point in Asia.
To protect against these advanced persistent threats, Unit 42 recommends that security teams monitor for specific behavioral anomalies. Organizations should look for the misuse of legitimate Python binaries for side-loading, the presence of unauthorized tunneling tools like FRP, and the execution of custom reconnaissance batch scripts.
Fakterman advises defenders to actively scan for credential-dumping utilities like Mimikatz, inspect unusual RAR compression and Base64 encoding activity, harden internet-facing web servers, and continuously monitor for web shell deployments. To support these defensive efforts, the Unit 42 report provides a comprehensive list of indicators of compromise (IoCs) that organizations can integrate into their detection pipelines.