Full Report
High-value organizations located in South, Southeast, and East Asia have been targeted by a Chinese threat actor as part of a years-long campaign. The activity, which has targeted aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors, has been attributed by Palo Alto Networks Unit 42 to a previously undocumented threat activity group dubbed
Analysis Summary
# Threat Actor: CL-UNK-1068
## Attribution & Identity
* **Actor Name:** CL-UNK-1068 (Cluster Unknown 1068)
* **Origin:** China (attributed with moderate-to-high confidence)
* **Associated Groups:** Linked via shared tooling to **Earth Berberoka** (aka **GamblingPuppet**).
* **Motivation:** Cyber Espionage (assessed with moderate-to-high confidence).
## Activity Summary
CL-UNK-1068 is a previously undocumented threat actor involved in a years-long campaign targeting high-value organizations across Asia. The group is known for long-term persistence, using a mix of custom malware, modified open-source tools, and living-off-the-land binaries (LOLBINs) to conduct espionage and data exfiltration.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of vulnerable web servers to deploy web shells.
* **Execution & Persistence:**
  * DLL side-loading using legitimate Python executables (`python.exe`, `pythonw.exe`).
  * Deployment of Linux backdoors (Xnote) and web shells (Godzilla, ANTSWORD).
* **Credential Access:**
  * Dumping passwords from memory via Mimikatz.
  * Hooking `LsaApLogonUserEx2` to record WinLogon passwords via LsaRecorder.
  * Targeting `web.config` and database backup files (`.bak`) for credentials.
* **Lateral Movement/Discovery:**
  * Batch scripts for host reconnaissance and environment mapping.
  * Port scanning via a custom Go-based tool (ScanPortPlus).
* **Exfiltration:**
  * **Data Staging:** Archiving files using WinRAR.
  * **"Screen Printing" Exfiltration:** Encoding archives to Base64 via `certutil -encode`, then using the `type` command to print the text output to the web shell interface, allowing data theft without a direct file transfer. [T1041] [T1132.001]
## Targeting
* **Sectors:** Aviation, Energy, Government, Law Enforcement, Pharmaceutical, Technology, and Telecommunications.
* **Geography:** South Asia, Southeast Asia, and East Asia.
* **Victims:** High-value organizations and critical infrastructure providers.
## Tools & Infrastructure
* **Web Shells:** Godzilla, ANTSWORD.
* **Backdoors/C2:**
  * **Xnote:** Linux-based backdoor (active since 2015).
  * **Fast Reverse Proxy (FRP):** For persistent access and tunneling.
* **Credential/Recon Tools:**
  * **Mimikatz:** Credential harvester.
  * **LsaRecorder:** Password recorder.
  * **DumpItForLinux:** Memory dumping.
  * **SuperDump:** Custom .NET reconnaissance tool (used since 2020).
  * **ScanPortPlus:** Custom Go-based port scanner.
  * **PrintSpoofer:** Privilege escalation tool.
## Implications
This actor demonstrates a high level of operational maturity, evidenced by their ability to remain undetected for several years. Their use of "screen-printing" for exfiltration bypasses traditional network monitoring that looks for outbound file transfers. The focus on critical infrastructure and high-tech sectors suggests a strategic intent to acquire intellectual property and state secrets to benefit Chinese interests.
## Mitigations
* **Web Server Hardening:** Regularly patch internet-facing web servers and audit the `C:\inetpub\wwwroot` directory for unauthorized web shells.
* **Monitor LOLBINs:** Alert on unusual executions of `certutil.exe` (specifically with the `-encode` flag) and of the `type` command when either is invoked by web server service accounts.
* **Endpoint Detection:** Implement EDR rules to detect DLL side-loading via `python.exe` and `pythonw.exe`.
* **Identity Security:** Monitor for unauthorized use of `Mimikatz` and suspicious hooks into LSA processes.
* **Network Auditing:** Identify and block unauthorized reverse proxy traffic (e.g., FRP) at the network perimeter.
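The LOLBIN-monitoring mitigation above can be turned into a concrete detection: rather than alerting on every `certutil -encode`, correlate the full staging, encode and `type` sequence under a web server worker process on one host. The following is an added example (not code from the report or from Unit 42) that runs over constructed Sysmon-style process-creation records; the web worker process names in `WEB_PARENTS` and the field layout are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (not from the report). Host web01 reproduces the
# archive -> certutil -encode -> type sequence; admin01 is a benign certutil use.
SAMPLE_EVENTS = [
    {"ts": 0, "host": "web01", "parent": "w3wp.exe",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmd": r"Rar.exe a C:\Windows\Temp\d.rar C:\inetpub\data"},
    {"ts": 5, "host": "web01", "parent": "w3wp.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -encode C:\Windows\Temp\d.rar C:\Windows\Temp\d.txt"},
    {"ts": 9, "host": "web01", "parent": "w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c type C:\Windows\Temp\d.txt"},
    {"ts": 20, "host": "admin01", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -encode C:\Users\bob\cert.cer C:\Users\bob\cert.b64"},
]

# Assumed worker process names for common web servers; tune to your environment.
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}

def classify(ev):
    """Tag one event if it is a suspicious LOLBIN use under a web worker, else None."""
    if ev["parent"].lower() not in WEB_PARENTS:
        return None                      # only web service account lineage is of interest
    image = ntpath.basename(ev["image"]).lower()
    args = ev["cmd"].lower().split()
    if image in ("rar.exe", "winrar.exe"):
        return "archive_staging"
    if image == "certutil.exe" and "-encode" in args:
        return "certutil_encode"
    if image == "cmd.exe" and "type" in args:
        return "type_screen_print"
    return None

ORDER = ["archive_staging", "certutil_encode", "type_screen_print"]

def detect_chains(events, window=300):
    """Return hosts where the full sequence occurs in order within `window` seconds."""
    tagged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            tagged[ev["host"]].append((ev["ts"], tag))
    hits = []
    for host, items in tagged.items():
        idx, start = 0, None
        for ts, tag in items:
            if tag == ORDER[idx]:
                start = ts if idx == 0 else start
                idx += 1
                if idx == len(ORDER):
                    if ts - start <= window:
                        hits.append(host)
                    break
    return hits
```

Individual tags from `classify` are still worth logging at low severity; the ordered chain from `detect_chains` is the high-confidence alert.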