An Investigation Into Years of Undetected Operations Targeting High-Value Sectors

March 9, 2026, 9:30 a.m.

Description

Since 2020, a Chinese threat actor dubbed CL-UNK-1068 has been targeting high-value organizations across South, Southeast and East Asia, focusing on critical sectors such as aviation, energy, government, and telecommunications. The group employs a diverse toolkit of custom malware, modified open-source utilities, and living-off-the-land binaries to maintain stealthy persistence. Its techniques include web shell deployment, DLL side-loading, and credential theft. The attackers exfiltrate sensitive data, including configuration files and database backups. While the activity is primarily assessed as an espionage operation, cybercriminal motivations cannot be fully ruled out. The activity demonstrates cross-platform capability, targeting both Windows and Linux environments.

Date

  • Created: March 6, 2026, 3:06 p.m.
  • Published: March 6, 2026, 3:06 p.m.
  • Modified: March 9, 2026, 9:30 a.m.

Indicators

  • 5c986203242e2ed25458b0606ee7be57070f6d66b7472b453d92b1b6786443bd
  • d8378cf105146217e6ded438187c4ea0edcadb6cf27f5eeddda3fd80cce76d72
  • ce20c033dcadf17d9cca325869f946efdd82ab0756fa56e262b6f573252d457c
  • d6ed94589b0e6a7c3e1a6052e18f3962ca78c385c78036972d5ea72c07a5772c
  • 26483f0886078cc9f5f9912d3ffce1301e297b435920ab1c86c9107bbdce4db2
  • 8a3345f0d8f1a7d78ea485ae11358cf2ae3d51cb7975524d6d67ba05a08a37ea
  • 082a55731f972cd15e103104229a68175a8c59a52bae05daa8ed4302df7c2dec
  • 99bd09e1c500866b2b809fd9170f1b8b7e120da21a1f2eed6165fcf81bf519b7
  • f7c73b1ac9aff545b184ec7121f2bc706c5064dc3c17f59e9a39469031bf2ef6
  • 0d03934eb181c2befbc5341208c4eb8f939e00382ac632216397b8210225c937
  • 0c7db12ec29f333bf5f53dc5c73ec446b2265fca3aad5144c3569409e15123cb
  • 524734501be19e9ed1bfab304b0622a2263a4f9e3db0971f3fae93f7e7369c20
  • 8d3907d56b1dd1609053cb55dd66f33499e1ea091133df76d8fe6f08f25f37b2
  • e1ff808321ce952384b7fff720584c48ec0fd36480d6bc9ac0d5db036102c368
  • 3e698c85660e2c012b3db7f47ca3f2b1af2b6b0e0a0d2bdb7903f91cf9d31732
  • 3b2b6a3ee023dfa168f257b292a28f5fbdbacb5aa2250e1efb36e650529db1b5
  • 96f52e4666aa8df67f8d7d00a523cd25e11402108157156775603b3d9514925c
  • cfdcbc553bc7464aedfb6758b0a38acc78d9537eabe9717e60ab0d8d3b355225
  • c880936ba0ca153719c2cca33c1925a9480d28abc88cf4daa02f34cc8cc1c9e5
  • 6ddbfd3a96834087501f0c9415a925cafdb92cb8ff34685f138833b4795416d6
  • f710dc61c2edc85841fd733a17b7977dfb889d6476c59bb3c54a5b2fd393ac13
  • cfcbb3014ecc560ba36103213b36fc62d6b0ef22c49067ff0d860fd7253a7c94
  • cdb90179188a142d24147edcb72be8b574fac4f6833fff15a6ee803754dec0c0
  • edc0287da3c6bb62a7b2fd3949be5688628fc0e893b5822bd5734a63c39f7ab1
  • f6ac9e5e76bc9daf4772c5be43c9eac1d2611caafd49fac70bbb8eebfa4781ac
  • b87cee18720c176c1972cf5c74e3c09877177e0c49c34a04b910bb3c70839b71
  • fb9400d763a009b3bd2b9468410e0c69ee8a4f58400e532f086cef749422210d
  • 52c817465a56ccd0fb4e914a3274a9e9a93e872583e6239bc6461e4f3e40c567
  • e9541e8afa502e13c18734756270b10e3c07f1071283387e63c8f8b0ba591343
  • 43.255.189.67
  • 107.148.33.60
  • 107.148.130.22
  • 79.141.169.123
  • 107.148.51.251

Attack Patterns

  • SuperDump
  • AntSword
  • Sliver
  • Xnote
  • ScanPortPlus
  • Fast Reverse Proxy
  • GodZilla
  • CL-UNK-1068

Additional Information

  • Energy
  • Pharmacy and drugs manufacturing
  • Telecommunications
  • Technology
  • Central administration and government
  • Government
  • Air transport

Linked vulnerabilities