Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
Oct. 29, 2025, 6:36 p.m.
Description
A new Windows-based malware family called Airstalk has been discovered, with both PowerShell and .NET variants. It is believed to have been used by a nation-state threat actor in a supply chain attack. Airstalk misuses the AirWatch mobile device management API to establish covert command-and-control (C2) communications. The malware can exfiltrate sensitive browser data, including cookies, browsing history, and bookmarks. The .NET variant shows more advanced capabilities, including a multi-threaded C2 protocol, versioning, and signed binaries. The threat actor, tracked as CL-STA-1009, likely targeted business process outsourcing companies to gain access to multiple organizations. The malware's evasion techniques and adaptive nature pose a significant threat, particularly in third-party vendor environments.
Tags
Date
- Created: Oct. 29, 2025, 12:35 p.m.
- Published: Oct. 29, 2025, 12:35 p.m.
- Modified: Oct. 29, 2025, 6:36 p.m.
Indicators
Additional Information
- Technology
- Defense
- Government