Unit 42 tracks CL-UNK-1068 intrusion cluster targeting Asian aviation, energy, government organizations since 2020


Researchers at Unit 42, the threat intelligence team at Palo Alto Networks, uncovered a long-running cyber intrusion cluster, tracked as CL-UNK-1068, that has been targeting high-value organizations across South, Southeast, and East Asia since at least 2020. The campaign focuses on critical sectors including aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications. Analysts assess with high confidence that the activity is linked to Chinese-speaking operators based on linguistic artifacts in malware and the origin of the tools used.

According to the researchers, the attackers rely on a mix of custom malware, open-source utilities, and living-off-the-land binaries to infiltrate networks while maintaining a low profile. Initial access often involves deploying web shells such as GodZilla or AntSword, followed by stealth techniques like DLL side-loading via legitimate Python executables to execute malicious payloads in memory. The group also uses a custom network scanner called ScanPortPlus and tunneling tools, such as Fast Reverse Proxy, to maintain persistent command-and-control access within compromised environments.

Once inside victim networks, CL-UNK-1068 conducts reconnaissance and harvests credentials with tools such as Mimikatz and LsaRecorder, and dumps and analyzes system memory with DumpIt and the Volatility framework to recover further secrets. The attackers have also been observed collecting configuration files, database backups, and other sensitive records, then encoding the data and exfiltrating it via command output to avoid detection. Researchers say the targeting patterns and focus on strategic sectors strongly suggest an espionage objective, although some cybercriminal motivation cannot be entirely ruled out.

Unit 42 published a detailed analysis of the tool set deployed by the attackers behind CL-UNK-1068 across different intrusion campaigns since 2020. “While these attacks demonstrate a consistent set of techniques and procedures (TTPs), it is important to note that not every tool was used in every observed intrusion. Our analysis reveals a multi-faceted tool set that includes custom malware, modified open-source utilities and living-off-the-land binaries (LOLBINs). These provide a simple, effective way for the attackers to maintain a persistent presence within targeted environments.”

“The CL-UNK-1068 activity cluster is characterized by cross-platform cyber capabilities, maintaining a diverse set of tools for both Windows and Linux environments,” according to the researchers. “Their TTPs rely heavily on open-source utilities and malware variants popular with Chinese-speaking users, including GodZilla, AntSword, Xnote and Fast Reverse Proxy (FRP). One of the techniques we observed in these attacks is the use of legitimate Python executables to launch DLL side-loading attacks. This approach enables the attackers to stealthily load additional payloads.”

They also noted that initial access to environments targeted in the CL-UNK-1068 activity is achieved by deploying and utilizing various web shells. “We observed the attackers deploying the GodZilla web shell, and a variation of AntSword, both of which are written in a combination of English and Simplified Chinese. After gaining an initial foothold, the attackers use these web shells to move laterally to additional hosts and SQL servers.”

Researchers at Unit 42 analyzed several notable tools and utilities used by the attackers behind the CL-UNK-1068 intrusion cluster across multiple campaigns since 2020. The group has relied on techniques such as DLL side-loading through legacy Python executables to stealthily load malicious code into trusted processes.

The attackers also deployed a custom multi-platform scanning toolkit known as ScanPortPlus to identify accessible services and map victim networks. For communication and persistence, they used a modified version of the Fast Reverse Proxy (FRP) tunneling tool that included unique identifiers to manage command-and-control traffic across compromised systems.

In addition, the operators installed the Xnote Linux backdoor to maintain long-term access to targeted environments and conducted host-level reconnaissance to gather system information, credentials, and other sensitive data needed to expand their foothold inside victim networks.

The attackers used a credential theft toolset that included Mimikatz and LsaRecorder to extract authentication credentials from compromised systems. They also relied on DumpIt and the Volatility memory forensics framework to capture and analyze system memory to recover additional sensitive information. In addition, the operators used an SQL Server Management Studio password export tool to extract stored database credentials and gain further access to targeted environments.

In conclusion, Unit 42 assesses with high confidence that CL-UNK-1068 represents activity from a threat group that communicates in Chinese. The cluster has targeted high-value sectors across South, Southeast, and East Asia since at least 2020. By relying largely on open-source tools, community-shared malware, and batch scripts, the operators have maintained relatively stealthy operations while infiltrating critical organizations across the region.

“This cluster of activity demonstrates versatility by operating across both Windows and Linux environments, using different versions of their tool set for each operating system,” the post added. “While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intentions.”

Unit 42 advises defenders to move beyond relying solely on static indicators and instead focus on identifying behavioral anomalies within their environments. Detection logic should be tuned to flag hallmark techniques associated with this activity cluster. In the case of CL-UNK-1068, warning signs include the misuse of legitimate Python binaries to perform DLL side-loading, the deployment of unauthorized tunneling tools such as Fast Reverse Proxy (FRP), and the execution of custom batch scripts designed for system and network reconnaissance.
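The three hallmarks in that guidance translate directly into behavioral rules. The following is an added example written for this article, not code from Unit 42 or from the report: it runs three rules over simplified Sysmon-style process-create and image-load records and groups reconnaissance hits per parent process. The trusted Python directories, the threshold of three distinct recon commands, the sample paths and the process GUIDs are assumptions for the example, not indicators published by Unit 42.

```python
"""Constructed detection logic for the CL-UNK-1068 hallmarks Unit 42 lists:
Python side-loading a DLL, an FRP tunneling client, and a batch script chaining
recon commands.  Sysmon-style dicts (EventID 1 = process create, 7 = image
load); paths, GUIDs and thresholds are assumptions, not indicators."""
from collections import defaultdict
import ntpath

# Assumed-trusted locations for a Python interpreter's own DLLs (lowercase).
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "c:\\python", "c:\\program files\\python")
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
FRP_NAMES = {"frpc", "frps", "frpc.exe", "frps.exe"}
RECON_COMMANDS = {"ipconfig", "whoami", "net", "net1", "netstat", "systeminfo",
                  "tasklist", "arp", "route", "nltest", "quser", "hostname"}
RECON_THRESHOLD = 3  # distinct recon commands from one batch-script parent


def _base(path):
    return ntpath.basename(path).lower()


def python_dll_sideload(ev):
    """python(w).exe loading an unsigned DLL or one from outside the trusted
    prefixes: python27.dll under C:\\Python27 passes, a staged copy does not."""
    if ev.get("EventID") != 7 or _base(ev["Image"]) not in PYTHON_IMAGES:
        return False
    loaded = ev["ImageLoaded"].lower()
    if not loaded.endswith(".dll"):
        return False
    if str(ev.get("Signed", "false")).lower() != "true":
        return True
    return not loaded.startswith(TRUSTED_DLL_PREFIXES)


def frp_tunnel(ev):
    """Process create of an FRP client/server: image name, version-info
    OriginalFileName (if the binary has one) and first command-line token."""
    if ev.get("EventID") != 1:
        return False
    first_token = ev.get("CommandLine", "").split(" ")[0].strip('"')
    names = {_base(ev["Image"]), _base(ev.get("OriginalFileName", "")),
             _base(first_token)}
    return bool(names & FRP_NAMES)


def recon_from_batch(ev):
    """Recon tool name if spawned by cmd.exe running a .bat script, else None."""
    if ev.get("EventID") != 1 or _base(ev.get("ParentImage", "")) != "cmd.exe":
        return None
    if ".bat" not in ev.get("ParentCommandLine", "").lower():
        return None
    name = _base(ev["Image"]).rsplit(".exe", 1)[0]
    return name if name in RECON_COMMANDS else None


def evaluate(events):
    """Run all rules over an event list; return (rule, detail) alerts."""
    alerts = []
    recon_by_parent = defaultdict(set)
    for ev in events:
        if python_dll_sideload(ev):
            alerts.append(("python_dll_sideload", ev["ImageLoaded"]))
        if frp_tunnel(ev):
            alerts.append(("frp_tunnel", ev["CommandLine"]))
        cmd = recon_from_batch(ev)
        if cmd:
            recon_by_parent[ev["ParentProcessGuid"]].add(cmd)
    for guid, cmds in recon_by_parent.items():
        if len(cmds) >= RECON_THRESHOLD:
            alerts.append(("batch_recon", f"{guid} {sorted(cmds)}"))
    return alerts


# Constructed telemetry: a benign interpreter load, a staged interpreter
# side-loading an unsigned DLL, an FRP client (parent is an interactive
# cmd.exe, so it is not recon), and a .bat spawning four recon tools + notepad.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Python27\python.exe",
     "ImageLoaded": r"C:\Python27\python27.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libs\python.exe",
     "ImageLoaded": r"C:\Users\Public\Libs\python27.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\ProgramData\svc\frpc.exe",
     "CommandLine": r'"C:\ProgramData\svc\frpc.exe" -c frpc.ini',
     "ParentImage": ntpath.join(SYS32, "cmd.exe"),
     "ParentCommandLine": "cmd.exe", "ParentProcessGuid": "{P0}"},
] + [
    {"EventID": 1, "Image": ntpath.join(SYS32, exe), "CommandLine": exe,
     "ParentImage": ntpath.join(SYS32, "cmd.exe"),
     "ParentCommandLine": r"cmd.exe /c C:\Users\Public\info.bat",
     "ParentProcessGuid": "{P1}"}
    for exe in ("ipconfig.exe", "whoami.exe", "net.exe", "systeminfo.exe",
                "notepad.exe")
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run against the constructed events, the legitimate C:\Python27 load is silent while the staged copy under C:\Users\Public, the frpc.exe launch and the four-command batch script each raise one alert. Two tuning points matter in a real deployment: TRUSTED_DLL_PREFIXES must match where Python is actually installed in the environment, and a renamed FRP binary is only caught by name if it still carries a version resource (Go builds usually do not), so the tunneling rule should be paired with network telemetry rather than relied on alone.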
