Cyber Espionage Group CL-UNK-1068 Linked to China Targets Asian Infrastructure
A highly sophisticated cyber espionage group, designated as CL-UNK-1068, has been actively targeting critical infrastructure across South, Southeast, and East Asia since at least 2020.

Originating from China, the threat actors focus on high-value sectors, including aviation, energy, government, law enforcement, technology, and telecommunications.

The attackers use a versatile mix of custom malware, open-source utilities, and living-off-the-land binaries (LOLBINs) to compromise both Windows and Linux environments effectively.

Researchers at Unit 42 assess with high confidence that the group’s primary motive is cyber espionage, though cybercriminal activities cannot be entirely ruled out.

Threat Analysis and Attack Techniques

CL-UNK-1068 initiates its attacks by deploying popular web shells, such as GodZilla and AntSword, to establish an initial foothold.

Cortex XDR alert indicating Linux webserver exploitation, triggered by CL-UNK-1068 activity. (Source: Palo Alto)

Once inside the network, they use a DLL side-loading technique that abuses legacy Python executables such as python.exe.

The legitimate interpreter loads a malicious DLL placed beside it, such as python20.dll, which decrypts and executes the payload entirely in memory.
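The side-loading described above leaves a distinctive trace in image-load telemetry: python.exe loading a pythonNN.dll from a directory where no Python runtime is installed, typically unsigned. The following heuristic, added here as example code (not from Unit 42 or the article), runs over constructed Sysmon Event ID 7 style records; the field names follow Sysmon (Image, ImageLoaded, Signed), while the sample events and the allow-list of install roots are assumptions to be replaced from your own inventory.

```python
"""Heuristic for python.exe side-loading a pythonNN.dll from an unexpected
location, run over constructed Sysmon Event ID 7 (image load) style records.
Example code added here, not from Unit 42 or the article; the records and the
allow-list of install roots are assumptions."""
import re
from pathlib import PureWindowsPath

# Where a legitimate CPython runtime is normally installed (assumption; extend
# this from your software inventory).
KNOWN_PYTHON_ROOT_RE = re.compile(
    r"^c:\\(?:python\d*|program files(?: \(x86\))?\\python\d*|"
    r"users\\[^\\]+\\appdata\\local\\programs\\python\\python\d*)\\",
    re.IGNORECASE,
)
# Any pythonNN.dll name, including legacy ones such as python20.dll.
PYTHON_DLL_RE = re.compile(r"^python\d+\.dll$", re.IGNORECASE)
# Web roots and scratch locations an interpreter should not be loaded from (assumption).
WRITABLE_DROP_RE = re.compile(
    r"\\(?:inetpub|temp|tmp|programdata|public|downloads)\\", re.IGNORECASE
)


def side_load_reasons(record):
    """Return the reasons this image-load record looks like python.exe
    side-loading; an empty list means benign or not applicable."""
    image = PureWindowsPath(record["Image"])
    loaded = PureWindowsPath(record["ImageLoaded"])
    if image.name.lower() != "python.exe" or not PYTHON_DLL_RE.match(loaded.name):
        return []
    reasons = []
    dll_dir = str(loaded.parent).lower() + "\\"
    if not KNOWN_PYTHON_ROOT_RE.match(dll_dir):
        reasons.append(f"python DLL loaded from non-standard directory {loaded.parent}")
    if WRITABLE_DROP_RE.search(dll_dir):
        reasons.append("DLL directory is a web root or scratch location")
    if record.get("Signed", "").lower() == "false":
        reasons.append("loaded DLL is unsigned")
    return reasons


def scan(records):
    """Return (ProcessId, reasons) for every record that triggers the heuristic."""
    hits = []
    for rec in records:
        reasons = side_load_reasons(rec)
        if reasons:
            hits.append((rec["ProcessId"], reasons))
    return hits


# Constructed sample events: one benign CPython load, one side-load from a web
# root, one unrelated system process.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Python39\python.exe",
     "ImageLoaded": r"C:\Python39\python39.dll", "Signed": "true"},
    {"ProcessId": 5532, "Image": r"C:\inetpub\wwwroot\python.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\python20.dll", "Signed": "false"},
    {"ProcessId": 6010, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Only the web-root load is reported, with all three reasons; the signature check matters because a genuine pythonNN.dll shipped with CPython is signed, so an unsigned one loaded by a signed interpreter is the classic side-loading mismatch.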

Cortex XDR alert showing the attackers archiving files for exfiltration under c:\inetpub\wwwroot. (Source: Palo Alto)

For lateral movement, the group utilizes custom tools like ScanPortPlus, a multi-platform network scanner built in Go.

To maintain persistent access and bypass network firewalls, they deploy a modified Fast Reverse Proxy (FRP) featuring unique Chinese identifiers, such as the authentication token “frpforzhangwei” and a hardcoded password.

Configuration from FRP samples used in CL-UNK-1068 activity. (Source: Palo Alto)

Additionally, the attackers target Linux servers with the Xnote backdoor, which is primarily used for launching Distributed Denial-of-Service (DDoS) attacks.

The group focuses heavily on credential theft and sensitive data exfiltration.

They steal website configuration files by archiving them with WinRAR, Base64-encoding the archive, and printing the encoded text to their terminal, so the data leaves through the interactive session rather than as a file transfer.

Command history of a Linux server during a CL-UNK-1068 interactive attack. (Source: Palo Alto)
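The archive-then-Base64-to-terminal chain above is visible in shell history even though no file ever crosses the network. The scanner below, added here as example code (not from Unit 42 or the article), walks constructed history lines and reports an archiver command followed within a few commands by base64 whose output is neither redirected nor piped onward; the archiver names, archive extensions and the list of sensitive configuration file names are assumptions.

```python
"""Scan shell history for the archive -> base64 -> terminal exfiltration chain.
Example code added here, not from Unit 42 or the article; the history lines,
archiver list and sensitive-file patterns are constructed assumptions."""
import re
import shlex
from pathlib import PurePosixPath

ARCHIVERS = {"rar", "unrar", "zip", "7z", "7za", "tar"}
ARCHIVE_EXT_RE = re.compile(
    r"\.(?:rar|zip|7z|tar|tgz|tar\.(?:gz|xz|bz2))$", re.IGNORECASE
)
# File names that commonly hold credentials or connection strings (assumption).
SENSITIVE_RE = re.compile(
    r"(?:web\.config|wp-config\.php|config\.php|\.env|appsettings\.json|settings\.py)$",
    re.IGNORECASE,
)


def _tokens(command):
    """Split one history line into tokens; fall back on unbalanced quotes."""
    try:
        return shlex.split(command)
    except ValueError:
        return command.split()


def _base(token):
    return PurePosixPath(token).name.lower()


def find_archive_to_terminal_chains(history, window=5):
    """Return findings for each archive that is base64-encoded to the terminal
    within `window` commands of being created. One command per history line."""
    findings = []
    pending = {}  # archive name -> (history index, touched sensitive files)
    for i, line in enumerate(history):
        toks = _tokens(line)
        if not toks:
            continue
        # Step 1: an archiver writing an archive file.
        if _base(toks[0]) in ARCHIVERS:
            archives = [t for t in toks[1:] if ARCHIVE_EXT_RE.search(t)]
            if archives:
                sensitive = any(SENSITIVE_RE.search(t) for t in toks[1:])
                pending[_base(archives[0])] = (i, sensitive)
            continue
        # Step 2: base64 whose output goes to the terminal (no '>' and no pipe after it).
        b64_positions = [k for k, t in enumerate(toks) if _base(t) == "base64"]
        if not b64_positions:
            continue
        tail = toks[b64_positions[-1] + 1:]
        if any(t.startswith(">") or t == "|" for t in tail):
            continue
        for name, (j, sensitive) in list(pending.items()):
            if i - j > window:
                del pending[name]
                continue
            if any(_base(t) == name for t in toks):
                findings.append({
                    "archive_line": j, "base64_line": i,
                    "archive": name, "sensitive_files": sensitive,
                })
    return findings


# Constructed history: one exfiltration chain, one ordinary backup, one
# harmless base64 decode with redirected output.
SAMPLE_HISTORY = [
    "cd /var/www/html",
    "rar a -r cfg.rar config.php wp-config.php .env",
    "base64 cfg.rar",
    "rm cfg.rar",
    "tar -czf backup.tar.gz /etc/nginx",
    "scp backup.tar.gz admin@backup.internal:/backups/",
    "base64 -d key.b64 > key.pem",
]

if __name__ == "__main__":
    for f in find_archive_to_terminal_chains(SAMPLE_HISTORY):
        print(f)
```

Only the cfg.rar chain is reported, flagged as touching sensitive files; the nginx backup is never Base64-encoded and the key decode writes to a file, so neither matches. In practice the same logic applies to EDR process-creation events, where the parent terminal session supplies the ordering that history files provide here.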

For stealing passwords, they rely on tools like Mimikatz, LsaRecorder, and Volatility to extract password hashes directly from the machine’s memory.

| Tool / File Indicator      | Type / Context   | Description                                                                       |
|----------------------------|------------------|-----------------------------------------------------------------------------------|
| GodZilla / AntSword        | Web Shell        | Used for initial access and lateral movement across servers.                      |
| python.exe / python20.dll  | DLL Side-Loading | Legitimate Python binaries used to load malicious shellcode in memory.            |
| ScanPortPlus               | Custom Scanner   | Go-based tool for IP, port, and vulnerability scanning on compromised networks.   |
| frpforzhangwei             | Custom FRP Token | Modified Fast Reverse Proxy for persistent access and firewall evasion.           |
| Xnote                      | Linux Backdoor   | Deployed on Linux servers to execute various CC, UDP, and SYN Flood DDoS attacks. |
| SuperDump / hp.bat         | Reconnaissance   | Custom .NET tool and batch scripts used to gather local system telemetry.         |
| LsaRecorder / DumpIt       | Credential Theft | Tools used to hook login callbacks and dump password hashes from machine memory.  |

Detection and Mitigation Strategies

Defending against CL-UNK-1068 requires organizations to move beyond static indicators and closely monitor for behavioral anomalies.

Security teams must watch for the misuse of legitimate Python binaries, the execution of unauthorized tunneling tools, and the deployment of unrecognized batch scripts (like hp.bat or hpp.bat) used for system reconnaissance.

Protecting critical assets involves identifying exposed servers and monitoring for unusual outbound communications.

The Cortex XDR Analytics Engine flags uncommon Linux process communications and unauthorized access to sensitive files like /etc/hosts.

To effectively mitigate the threat posed by CL-UNK-1068, organizations should focus on several key defense categories:

  • Behavioral Monitoring: Security teams must monitor for abnormal Python executions, the use of custom batch scripts like rar.bat or hp.bat, and any unusual SQL database queries that could indicate reconnaissance or data exfiltration.
  • Network Defense: Defenders should proactively block unauthorized tunneling tools, such as modified FRP, and continuously monitor network traffic for outbound Command and Control (C2) patterns.
  • Endpoint Security: Deploying advanced endpoint protection, such as Cortex XDR, is critical for detecting uncommon process communications and blocking unauthorized access to sensitive Linux files like /etc/hosts.
  • Firewall Protection: Organizations should apply the latest Threat Prevention signatures (including 94655, 91671, and 91662) through Next-Generation Firewalls (NGFW) to automatically block known attack vectors associated with this group.
  • Vulnerability Management: Security teams are advised to use attack surface management tools like Cortex Xpanse to quickly identify and secure exposed assets, particularly VMware vCenter Server devices facing the public internet.
