Nation-state group CL-STA-0969 targeted Southeast Asian telecoms in 2024


Pierluigi Paganini
August 04, 2025

State-backed group CL-STA-0969 hit Southeast Asian telecoms in 2024, targeting critical infrastructure, says Palo Alto Networks’ Unit 42.

Palo Alto Networks reported that a nation-state actor, tracked as CL-STA-0969, targeted telecom firms in Southeast Asia, with attacks on critical infrastructure from February to November 2024.

Threat actor CL-STA-0969 overlaps with the China-linked cyber espionage group Liminal Panda. The threat actor also showed overlap with groups like Light Basin, UNC3886, UNC2891, and UNC1945, using a mix of custom and public tools such as Microsocks, FRP, FScan, and Responder, as well as exploits for known vulnerabilities like CVE-2016-5195, CVE-2021-4034, and CVE-2021-3156. The group maintained strong OPSEC, staying undetected through DNS tunneling, routing via compromised mobile networks, log clearing, and disguising process names.

The researchers haven’t found evidence of data exfiltration, but the attackers used tools like Cordscan in an attempt to collect mobile device location data. The group set up resilient remote access, likely for future espionage operations.

Between February and November 2024, the APT group targeted critical telecommunications infrastructure, likely gaining access through brute-force attacks on authentication systems. Using custom tools like AuthDoor, GTPDoor, ChronosRAT, and NoDepDNS, they abused protocols such as SSH, ICMP, DNS, and GTP for covert access and command-and-control. To maintain stealth, they used PAM backdoors, disguised processes, tampered with logs, and disabled SELinux, demonstrating deep knowledge of telecom environments and strong operational security.

“Despite their high level of OPSEC, substantial evidence points to attackers gaining initial access via SSH brute force. To do this, they used a well-tuned account dictionary list that included built-in accounts specific to telecommunications equipment.” reads the report published by Palo Alto Networks.
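As an added, defender-side illustration (not code from the report or from Unit 42), the following Python detector scans constructed sshd log lines for the dictionary-style SSH brute forcing the report describes: many failed logins from one source against several distinct accounts inside a short window, escalated when a successful login from the same source follows. The log lines, thresholds and account names are assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd/syslog lines for illustration (not from the report): 198.51.100.7
# sprays a short dictionary of built-in style account names and then gets in;
# 192.0.2.10 is benign noise (one typo, then a key login).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 sgsn01 sshd[4101]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  3 02:14:02 sgsn01 sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Mar  3 02:14:03 sgsn01 sshd[4103]: Failed password for invalid user operator from 198.51.100.7 port 51002 ssh2
Mar  3 02:14:04 sgsn01 sshd[4104]: Failed password for invalid user oracle from 198.51.100.7 port 51003 ssh2
Mar  3 02:14:05 sgsn01 sshd[4105]: Failed password for invalid user mmsc from 198.51.100.7 port 51004 ssh2
Mar  3 02:14:06 sgsn01 sshd[4106]: Failed password for invalid user smsc from 198.51.100.7 port 51005 ssh2
Mar  3 02:14:09 sgsn01 sshd[4107]: Accepted password for operator from 198.51.100.7 port 51006 ssh2
Mar  3 02:20:11 sgsn01 sshd[4200]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar  3 02:20:30 sgsn01 sshd[4201]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(log_text, year=2024):
    """Yield (timestamp, result, user, src) for each sshd auth line (syslog has no year)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_brute_force(log_text, window_s=300, min_failures=5, min_users=3):
    """Map source IP -> finding for sources with >= min_failures failed logins
    against >= min_users distinct accounts inside a sliding window of window_s
    seconds; an 'Accepted' from that source after the failures escalates severity."""
    events = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        events[src].append((ts, result, user))
    findings = {}
    for src, evs in events.items():
        fails = [(ts, u) for ts, r, u in evs if r == "Failed"]
        lo = 0
        for hi in range(len(fails)):
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_s:
                lo += 1                      # slide the window start forward
            users = {u for _, u in fails[lo:hi + 1]}
            if hi - lo + 1 >= min_failures and len(users) >= min_users:
                last_fail = fails[hi][0]
                success = any(r == "Accepted" and ts >= last_fail for ts, r, _ in evs)
                findings[src] = {"failures": hi - lo + 1, "users": sorted(users),
                                 "severity": "critical" if success else "high"}
    return findings
```

The distinct-account count is what separates dictionary spraying of built-in accounts from a single user mistyping a password; tune the thresholds to the host's normal login volume.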


Below is the list of tools used by threat actor CL-STA-0969:

  • AuthDoor: A PAM backdoor that captures user credentials by hooking into authentication functions. It supports hardcoded password access, updates stolen credentials in a hidden log, and can execute files from a specific directory for persistent access.
  • Cordscan: A network scanning and packet capture tool tailored for telecom environments. It targets SGSN nodes to extract IMSI and operator data. It crafts and sends GTP packets to scan for specific mobile subscribers, logging results in a .pcap file.
  • GTPDoor: A Linux implant that uses GTP-C signaling (UDP port 2123) to tunnel C2 traffic within telecom networks, supporting beaconing and remote code execution. It bypasses traditional detection tools due to its use of telecom-specific protocols.
  • EchoBackdoor: A passive ICMP-based backdoor that listens for encrypted instructions in echo request packets. It reconstructs and executes commands and replies via ICMP echo replies, avoiding outbound connections and making detection harder.
  • SGSN Emulator: Emulates an SGSN node using the OsmoGGSN project to create tunnels to mobile operators via GRX. It connects with IMSI/MSISDN pairs and sets up a SOCKS proxy for data exfiltration, routing traffic through tun interfaces.
  • ChronosRAT: A modular Linux RAT that ensures persistence via a watchdog process. It includes AES-encrypted TCP C2, dynamic RSA key updates, and modules for remote shell, keylogging, screenshots, port forwarding, file management, and SOCKS proxy.
  • NoDepDNS: A stealthy Go-based backdoor using DNS tunneling over port 53. It decodes commands embedded in DNS response IP addresses using XOR encryption and executes them, but does not return output. Monitored and maintained by shell scripts.

“CL-STA-0969 demonstrates a deep understanding of telecommunications protocols and infrastructure. Its malware, tools and techniques reveal a calculated effort to maintain persistent, stealthy access. It achieved this by proxying traffic through other telecom nodes, tunneling data using less-scrutinized protocols and employing various defense evasion techniques. Organizations relying on legacy hosts and services within the targeted infrastructure increase their vulnerability to such attacks.” concludes the report.

“CL-STA-0969’s multi-pronged operational strategy, combining technical expertise with environmental adaptation, underscores the need for vigilant security measures and proactive threat intelligence.”
