Mallory
🇨🇳 CN | 18 malware families | Exploits CVEs in the wild

CL-UNK-1068

Also known as: CL-UNK-1068

CL-UNK-1068 is a previously undocumented threat cluster tracked by Palo Alto Networks Unit 42 and assessed with high confidence to be a Chinese threat actor. Unit 42 reports the group has targeted high-value organizations across South, Southeast, and East Asia since at least 2020, including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors. Unit 42 assesses with moderate-to-high confidence that the campaign’s primary objective is cyber espionage, while noting cybercriminal intent cannot be fully ruled out.

Observed tradecraft includes exploitation of web servers for initial access and deployment of web shells, including GodZilla and a variation of AntSword, followed by lateral movement to additional hosts and SQL servers. The actor operates across both Windows and Linux environments and uses a mix of custom malware, modified open-source utilities, and living-off-the-land binaries. Reported tooling includes modified Fast Reverse Proxy (FRP) for persistent access and firewall bypass, the Xnote Linux backdoor, a custom Go-based scanner called ScanPortPlus, and DLL side-loading via legitimate python.exe or pythonw.exe with a malicious loader DLL.

Post-compromise activity includes reconnaissance, privilege escalation, credential theft, and exfiltration of sensitive data. Unit 42 observed use of Mimikatz, LsaRecorder, DumpIt or DumpItForLinux with the Volatility Framework, the SQL Server Management Studio Password Export Tool, and in some reporting usql. The actor stole browser history and bookmarks, XLSX and CSV files, MSSQL .bak database backups, and web application files from c:\inetpub\wwwroot, including web.config, appsettings.json, and .aspx, .asmx, .asax, and .dll files. In observed cases, stolen data was archived with WinRAR, Base64-encoded with certutil -encode, and printed through the web shell using the type command to exfiltrate data without direct file transfer.
The content does not provide any confirmed aliases or sub-groups beyond the tracking name CL-UNK-1068.
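A detection-side illustration of the chain described above, added here and not part of the original profile or of Unit 42's reporting: Python heuristics run over constructed Sysmon-style process-creation events that flag a web worker spawning a shell, certutil -encode applied to a RAR archive, type of a file under the web root, and a python.exe/pythonw.exe copy running from an unusual path. The web-worker list, the "normal" interpreter install roots and the label names are assumptions made for the example.

```python
"""Heuristics for the exfiltration and side-loading chain described above, run over
constructed process-creation events (Sysmon Event ID 1 style: parent image, image,
command line). Labels map to the ATT&CK techniques listed on this page."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the created process
    cmdline: str       # full command line

WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}  # assumed set
SHELLS = {"cmd.exe", "powershell.exe", "certutil.exe"}
PY_HOSTS = {"python.exe", "pythonw.exe"}
# Assumed "normal" install roots for the interpreter; a copy running from anywhere
# else is treated as a likely side-load host (heuristic for this example only).
PY_NORMAL = re.compile(r"^(c:\\program files|c:\\python|c:\\users\\[^\\]+\\appdata)", re.I)

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the detection labels that apply to a single event, in rule order."""
    hits, cl = [], ev.cmdline.lower()
    parent, name = _name(ev.parent_image), _name(ev.image)
    if parent in WEB_WORKERS and name in SHELLS:
        hits.append("webshell-child")          # T1505.003: web worker spawning a shell
    if name == "certutil.exe" and "-encode" in cl:
        hits.append("certutil-encode")         # T1132: Base64 encoding via a LOLBIN
        if re.search(r"\.rar\b", cl):
            hits.append("archive-encoded")     # T1560.001: archive handed to the encoder
    if name == "cmd.exe" and re.search(r"\btype\b.*\\inetpub\\wwwroot\\", cl):
        hits.append("type-from-webroot")       # output printed back through the web shell
    if name in PY_HOSTS and (parent in WEB_WORKERS or not PY_NORMAL.match(ev.image)):
        hits.append("python-sideload-host")    # T1574.001: interpreter as DLL side-load host
    return hits

def scan(events):
    """Map event index -> labels for every event that triggered at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

SAMPLE = [  # constructed events, not real telemetry
    ProcEvent(r"c:\windows\system32\inetsrv\w3wp.exe", r"c:\windows\system32\certutil.exe",
              r"certutil -encode c:\inetpub\wwwroot\tmp\d.rar c:\inetpub\wwwroot\tmp\d.txt"),
    ProcEvent(r"c:\windows\system32\inetsrv\w3wp.exe", r"c:\windows\system32\cmd.exe",
              r"cmd.exe /c type c:\inetpub\wwwroot\tmp\d.txt"),
    ProcEvent(r"c:\windows\system32\inetsrv\w3wp.exe", r"c:\windows\temp\py\pythonw.exe",
              r"c:\windows\temp\py\pythonw.exe"),
    ProcEvent(r"c:\windows\explorer.exe", r"c:\python311\python.exe", r"python.exe app.py"),
]
```

Calling `scan(SAMPLE)` flags the first three events and leaves the interactive python launch alone; in a real pipeline the same rules would run over the parsed command-line field of each process-creation record.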


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Transportation
  • Energy
  • Software & Services
  • Telecommunication Services
  • Health Care Equipment & Services

Where they're from

Attributed origin per open-source reporting.

  • CN

MITRE ATT&CK

Tradecraft

32 distinct techniques observed across reporting, grouped by tactic (12 of 15 tactics, 42 techniques listed). ×N = number of intelligence reports citing this technique.

TA0001 Initial Access (1 technique)
  • T1190 Exploit Public-Facing Application ×5

TA0002 Execution (3 techniques)
  • T1059 Command and Scripting Interpreter
    • T1059.006 Python
  • T1203 Exploitation for Client Execution
  • T1574 Hijack Execution Flow
    • T1574.001 DLL

TA0003 Persistence (2 techniques)
  • T1112 Modify Registry
  • T1505 Server Software Component
    • T1505.003 Web Shell ×5

TA0004 Privilege Escalation (2 techniques)
  • T1068 Exploitation for Privilege Escalation
  • T1134 Access Token Manipulation

TA0005 Stealth (4 techniques)
  • T1027 Obfuscated Files or Information
  • T1070 Indicator Removal
    • T1070.001 Clear Windows Event Logs
  • T1134 Access Token Manipulation
  • T1574 Hijack Execution Flow
    • T1574.001 DLL

TA0112 Defense Impairment (1 technique)
  • T1112 Modify Registry

TA0006 Credential Access (3 techniques)
  • T1003 OS Credential Dumping ×4
    • T1003.001 LSASS Memory ×2
    • T1003.002 Security Account Manager
  • T1056 Input Capture
  • T1552 Unsecured Credentials
    • T1552.001 Credentials In Files

TA0007 Discovery (5 techniques)
  • T1016 System Network Configuration Discovery
  • T1018 Remote System Discovery
  • T1046 Network Service Discovery ×2
  • T1082 System Information Discovery ×2
  • T1087 Account Discovery

TA0008 Lateral Movement (1 technique)
  • T1021 Remote Services ×2
    • T1021.001 Remote Desktop Protocol

TA0009 Collection (4 techniques)
  • T1005 Data from Local System
  • T1056 Input Capture
  • T1213 Data from Information Repositories
  • T1560 Archive Collected Data ×2
    • T1560.001 Archive via Utility

TA0011 Command and Control (4 techniques)
  • T1071 Application Layer Protocol
  • T1090 Proxy
    • T1090.001 Internal Proxy ×2
  • T1132 Data Encoding ×2
  • T1572 Protocol Tunneling

TA0040 Impact (1 technique)
  • T1498 Network Denial of Service

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

ctoatncsc substack (News), Mar 14, 2026
CTO at NCSC Summary: week ending March 15th

Chinese threat cluster targeting high-value organizations across Asia, using web shells for initial access and lateral movement into additional hosts and SQL servers.

scworld (News), Mar 10, 2026
Asian critical infrastructure subjected to clandestine Chinese hacking campaign | brief | SC Media

Covert, multi-year intrusion campaign assessed as likely espionage-focused, exploiting misconfigured web servers to deploy webshells, conduct lateral movement, steal credentials, and exfiltrate sensitive data (e.g., browser history, spreadsheets, database backups) across Windows and Linux environments.

the hacker news (News), Mar 9, 2026
Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure

Previously undocumented China-linked activity cluster assessed as primarily conducting long-term cyber-espionage against high-value organizations in South/Southeast/East Asia. Operations include web server exploitation to deploy web shells, lateral movement, credential theft, and stealthy data exfiltration (e.g., Base64-encoding archives and printing via web shell output). Tooling spans Windows and Linux and mixes custom malware, modified open-source utilities, and LOLBIN usage.

dark reading (News), Mar 9, 2026
Chinese Cyber Threat Lurks In Critical Asian Sectors for Years

Long-running cyberespionage activity cluster targeting critical infrastructure and government-linked sectors across Asia, using web server exploitation and web shells for initial access, then credential theft and data exfiltration across Windows and Linux.
