Mallory
2 malware families · Exploits CVEs in the wild

CL-STA-1132

Also known as: cl_sta_1132

CL-STA-1132 is a threat activity cluster tracked by Palo Alto Networks Unit 42 and assessed in the provided reporting as likely state-sponsored or state-linked, with unknown provenance. Unit 42 attributed observed exploitation of CVE-2026-0300 to this cluster.

The activity centered on exploitation of the critical PAN-OS User-ID Authentication Portal (Captive Portal) vulnerability CVE-2026-0300 to achieve unauthenticated remote code execution and root-level access on exposed PA-Series and VM-Series firewalls, particularly internet-exposed or untrusted-zone-accessible Authentication Portal instances. Reported post-exploitation tradecraft included injecting shellcode into an nginx worker process, executing arbitrary commands on compromised firewalls, deleting logs, crash artifacts, core dumps, and other forensic evidence, and maintaining low-noise access through intermittent interactive sessions over multiple weeks. The cluster reportedly used open-source tooling rather than custom malware, including EarthWorm and ReverseSocks5 for tunneling and proxying, and favored memory-based execution and native system capabilities.

Reported follow-on activity included credential theft from compromised firewalls, Active Directory enumeration using likely stolen or firewall-linked service account credentials, internal pivoting, and use of tunneling to support command and control and lateral movement. One report also states the attackers triggered SAML floods to force high-availability failover and repeat the intrusion chain on secondary firewalls.

The campaign is described as focused on enterprise perimeter infrastructure, critical infrastructure, and high-value enterprise networks, with an espionage-oriented emphasis on stealth, persistence, and long-term access rather than disruptive effects.

The content notes attempted exploitation as early as 2026-04-09, successful compromise about a week later in at least one case, and limited but active in-the-wild exploitation observed around disclosure. No aliases or sub-groups beyond the tracking name CL-STA-1132 are provided in the content.


MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. 9 of 15 tactics, 24 techniques. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (2 techniques)
  T1078      Valid Accounts                          ×2
  T1190      Exploit Public-Facing Application       ×4

TA0002 Execution (2 techniques)
  T1059      Command and Scripting Interpreter       ×2
  T1059.004  Unix Shell                              ×2
  T1203      Exploitation for Client Execution       ×3

TA0003 Persistence (1 technique)
  T1078      Valid Accounts                          ×2

TA0004 Privilege Escalation (2 techniques)
  T1068      Exploitation for Privilege Escalation   ×2
  T1078      Valid Accounts                          ×2

TA0005 Stealth (3 techniques)
  T1027      Obfuscated Files or Information
  T1027.011  Fileless Storage
  T1070      Indicator Removal                       ×4
  T1070.004  File Deletion
  T1078      Valid Accounts                          ×2

TA0006 Credential Access (1 technique)
  T1003      OS Credential Dumping

TA0007 Discovery (3 techniques)
  T1016      System Network Configuration Discovery  ×2
  T1018      Remote System Discovery
  T1087      Account Discovery
  T1087.002  Domain Account

TA0011 Command and Control (4 techniques)
  T1071      Application Layer Protocol
  T1090      Proxy                                   ×4
  T1090.002  External Proxy
  T1105      Ingress Tool Transfer
  T1572      Protocol Tunneling

TA0040 Impact (1 technique)
  T1498      Network Denial of Service
IOCs

Observables

6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.


Activity feed

Recent activity

5 sources tracked across advisories, community write-ups, and news.

codeby (News)
May 17, 2026
CVE-2026-0300 PAN-OS: buffer overflow to root - analysis

Observed exploiting CVE-2026-0300 in PAN-OS User-ID Authentication Portal to gain pre-auth root access on internet-exposed firewalls, then using the compromised firewall as a pivot point into internal networks.
SecPod Blog (News)
May 11, 2026
CL-STA-1132 Weaponizes PAN-OS RCE for Silent Root-Level Takeovers - SecPod Blog

State-sponsored threat cluster conducting targeted exploitation of Palo Alto PAN-OS edge infrastructure for stealthy long-term access, espionage, credential theft, and lateral movement.
Security Affairs (News)
May 7, 2026
Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks

Likely state-sponsored activity cluster exploiting the PAN-OS zero-day CVE-2026-0300 to gain unauthenticated remote code execution on exposed firewalls, inject shellcode into nginx worker processes, deploy tunneling tools, enumerate Active Directory with stolen credentials, and destroy logs to hide compromise.
SC World (News)
May 7, 2026
Palo Alto Networks says patch for exploited PAN-OS firewall bug forthcoming | news | SC Media

A likely state-sponsored activity cluster exploiting CVE-2026-0300 in PAN-OS to gain unauthenticated remote code execution with root privileges on exposed firewalls, inject shellcode into nginx worker processes, erase forensic evidence, deploy tunneling tools for outbound C2, enumerate Active Directory, and trigger SAML floods to force HA failover and repeat compromise on secondary firewalls.