SuperDump

SuperDump is a custom .NET reconnaissance tool used by the intrusion cluster CL-UNK-1068. Palo Alto Networks Unit 42 reported the tool was deployed as early as 2020 during a years-long campaign targeting high-value organizations across South, Southeast, and East Asia. The broader activity targeted aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors, and Unit 42 assessed with moderate-to-high confidence that the campaign’s primary objective was cyber espionage. Unit 42 also assessed with high confidence that CL-UNK-1068 is a Chinese threat actor. Within this campaign, SuperDump was specifically described as a reconnaissance tool used to collect host or environment information during post-compromise operations. The actor’s wider tradecraft included exploitation of web servers to deploy web shells, lateral movement, theft of IIS/web application files from c:\inetpub\wwwroot, harvesting browser data and office files, collecting MSSQL backup files, and exfiltrating archived data by Base64-encoding it with certutil and printing it through a web shell. Other tooling used alongside SuperDump in the same campaign included Godzilla, AntSword, FRP, Xnote, Mimikatz, LsaRecorder, PrintSpoofer, and the custom scanner ScanPortPlus. No SuperDump-specific indicators of compromise beyond its name, .NET implementation, reconnaissance role, and use by CL-UNK-1068 are directly provided in the content.