Chinese Espionage Campaign CL-UNK-1068 Targeting Asian Critical Infrastructure via Web Server Exploitation
Palo Alto Networks Unit 42 reported a previously undocumented Chinese threat actor, tracked as CL-UNK-1068, conducting a multi-year intrusion campaign (observed since at least 2020) against high-value organizations across South, Southeast, and East Asia. Targeted sectors include aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. Unit 42 assesses with moderate-to-high confidence that the primary objective is cyber espionage, while not fully ruling out criminal motives. The attribution rests on tool provenance, linguistic artifacts in configurations, and consistent long-term targeting of Asian critical infrastructure.
The activity features exploitation of internet-facing web servers to deploy web shells and establish persistence across both Windows and Linux environments, using a mix of custom malware, modified open-source tools, and living-off-the-land binaries (LOLBINs). Reported tooling includes the Godzilla and AntSword web shells, the Xnote Linux backdoor, and Fast Reverse Proxy (FRP) for tunneling and relay. Post-compromise behavior includes lateral movement and targeted file theft from Windows web servers (e.g., c:\inetpub\wwwroot), focusing on files such as web.config, .aspx, .asmx, .asax, and .dll, which is consistent with credential access and discovery in preparation for follow-on exploitation.
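The file types the report names (web.config, .aspx, .asmx, .asax, .dll under the IIS web root) are exactly the ones a defender should baseline: a dropped web shell shows up as a new .aspx file and stolen-then-edited configuration shows up as a changed web.config. The script below is an added example, not Unit 42's or Mallory's tooling; it hashes the watched files under a web root, re-snapshots later, and reports what was added, removed, or modified. The directory layout and file contents in `demo()` are constructed for the example, and the `c:\inetpub\wwwroot` default is taken from the report.

```python
"""Baseline-and-diff integrity check for an IIS web root (added example).

The file types watched here are the ones the Unit 42 report lists as targeted
on Windows web servers. Run snapshot() once to record a baseline, store it
off-host, and re-run on a schedule; any difference is worth a look.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# File types called out in the report as stolen from c:\inetpub\wwwroot.
WATCHED_SUFFIXES = {".config", ".aspx", ".asmx", ".asax", ".dll"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large .dll files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_root: Path) -> Dict[str, str]:
    """Map each watched file (POSIX-style path relative to web_root) to its SHA-256."""
    result: Dict[str, str] = {}
    for path in web_root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            result[path.relative_to(web_root).as_posix()] = sha256_of(path)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return files added, removed and modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temporary directory: take a baseline, then
    simulate the two changes a defender most wants to catch (a new .aspx page
    appearing under the web root and web.config being edited) and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "web.config").write_text("<configuration/>")
        (root / "Default.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "bin" / "App.dll").write_bytes(b"MZ placeholder")  # constructed, not a real binary
        (root / "readme.txt").write_text("not a watched type")
        baseline = snapshot(root)

        # Simulated post-compromise changes (constructed placeholders, not samples).
        (root / "upload").mkdir()
        (root / "upload" / "new.aspx").write_text("<!-- unexpected new page -->")
        (root / "web.config").write_text("<configuration><!-- edited --></configuration>")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    # On a real host: snapshot(Path(r"c:\inetpub\wwwroot")) and persist the dict.
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Keep the baseline somewhere the web server account cannot write, and treat a changed web.config as a credential-exposure event as well as an integrity one, since the report ties theft of that file to credential access.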

How this story unfolded
Four events, listed from the most recent confirmed update back to the earliest known activity.
Unit 42 publishes investigation and links CL-UNK-1068 to China
Palo Alto Networks Unit 42 disclosed its investigation into CL-UNK-1068, describing years of undetected operations and assessing with moderate-to-high confidence that the activity was primarily cyberespionage. The researchers assessed with high confidence that the cluster is a Chinese threat actor based on tool provenance, linguistic artifacts, and regional critical-infrastructure targeting, and released indicators of compromise.
Actor uses Linux and Windows tooling including PwnKit and vCenter exploit attempts
During the campaign, CL-UNK-1068 used a cross-platform toolkit that included modified FRP tunneling tools, the Xnote Linux backdoor, Mimikatz, LsaRecorder, DumpIt with Volatility, and DLL side-loading via legitimate Python executables. Unit 42 also observed attempted exploitation of VMware vCenter Server CVE-2023-34048 and use of Linux privilege escalation via PwnKit (CVE-2021-4034).
CL-UNK-1068 begins targeting high-value Asian sectors
A previously undocumented intrusion cluster later tracked as CL-UNK-1068 was active since at least 2020, targeting organizations across South, Southeast, and East Asia. Victims spanned government, critical infrastructure, telecommunications, technology, aviation, energy, law enforcement, and pharmaceutical sectors.
Threat actor conducts years-long web-server intrusions and espionage activity
Across the campaign, the actor exploited internet-facing or misconfigured web servers to deploy web shells such as Godzilla and an AntSword variant, then moved laterally to additional hosts and SQL servers. Post-compromise activity included credential theft, privilege escalation, tunneling, and theft of web application files, browser data, office documents, SQL-related data, and database backups.
Sources
Asian critical infrastructure subjected to clandestine Chinese hacking campaign (SC Media brief, scworld.com)
Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure (thehackernews.com)
Chinese Cyber Threat Lurks In Critical Asian Sectors for Years (darkreading.com)
An Investigation Into Years of Undetected Operations Targeting High-Value Sectors (unit42.paloaltonetworks.com)