Ethical Hacking News
Nation-state hackers have unleashed a new malware called Airstalk, which is suspected to be part of a supply chain attack. With its sophisticated features and ability to evade detection, this malware poses a significant threat to organizations using business process outsourcing services.
The Airstalk malware is part of a likely supply chain attack and has been linked to a state-backed entity. It misuses the AirWatch API for mobile device management (MDM) to establish a covert command-and-control channel. The .NET variant has additional features compared to its PowerShell counterpart, including support for more browsers and for file uploads. Airstalk can exfiltrate sensitive information from web browsers, including cookies, browser history, bookmarks, and screenshots. The .NET variant mimics an AirWatch Helper utility to evade detection and runs multiple execution threads, each with its own purpose. Organizations specializing in business process outsourcing (BPO) are a prime target for both criminal and nation-state attackers because of their lucrative nature. The abuse of a legitimate API such as the AirWatch MDM API illustrates the exposure Airstalk creates within the BPO sector.
The cybersecurity landscape has witnessed a significant escalation in recent times, with nation-state actors being linked to various high-profile attacks. The latest such incident involves the deployment of a new malware called Airstalk, which is believed to be part of a likely supply chain attack. According to Palo Alto Networks Unit 42, the suspected threat actor behind this malware has been identified as a state-backed entity.
The Airstalk malware misuses the AirWatch API for mobile device management (MDM), a product now called Workspace ONE Unified Endpoint Management. This lets it establish a covert command-and-control (C2) channel, primarily through AirWatch's features for managing custom device attributes and uploading files. The malware appears in both PowerShell and .NET variants, the latter being the more capable of the two.
The Airstalk malware has several features that set it apart from similar threats. For instance, its .NET variant is equipped with three additional message types – MISMATCH, DEBUG, and PING – that are not present in the PowerShell version. The .NET variant also widens the set of targeted browsers to include Microsoft Edge and Island, an enterprise-focused browser.
One of the most notable aspects of this malware is its ability to upload files using the AirWatch feature for blob storage. This allows it to exfiltrate sensitive information, including cookies, browser history, bookmarks, and screenshots from web browsers. The malware supports several different actions, such as taking a screenshot, getting cookies from Google Chrome, listing all user Chrome profiles, collecting the browser history of a given Chrome profile, enumerating all files within the user's directory, and uninstalling itself from the host.
The Airstalk malware also features a unique approach in its .NET variant, which attempts to mimic an AirWatch Helper utility (AirwatchHelper.exe). This makes it more challenging for security systems to detect the malware. In addition, it uses three different execution threads, each of which serves a unique purpose: to manage C2 tasks, exfiltrate the debug log, and beacon to the C2 server.
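The C2 pattern described above, a beacon carried in custom device attribute writes plus exfiltration through blob uploads, gives defenders something to hunt for in MDM audit data: an endpoint that writes attributes at a near-constant cadence and also pushes files. The script below is an added example for this article and is not code from Unit 42 or from any MDM vendor; the log records, field layout and action names (`custom_attribute.write`, `blob.upload`) are constructed for the example and must be mapped onto whatever your real Workspace ONE or AirWatch audit export provides.

```python
"""
Hunt for MDM-API abuse: devices whose custom-attribute writes arrive at a
regular (low-jitter) interval and that also upload blobs.  Added example;
the records and action names below are constructed placeholders, not a
real AirWatch/Workspace ONE log format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit records: (ISO timestamp, device_id, action, bytes).
SAMPLE_LOG = [
    # DEV-A: attribute write roughly every 60 s plus two uploads -> suspicious
    ("2025-10-31T10:00:00", "DEV-A", "custom_attribute.write", 0),
    ("2025-10-31T10:01:01", "DEV-A", "custom_attribute.write", 0),
    ("2025-10-31T10:01:59", "DEV-A", "custom_attribute.write", 0),
    ("2025-10-31T10:02:30", "DEV-A", "blob.upload", 204800),
    ("2025-10-31T10:03:00", "DEV-A", "custom_attribute.write", 0),
    ("2025-10-31T10:03:40", "DEV-A", "blob.upload", 51200),
    ("2025-10-31T10:04:02", "DEV-A", "custom_attribute.write", 0),
    ("2025-10-31T10:04:58", "DEV-A", "custom_attribute.write", 0),
    # DEV-B: a few irregular writes during the day, no uploads -> benign
    ("2025-10-31T09:12:00", "DEV-B", "custom_attribute.write", 0),
    ("2025-10-31T11:40:00", "DEV-B", "custom_attribute.write", 0),
    ("2025-10-31T16:05:00", "DEV-B", "custom_attribute.write", 0),
    # DEV-C: many writes but bursty timing, one upload -> not a beacon
    ("2025-10-31T10:00:00", "DEV-C", "custom_attribute.write", 0),
    ("2025-10-31T10:00:30", "DEV-C", "custom_attribute.write", 0),
    ("2025-10-31T10:07:00", "DEV-C", "custom_attribute.write", 0),
    ("2025-10-31T10:07:10", "DEV-C", "custom_attribute.write", 0),
    ("2025-10-31T10:30:00", "DEV-C", "custom_attribute.write", 0),
    ("2025-10-31T10:31:00", "DEV-C", "custom_attribute.write", 0),
    ("2025-10-31T10:31:05", "DEV-C", "blob.upload", 4096),
]


def _group(records):
    """Split records into per-device write timestamps and upload sizes."""
    writes = defaultdict(list)
    uploads = defaultdict(list)
    for ts, device, action, size in records:
        when = datetime.fromisoformat(ts)
        if action == "custom_attribute.write":
            writes[device].append(when)
        elif action == "blob.upload":
            uploads[device].append(size)
    return writes, uploads


def analyze(records, min_writes=5, max_cv=0.15):
    """Per-device statistics.  A device is a 'beacon' when it has at least
    min_writes attribute writes whose inter-arrival coefficient of variation
    (stdev / mean) is at or below max_cv, i.e. a machine-like cadence."""
    writes, uploads = _group(records)
    result = {}
    for device in set(writes) | set(uploads):
        times = sorted(writes.get(device, []))
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon = False
        interval_mean = cv = None
        if len(times) >= min_writes:
            interval_mean = mean(intervals)
            # Guard against all writes sharing one timestamp (mean of 0).
            cv = pstdev(intervals) / interval_mean if interval_mean > 0 else None
            beacon = cv is not None and cv <= max_cv
        sizes = uploads.get(device, [])
        result[device] = {
            "writes": len(times),
            "interval_mean": interval_mean,
            "cv": cv,
            "beacon": beacon,
            "uploads": len(sizes),
            "upload_bytes": sum(sizes),
        }
    return result


def flag_suspicious(records, **kwargs):
    """Devices that both beacon via attribute writes and upload blobs."""
    stats = analyze(records, **kwargs)
    return sorted(d for d, s in stats.items() if s["beacon"] and s["uploads"] > 0)


if __name__ == "__main__":
    for device, s in sorted(analyze(SAMPLE_LOG).items()):
        print(device, s)
    print("suspicious:", flag_suspicious(SAMPLE_LOG))
```

The thresholds are starting points, not tuned values: legitimate MDM agents also check in on a schedule, so in practice the cadence test is combined with the upload test and with an allow-list of the agent's own attribute names, and anything flagged is correlated back to the process on the endpoint that made the calls.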
Some of the .NET variant samples are signed with a "likely stolen" certificate issued by a valid certificate authority. The timestamps associated with these early iterations suggest that they were compiled as far back as June 28, 2024.
While it remains unclear exactly how this malware is distributed or who has been targeted in these attacks, some insights can be drawn from the nature of the threat. For instance, organizations specializing in business process outsourcing (BPO) appear to be a prime target for both criminal and nation-state attackers because of their lucrative nature. It is also clear that this malware is designed to evade detection and maintain its presence indefinitely.
The use of the AirWatch MDM API as a command-and-control channel highlights how attackers route their activity through legitimate APIs once inside an organization's systems. The most significant takeaway from this story is the exposure Airstalk has revealed within the BPO sector and the steps organizations should take to mitigate such threats in the future.
In conclusion, Airstalk represents a new and sophisticated strain of malware that is capable of breaching even the most robust security systems. Its sophistication highlights the need for constant vigilance and proactive measures to shield against potential vulnerabilities. It also emphasizes the necessity for organizations to stay up-to-date with the latest security patches and best practices in order to minimize the risk of supply chain attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Nation-State-Hackers-Deploy-New-Airstalk-Malware-in-Suspected-Supply-Chain-Attack-ehn.shtml
https://thehackernews.com/2025/10/nation-state-hackers-deploy-new.html
Published: Fri Oct 31 13:03:05 2025 by llama3.2 3B Q4_K_M