

Ethical Hacking News

Unveiling the Shadowy World of CL-STA-0969: A State-Sponsored Threat Actor Weaving a Web of Deception


CL-STA-0969, a state-sponsored threat actor, has been quietly infiltrating telecommunications networks across Southeast Asia, leaving behind a trail of covert malware installations and sophisticated defense evasion techniques. According to recent findings from Palo Alto Networks Unit 42, CL-STA-0969 has conducted a 10-month espionage campaign, showcasing its remarkable capabilities in breaching network security and establishing remote control over compromised systems.

  • CL-STA-0969 has conducted a 10-month espionage campaign in Southeast Asia, breaching network security and establishing remote control over compromised systems.
  • The threat actor deployed tools such as Cordscan, which can collect location data from mobile devices, but no data exfiltration was detected.
  • CL-STA-0969 demonstrated strong operational security (OPSEC): it gained initial access through brute-force attacks on SSH and evaded detection with techniques such as DNS tunneling.
  • The group shares similarities with other China-nexus espionage groups, such as Liminal Panda and Light Basin.
  • Telecommunications organizations in Southeast Asia should remain vigilant and take proactive measures to prevent similar attacks.



In the realm of cyber espionage, few actors have managed to evade detection and remain shrouded in mystery for as long as CL-STA-0969 has.

The attacks began in February 2024, with multiple incidents observed across the region, including one aimed at critical telecommunications infrastructure. CL-STA-0969 employed a combination of tools to facilitate remote access, including Cordscan, which can collect location data from mobile devices. However, Unit 42 researchers found no evidence of data exfiltration from the networks and systems they investigated, nor any evidence that the attackers attempted to track or communicate with target devices within the mobile networks.

CL-STA-0969 has demonstrated a remarkable level of operational security (OPSEC), employing various defense evasion techniques to avoid detection. Initial compromise relied on brute-force attacks against SSH authentication; the attackers then used that access to drop implants such as the Microsocks proxy, Fast Reverse Proxy (FRP), FScan, Responder, and ProxyChains. These tools let the attackers proxy traffic through other telecom nodes, tunnel data over less-scrutinized protocols, and disguise their processes under names that blend in with the target environment.

CL-STA-0969's tactics also include DNS tunneling of traffic, routing traffic through compromised mobile operators, erasing authentication logs, disabling Security-Enhanced Linux (SELinux), and other defense evasion techniques. These efforts have allowed the threat actor to maintain persistent, stealthy access to the compromised networks and systems.
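The two paragraphs above name three behaviours a defender can hunt for in ordinary host and resolver telemetry: bursts of failed SSH logins from one source, SELinux being switched out of enforcing mode, and DNS traffic shaped like a tunnel (many unique, long, high-entropy subdomains under one parent domain). The script below is an added example for this page, not code from Unit 42 or from the article; the log formats, hostnames, IP addresses (documentation ranges), domain names and thresholds are all constructed for illustration and would need tuning against a real environment.

```python
"""Defender-side triage of three CL-STA-0969 techniques over constructed sample logs.

Heuristics (thresholds are illustrative assumptions, not vendor guidance):
  1. SSH brute force: >= N 'Failed password' events from one source inside a short window.
  2. SELinux weakened: an auditd MAC_STATUS record showing enforcing switched from 1 to 0.
  3. DNS tunneling: one parent domain receiving many unique, long, high-entropy subdomains.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# --- constructed sample data (hostnames, IPs and domains are placeholders) ---
SAMPLE_AUTH_LOG = [
    "Aug  2 12:00:01 mme01 sshd[4101]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "Aug  2 12:00:04 mme01 sshd[4102]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Aug  2 12:00:09 mme01 sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2",
    "Aug  2 12:00:15 mme01 sshd[4104]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "Aug  2 12:00:22 mme01 sshd[4105]: Failed password for root from 203.0.113.5 port 51005 ssh2",
    "Aug  2 12:00:31 mme01 sshd[4106]: Failed password for root from 203.0.113.5 port 51006 ssh2",
    "Aug  2 12:00:40 mme01 sshd[4107]: Accepted password for root from 203.0.113.5 port 51007 ssh2",
    "Aug  2 12:30:12 mme01 sshd[4210]: Failed password for alice from 198.51.100.7 port 40210 ssh2",
    "Aug  2 13:05:44 mme01 sshd[4311]: Failed password for alice from 198.51.100.7 port 40311 ssh2",
]
SAMPLE_AUDIT_LOG = [
    "type=SYSCALL msg=audit(1754136000.000:900): arch=c000003e syscall=59 success=yes exit=0 auid=0 ses=7",
    "type=MAC_STATUS msg=audit(1754136060.101:901): enforcing=0 old_enforcing=1 auid=0 ses=7 "
    "enabled=1 old-enabled=1 lsm=selinux res=1",
]
_ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"
SAMPLE_DNS_LOG = [
    "02-Aug-2025 12:10:00.000 client 10.0.0.5#53100: query: www.example.com IN A",
    "02-Aug-2025 12:10:01.000 client 10.0.0.5#53101: query: mail.example.com IN MX",
    "02-Aug-2025 12:10:02.000 client 10.0.0.5#53102: query: cdn.static.example.com IN A",
] + [
    # six distinct 36-character labels under one parent, the shape a tunnel produces
    f"02-Aug-2025 12:11:{i:02d}.000 client 10.0.0.9#5320{i}: query: "
    f"{_ALNUM[i:] + _ALNUM[:i]}.t.example.net IN TXT"
    for i in range(6)
]

SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
MAC_STATUS_RE = re.compile(r"type=MAC_STATUS .*enforcing=0 old_enforcing=1")
DNS_QUERY_RE = re.compile(r"query: (?P<name>[\w.-]+) IN (?P<type>\w+)")


def ssh_bruteforce_sources(lines, threshold=5, window_seconds=120):
    """Return {source_ip: peak failures in any window} for sources at or over threshold."""
    events = defaultdict(list)
    for line in lines:
        m = SSH_FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all the window needs
            events[m.group("ip")].append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    flagged = {}
    for ip, times in events.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def selinux_disabled_events(lines):
    """Return auditd records where SELinux was switched from enforcing to permissive."""
    return [line for line in lines if MAC_STATUS_RE.search(line)]


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a single repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dns_tunnel_candidates(lines, min_unique=5, min_label_len=30, min_entropy=3.5):
    """Return {parent_domain: unique_label_count} for parents with many tunnel-shaped queries."""
    seen = defaultdict(set)
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group("name").rstrip(".").split(".")
        if len(labels) < 3:  # need at least one label left of the registrable domain
            continue
        parent, first = ".".join(labels[-2:]), labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            seen[parent].add(first)
    return {p: len(s) for p, s in seen.items() if len(s) >= min_unique}


def triage():
    """Run all three heuristics over the constructed samples."""
    return {
        "ssh_bruteforce": ssh_bruteforce_sources(SAMPLE_AUTH_LOG),
        "selinux_disabled": selinux_disabled_events(SAMPLE_AUDIT_LOG),
        "dns_tunnel": dns_tunnel_candidates(SAMPLE_DNS_LOG),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

The SSH heuristic deliberately keys on the source address rather than the username, because the sample shows the same source cycling through several accounts; pairing a flagged burst with a subsequent "Accepted password" from that source (as in the constructed log) is the event most worth paging on. The DNS rule looks at the leftmost label only, so a tunnel that spreads its payload across several labels needs the label-join adapted.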

Interestingly, CL-STA-0969 shares significant overlaps with a cluster tracked by CrowdStrike under the name Liminal Panda, a China-nexus espionage group that has been attributed to attacks directed against telecommunications entities in South Asia and Africa since at least 2020. This cluster also overlaps with other reported groups and activity clusters, including Light Basin (aka UNC1945), which has also singled out the telecom sector since 2016.

The findings from Unit 42 have shed new light on the sophisticated tactics employed by CL-STA-0969. As the threat actor continues to evolve and adapt its methods, it is essential for telecommunications organizations in Southeast Asia to remain vigilant and take proactive measures to prevent similar attacks in the future.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Unveiling-the-Shadowy-World-of-CL-STA-0969-A-State-Sponsored-Threat-Actor-Weaving-a-Web-of-Deception-ehn.shtml

  • https://thehackernews.com/2025/08/cl-sta-0969-installs-covert-malware-in.html


  • Published: Sat Aug 2 12:42:01 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
