Airstalk malware abusing AirWatch MDM APIs for covert C2

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary

The Airstalk malware activity linked to CL-STA-1009 is abusing AirWatch/Workspace ONE MDM APIs for covert command-and-control and data theft, increasing stealth risk in enterprise environments. The PowerShell and .NET variants can capture screenshots and harvest cookies, browser history, and bookmarks. The .NET build expands targeting to Microsoft Edge and Island while mimicking AirWatch Helper behavior. Early samples were compiled on June 28, 2024, and some artifacts appear signed with a likely stolen certificate.

Related Happenings

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

AppleChris, MemFun, and Getpass malware activity with persistent C2 and credential theft

Malware Activity
First: 13.03.2026 19:33 Last: 13.03.2026 19:33 Sources 1

About this happening: The intrusion used **AppleChris**, **MemFun**, and **Getpass** to keep access on compromised **Windows** endpoints and steal credentials. The backdoors supported **persistence**,...

GlassWorm campaign uses compromised Open VSX developer access to spread malicious extensions

Campaign
First: 02.02.2026 07:04 Last: 02.02.2026 07:04 Sources 1

About this happening: The **GlassWorm** campaign has evolved into a **multi-stage malware operation** that uses **rogue packages** across **npm, PyPI, GitHub, and Open VSX** to gain an initial foothold...

AshTag modular .NET backdoor deployment via sideloading

Malware Activity
First: 11.12.2025 13:00 Last: 11.12.2025 13:00 Sources 1

About this happening: The **AshTag** backdoor was deployed through **DLL sideloading** and **in-memory execution**, enabling **persistence** and **remote command execution** in targeted environments. I...

Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia

Malware Activity
First: 18.10.2025 09:51 Last: 18.10.2025 09:51 Sources 1

About this happening: The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...

Timeline

  1. 31.10.2025 18:08 1 article · 6mo ago

    Airstalk early samples are compiled and signed with a likely stolen certificate

    Technical Analysis Update

    Early Airstalk iterations were compiled on June 28, 2024, and some .NET samples were signed with a likely stolen certificate issued by Aoteng Industrial Automation (Langfang) Co., Ltd. The dated samples anchor the malware family's documented development history and suggest signed artifacts were part of the operator tradecraft.

  2. 31.10.2025 18:08 2 articles · 6mo ago

    Unit 42 links CL-STA-1009 to Airstalk covert AirWatch C2

    Initial Disclosure

    Palo Alto Networks Unit 42 disclosed that CL-STA-1009 is a suspected nation-state cluster distributing Airstalk in a likely supply chain attack that abuses the AirWatch API / Workspace ONE Unified Endpoint Management as a covert C2 channel. The analysis said the PowerShell and .NET variants can capture screenshots, harvest Google Chrome artifacts, and target Microsoft Edge and Island while mimicking AirwatchHelper.exe.
