
Airstalk Malware Linked to Supply Chain Attack

1 unique source, 1 article

Summary


A new malware family called Airstalk has been identified in a suspected supply chain attack. It abuses the AirWatch mobile device management (MDM) API to establish a covert command-and-control (C2) channel and is attributed to a nation-state threat actor tracked as CL-STA-1009. Airstalk exists in PowerShell and .NET variants; both communicate over a multi-threaded C2 protocol and support actions including taking screenshots, harvesting browser data, exfiltrating files, and uninstalling themselves. The .NET variant is the more advanced of the two, targeting additional browsers and adding more sophisticated features. The campaign may target the business process outsourcing (BPO) sector. The malware's distribution method and specific targets remain unknown, but the use of MDM-related APIs points to a supply chain attack.

Timeline

  1. 31.10.2025 18:08 1 article · 10d ago

    Airstalk Malware Identified in Suspected Supply Chain Attack


Similar Happenings

SesameOp malware leverages OpenAI Assistants API for command-and-control

A new backdoor malware, SesameOp, uses the OpenAI Assistants API as a covert command-and-control channel. The malware was discovered during an investigation into a July 2025 cyberattack, in which it gave the attackers persistent access to compromised environments and let them remotely manage backdoored devices for several months. By relaying traffic through a legitimate cloud service, the attackers evaded detection and traditional incident response measures. The malware protects its communications with a combination of symmetric and asymmetric encryption. It consists of a heavily obfuscated loader component named "Netapi64.dll" and a .NET-based backdoor named "OpenAIAgent.Netapi64", deployed through .NET AppDomainManager injection into Microsoft Visual Studio utilities. The attack chain also includes internal web shells and malicious processes designed for long-term espionage. The backdoor interprets three types of values in the description field of the Assistants list retrieved from OpenAI: SLEEP, Payload, and Result. Microsoft and OpenAI collaborated to investigate the abuse of the API, which led to the disabling of the account and API key used in the attacks. The malware does not exploit a vulnerability in OpenAI's platform; it misuses built-in capabilities of the Assistants API. The OpenAI Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.