CL-UNK-1068 Targets Asian Critical Infrastructure with Web Server Exploits and Mimikatz

1 unique source, 1 article

Summary

A previously undocumented Chinese threat actor, CL-UNK-1068, has been targeting critical infrastructure in South, Southeast, and East Asia since at least 2020. The campaign, attributed to cyber espionage with moderate-to-high confidence, has affected sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. The attackers use a mix of custom malware, open-source utilities, and LOLBINs to maintain persistence and exfiltrate data. The group employs tools like Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP) to target both Windows and Linux environments. They exploit web servers to deliver web shells, move laterally, and steal sensitive files. The attackers also use Mimikatz and other tools to dump passwords and extract credentials.

Timeline

  1. 09.03.2026 09:21 · 1 article

    CL-UNK-1068 Exploits Web Servers and Uses Mimikatz in Asian Cyber Espionage Campaign

    Since at least 2020, CL-UNK-1068 has been targeting critical infrastructure in South, Southeast, and East Asia. The group uses a mix of custom malware, open-source utilities, and LOLBINs to maintain persistence and exfiltrate data. They exploit web servers to deliver web shells, move laterally, and steal sensitive files. The attackers also use Mimikatz and other tools to dump passwords and extract credentials, indicating a strong focus on cyber espionage.
Information Snippets