CL-UNK-1068 years-long espionage campaign targeting Asian organizations
Campaign
Summary
Hide ▲
Show ▼
A Chinese threat actor is linked to a years-long espionage campaign against high-value organizations in South, Southeast, and East Asia, creating persistent risk for critical sectors. The operation, tracked as CL-UNK-1068, has hit aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications organizations. Attackers used web-server exploitation, web shells, lateral movement, and credential theft to maintain access and steal sensitive files. The activity includes data exfiltration and is assessed as primarily driven by cyber espionage.
Related Happenings
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
About this happening:
**StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
StealC and Amadey infostealer infrastructure disruption
Malware ActivityAbout this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
Operation Endgame takedown of Amadey and StealC infrastructure
Law Enforcement
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Operation Endgame takedown of Amadey and StealC infrastructure
Law EnforcementAbout this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
OP-512 Microsoft IIS espionage campaign
Campaign
H score52
First: 05.06.2026 15:33
Last: 05.06.2026 15:33
Sources 1
About this happening:
**OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
OP-512 Microsoft IIS espionage campaign
CampaignAbout this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Campaign
H score56
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
CampaignAbout this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
Interpol Operation Ramz cybercrime crackdown in MENA
Law Enforcement
H score33
First: 18.05.2026 17:00
Last: 18.05.2026 17:00
Sources 1
About this happening:
**INTERPOL**-led **Operation Ramz** disrupted **Sniper Dz**, a decade-long **phishing-as-a-service (PhaaS)** platform, during **October 2025-February 2026**. Authorities in **13 M...
Interpol Operation Ramz cybercrime crackdown in MENA
Law EnforcementAbout this happening: **INTERPOL**-led **Operation Ramz** disrupted **Sniper Dz**, a decade-long **phishing-as-a-service (PhaaS)** platform, during **October 2025-February 2026**. Authorities in **13 M...
Timeline
-
09.03.2026 09:21 2 articles · 4mo ago
CL-UNK-1068 campaign disclosed by Palo Alto Networks Unit 42
Initial DisclosurePalo Alto Networks Unit 42 attributes a years-long campaign to a previously undocumented threat activity group called CL-UNK-1068, saying a Chinese threat actor targeted high-value organizations in South, Southeast, and East Asia across aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors. The activity uses web-server exploitation, web shells, lateral movement, DLL side-loading through python.exe and pythonw.exe, FRP, Xnote, Godzilla, ANTSWORD, WinRAR, certutil -encode, and credential theft tools such as Mimikatz, LsaRecorder, DumpItForLinux, Volatility Framework, and the SQL Server Management Studio Password Export Tool, with Unit 42 assessing cyber espionage as the primary objective.
Show sources
- Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure — thehackernews.com — 09.03.2026 09:21
- Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure — thehackernews.com — 09.03.2026 09:21