A suspected nation-state threat actor is behind the distribution of a new malware named Airstalk, deployed in what researchers believe is a supply chain attack. The cybersecurity firm Palo Alto Networks Unit 42 is tracking the activity cluster under the designation CL-STA-1009. The “STA” in the name indicates a state-backed motivation behind the campaign.
The malware, appearing in both PowerShell and .NET variants, is designed to establish a covert communications channel by abusing a legitimate enterprise tool. Researchers have confirmed that Airstalk targets mobile device management (MDM) systems to carry out its objectives.
Airstalk’s C2 Mechanism and Variants
According to an analysis by security researchers Kristopher Russo and Chema Garcia, Airstalk’s core functionality involves the misuse of the AirWatch API for MDM, which is now part of VMware’s Workspace ONE Unified Endpoint Management platform. The malware leverages the API to establish a covert command-and-control (C2) channel with its operators. Specifically, it uses the AirWatch feature designed to manage custom device attributes and file uploads to communicate and receive commands. This technique allows the malware to blend its malicious traffic with legitimate MDM activity, making it harder to detect.
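The detection angle on the mechanism just described is that a beacon riding on custom device attributes looks different from administrative use of the same feature: it writes to an attribute far more often than any admin would, and the values it writes are opaque encoded blobs rather than short asset tags or status strings. The following Python is an added example, not code from Unit 42 or from the article, and it runs over constructed audit events whose field names (`ts`, `device`, `action`, `attribute`, `value`) and action strings are assumptions for illustration, not the AirWatch / Workspace ONE audit schema. It flags a device when its custom-attribute updates burst within a short window or when the written value is a long, high-entropy base64 string.

```python
"""Baseline detection for C2-style abuse of MDM custom device attributes.

Added example with a hypothetical log format; the event fields and action
names are assumptions, not the vendor's real audit schema.
"""
from base64 import b64decode, b64encode
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from math import log2


def _blob(seed: int, length: int = 96) -> str:
    """Deterministic stand-in for an encrypted beacon payload (constructed)."""
    x = seed * 2654435761 + 1
    out = bytearray()
    for _ in range(length):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF  # simple LCG, high byte only
        out.append(x >> 24)
    return b64encode(bytes(out)).decode()


# Constructed MDM audit events. dev-001 is normal admin activity: two asset-tag
# edits hours apart plus a routine check-in.
SAMPLE_EVENTS = [
    {"ts": "2025-10-30T09:00:00", "device": "dev-001",
     "action": "custom_attribute.update", "attribute": "AssetTag", "value": "FIN-4471"},
    {"ts": "2025-10-30T09:05:00", "device": "dev-001",
     "action": "device.checkin", "attribute": None, "value": None},
    {"ts": "2025-10-30T13:00:00", "device": "dev-001",
     "action": "custom_attribute.update", "attribute": "AssetTag", "value": "FIN-4472"},
]
# dev-002 writes an opaque blob to one attribute every 45 seconds: the shape a
# beacon polling and posting through the attribute store would leave behind.
SAMPLE_EVENTS += [
    {"ts": (datetime(2025, 10, 30, 9, 0) + timedelta(seconds=45 * i)).isoformat(),
     "device": "dev-002", "action": "custom_attribute.update",
     "attribute": "Status", "value": _blob(i)}
    for i in range(8)
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * log2(c / n) for c in counts.values())


def looks_like_encoded_blob(value, min_len: int = 64, min_entropy: float = 4.5) -> bool:
    """True for long, strictly valid base64 strings with high character entropy."""
    if not isinstance(value, str) or len(value) < min_len:
        return False
    try:
        b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return shannon_entropy(value) >= min_entropy


def detect_attribute_c2(events, window_minutes: int = 10, max_updates: int = 5):
    """Return sorted, deduplicated (device, reason) alerts.

    reasons: 'encoded_value'  - an attribute value that looks like an opaque blob
             'update_burst'   - >= max_updates attribute writes inside the window
    """
    alerts = set()
    updates = defaultdict(list)
    for ev in events:
        if ev["action"] != "custom_attribute.update":
            continue
        updates[ev["device"]].append(datetime.fromisoformat(ev["ts"]))
        if looks_like_encoded_blob(ev["value"]):
            alerts.add((ev["device"], "encoded_value"))

    window = timedelta(minutes=window_minutes)
    for device, stamps in updates.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= max_updates:
                alerts.add((device, "update_burst"))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for device, reason in detect_attribute_c2(SAMPLE_EVENTS):
        print(f"ALERT {device}: {reason}")
```

Both signals are deliberately cheap so they can run over an MDM audit export in bulk; the thresholds (64-character minimum, 4.5 bits of entropy, five writes per ten minutes) are starting points to tune against a tenant's real baseline, since some organisations do store longer structured values in custom attributes. Pairing the two reasons on the same device, as happens for `dev-002` here, is the stronger indicator.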
Data Exfiltration Capabilities
Once deployed on a compromised system, Airstalk is equipped with significant data harvesting capabilities. The malware utilizes a multi-threaded command-and-control communication protocol to efficiently manage its operations. Its primary functions include capturing screenshots of the user’s desktop and exfiltrating sensitive information directly from web browsers. The harvested data includes browser cookies, browsing history, saved bookmarks, and additional screenshots, providing the attackers with a comprehensive view of the victim’s online activities and potentially enabling further compromises or credential theft. This focus on browser data highlights the threat actor’s objective of gathering detailed intelligence from its targets.
Source: https://thehackernews.com/2025/10/nation-state-hackers-deploy-new.html