According to security researchers at Unit 42 (Palo Alto Networks), the campaign targets organizations in aviation, energy, government, law enforcement, technology, and telecommunications sectors.
Experts believe the group's main goal is espionage, collecting sensitive data from strategic targets, though financially motivated activity cannot be ruled out.
CL-UNK-1068 uses a mixture of custom malware, open-source tools, and living-off-the-land binaries (LOLBINs) to infiltrate both Windows and Linux systems.
The attackers typically gain initial access through web shells such as GodZilla and AntSword, which are popular among Chinese threat actors for remote administration.
Once inside, they use DLL side-loading: a legitimate Python executable (python.exe) is abused to load a malicious payload (python20.dll) into memory, so the malware runs inside a trusted process without triggering traditional antivirus detections.
For lateral movement, CL-UNK-1068 deploys a custom Go-based scanner called ScanPortPlus to identify networked devices and open ports that may be vulnerable.
To maintain long-term persistence, the group relies on a modified Fast Reverse Proxy (FRP) tool containing Chinese-language identifiers and a distinct authentication token named frpforzhangwei.
On Linux servers, the attackers deploy the Xnote backdoor, which supports Distributed Denial-of-Service (DDoS) operations and command-and-control (C2) communication over UDP and TCP SYN traffic.
The group also focuses heavily on credential theft and data exfiltration. They compress configuration files with WinRAR, encode the archive as Base64, and print the resulting text directly to the terminal, avoiding file transfers that would be more likely to raise alerts.
Researchers have also observed the use of tools like Mimikatz, DumpIt, and LsaRecorder to extract credential data directly from memory.
Threat actors have been observed using a combination of offensive tools for intrusion and persistence.
Web shells GodZilla and AntSword are typically deployed to gain initial access and enable lateral movement across compromised servers.
In some cases, python.exe is abused through DLL side-loading, using a malicious python20.dll to execute shellcode directly in memory.
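As an added, defender-side illustration that is not part of the original article or the Unit 42 research: the two heuristics below flag (1) python.exe loading a python<NN>.dll that is unsigned or sits outside the standard install roots, which is how the side-loading of python20.dll described above would surface in Sysmon ImageLoad telemetry, and (2) Base64 runs in captured shell output that decode to a RAR archive, matching the WinRAR-then-Base64 exfiltration step described earlier. The trusted install roots, the record field names and all sample data are assumptions constructed for this example.

```python
import base64
import re

# Known Python install roots (assumption for this example; extend for your own estate).
TRUSTED_ROOTS = (r"c:\program files\python", r"c:\program files (x86)\python",
                 r"\appdata\local\programs\python")
RUNTIME_DLL = re.compile(r"\\python\d+\.dll$", re.IGNORECASE)

def flag_sideload(records):
    """Sysmon-style ImageLoad (Event ID 7) records where python.exe loads a
    python<NN>.dll that is unsigned or lives outside the known install roots."""
    hits = []
    for rec in records:
        image = rec.get("Image", "").lower()
        loaded = rec.get("ImageLoaded", "").lower()
        if not image.endswith("\\python.exe") or not RUNTIME_DLL.search(loaded):
            continue  # only the interpreter loading its runtime DLL is in scope
        unsigned = rec.get("Signed", "").lower() != "true"
        untrusted_path = not any(root in loaded for root in TRUSTED_ROOTS)
        if unsigned or untrusted_path:
            hits.append(rec)
    return hits

# Base64 of the 6 header bytes shared by RAR4 (Rar!\x1a\x07\x00) and RAR5 (Rar!\x1a\x07\x01\x00).
RAR_B64 = base64.b64encode(b"Rar!\x1a\x07").decode()  # "UmFyIRoH"
B64 = r"[A-Za-z0-9+/]"
# prefix, at least two more full quartets, then an optional padded final quartet
B64_RUN = re.compile(f"{RAR_B64}(?:{B64}{{4}}){{2,}}(?:{B64}{{2}}==|{B64}{{3}}=)?")

def find_base64_rar(text):
    """(offset, decoded_length) of base64 runs in captured shell output that decode
    to a RAR archive. Catches whole-file encodings (archive at offset 0 only)."""
    found = []
    for m in B64_RUN.finditer(text):
        raw = base64.b64decode(m.group(0), validate=True)  # length is a multiple of 4 by construction
        if raw.startswith(b"Rar!\x1a\x07"):  # sanity check on the decoded bytes
            found.append((m.start(), len(raw)))
    return found

# Constructed samples (not real telemetry or captured output).
SAMPLE_LOADS = [
    {"Image": r"C:\Program Files\Python311\python.exe",
     "ImageLoaded": r"C:\Program Files\Python311\python311.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\svc\python.exe",
     "ImageLoaded": r"C:\ProgramData\svc\python20.dll", "Signed": "false"},
]
FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 12  # header bytes only, not a real archive
SAMPLE_OUTPUT = "C:\\inetpub\\wwwroot> type cfg.b64\n" + base64.b64encode(FAKE_RAR).decode() + "\n"
if __name__ == "__main__":
    print(flag_sideload(SAMPLE_LOADS), find_base64_rar(SAMPLE_OUTPUT))
```

The path heuristic is a plain substring check, so tune TRUSTED_ROOTS to your own deployment before relying on it.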
Organizations should also:
This ongoing espionage activity underscores the growing sophistication of China-linked cyber operations targeting Asia’s vital infrastructure.
The post Chinese-Linked CL-UNK-1068 Espionage Campaign Targets Critical Infrastructure Across Asia appeared first on Cyber Security News.