← All Threat Actors
Threat Actor Profile

CL-STA-1009

No known aliases in database
▲ High Threat
Airstalk Supply Chain Campaign
Origin China
Sponsor Chinese Government
Motivation Cyber Espionage

Target Sectors

Business Process Outsourcing (BPO) entities Managed Service Providers (MSPs) Critical Vendors Downstream Corporate Clients

Known TTPs

Supply Chain Compromise
Abuse of AirWatch/Workspace ONE Unified Endpoint Management API for covert C2
Data exfiltration via MDM blob storage (/api/mam/blobs/uploadblob)
Browser data theft (Cookies, History, Bookmarks) from Chrome, Edge, and Island Browser
Screen capture for intelligence gathering
Use of stolen digital certificates for binary signing
PE timestamp manipulation for defense evasion
Multi-threaded C2 communication protocol
Persistence via scheduled tasks

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD