A newly discovered malware named Airstalk has sent ripples through the cybersecurity community after researchers linked it to a suspected state-backed threat group. Leveraging enterprise management tools in unexpected ways, the malware’s stealth, scale, and sophistication expose the growing fragility of third-party ecosystems — particularly those that underpin the global outsourcing industry.
A New Actor in the Cyber Shadows
A suspected nation-state threat actor has been connected to Airstalk, a newly identified malware campaign that experts say represents a striking evolution in supply chain espionage. According to Palo Alto Networks’ Unit 42, which is tracking the threat cluster under the moniker CL-STA-1009, the malware appears designed to exploit enterprise software environments rather than directly attack individual systems.
What distinguishes Airstalk is its misuse of AirWatch, now known as VMware’s Workspace ONE Unified Endpoint Management (UEM) — a legitimate tool used by corporations to monitor and manage mobile devices. By repurposing its APIs, attackers have turned a standard management feature into a covert command-and-control (C2) channel capable of stealing sensitive data while evading detection.
Security researchers Kristopher Russo and Chema Garcia of Unit 42 noted that Airstalk “uses the API to establish a covert C2 channel primarily through the AirWatch feature to manage custom device attributes and file uploads,” allowing the attackers to operate within trusted corporate networks with alarming ease.
Anatomy of the Malware: Two Faces of Airstalk
Unit 42’s investigation reveals that Airstalk exists in two main variants — one written in PowerShell, the other in .NET. Each version communicates with its C2 server through multi-threaded protocols and can capture screenshots, harvest browser cookies, bookmarks, and history, and even exfiltrate files from enterprise browsers such as Google Chrome, Microsoft Edge, and Island, a workplace-focused browser increasingly adopted by BPOs and IT service firms.
The PowerShell version relies on the “/api/mdm/devices/” endpoint within AirWatch’s framework, effectively disguising its traffic as routine management queries. The .NET variant, however, is more advanced — featuring expanded functions, stronger persistence mechanisms, and commands that mimic legitimate enterprise tools, including “AirwatchHelper.exe.”
The malware’s arsenal includes commands like Screenshot (to capture displays), UpdateChrome (to exfiltrate browser profiles), EnterpriseChromeProfiles (to fetch Chrome user data), and UploadFile (to send stolen credentials). Other tasks — such as OpenURL and Uninstall — allow attackers to execute commands remotely and erase their presence afterward.
Inside the Operation: Persistence and Precision
Once activated, Airstalk establishes contact with its remote operator by sending a “CONNECT” message, waiting for confirmation, and then receiving a set of “ACTIONS” from its C2 server. The malware performs the instructions — whether taking screenshots, fetching cookies, or mapping directories — before responding with a “RESULT” message.
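Because the C2 channel described above rides on legitimate MDM API calls (custom device attribute writes and file uploads under “/api/mdm/devices/”), network signatures on the traffic itself are of limited use; what stands out is the cadence and the payload size of those writes. The following is an added detection example written for this article, not code from Unit 42 or from the Airstalk samples. The access-log format, the client addresses, the device id, the sub-paths “customattributes” and “files”, and the thresholds are all constructed assumptions for illustration, not the documented Workspace ONE API or any published Unit 42 logic.

```python
"""Heuristic detector for C2-style abuse of an MDM device API (added example).

Assumptions (constructed for this example, not taken from the article or Unit 42):
  - a reverse proxy in front of the MDM API logs "<ISO ts> <client> <method> <path> <bytes>"
  - attribute writes land on /api/mdm/devices/<id>/customattributes
  - file uploads land on /api/mdm/devices/<id>/files
Legitimate management writes a few attributes rarely and with tiny values; a
covert channel polls at a fixed cadence and stuffs messages into the value.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: 10.0.5.44 beacons every 30 s with ~5 KB attribute
# values and one file upload; 10.0.5.21 is an admin doing normal work.
SAMPLE_LOG = """\
2024-06-10T09:00:01Z 10.0.5.21 GET /api/mdm/devices/search?user=alice 812
2024-06-10T09:00:05Z 10.0.5.44 PUT /api/mdm/devices/1234/customattributes 96
2024-06-10T09:00:35Z 10.0.5.44 PUT /api/mdm/devices/1234/customattributes 5120
2024-06-10T09:01:05Z 10.0.5.44 PUT /api/mdm/devices/1234/customattributes 4870
2024-06-10T09:01:35Z 10.0.5.44 PUT /api/mdm/devices/1234/customattributes 5011
2024-06-10T09:02:05Z 10.0.5.44 POST /api/mdm/devices/1234/files 131072
2024-06-10T09:02:35Z 10.0.5.44 PUT /api/mdm/devices/1234/customattributes 4990
2024-06-10T09:15:00Z 10.0.5.21 PUT /api/mdm/devices/1234/customattributes 64
2024-06-10T10:30:00Z 10.0.5.21 GET /api/mdm/devices/1234 2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) (\S+) (\d+)$")
WRITE_PATH_RE = re.compile(r"^/api/mdm/devices/(\d+)/(customattributes|files)\b")


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    device_id: str
    kind: str      # "customattributes" or "files"
    size: int      # request body bytes


def parse_events(log_text):
    """Keep only write events (attribute writes and file uploads)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, path, size = m.groups()
        w = WRITE_PATH_RE.match(path)
        if not w or method not in ("PUT", "POST"):
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, client, method, w.group(1), w.group(2), int(size)))
    return events


def find_suspicious(events, window=timedelta(minutes=5), min_writes=4, max_attr_bytes=1024):
    """Flag (client, device) pairs whose write pattern looks like a covert channel.

    Two independent signals: a burst of writes inside a short window (polling
    cadence) and attribute values far larger than any real device attribute.
    A file upload only counts as corroboration once another signal fired.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.client, e.device_id)].append(e)

    alerts = []
    for (client, dev), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []
        # Sliding window over timestamps: report the first window that fills up.
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= min_writes:
                reasons.append(f"{end - start + 1} writes within {window}")
                break
        oversized = [e for e in evs if e.kind == "customattributes" and e.size > max_attr_bytes]
        if oversized:
            reasons.append(f"{len(oversized)} oversized attribute writes")
        uploads = [e for e in evs if e.kind == "files"]
        if uploads and reasons:
            reasons.append(f"{len(uploads)} file uploads alongside attribute traffic")
        if reasons:
            alerts.append({"client": client, "device_id": dev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this flags only 10.0.5.44 against device 1234, on all three grounds, while the administrator's single small attribute write passes. In a real deployment the thresholds should be tuned against a baseline of the MDM console's own write rate, and the device id should be pivoted into the endpoint's process telemetry to check which binary made the call.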
Researchers found that the malware is digitally signed using a likely stolen certificate from Aoteng Industrial Automation (Langfang) Co., Ltd., lending an air of legitimacy that helps it slip past many endpoint detection systems. The earliest compiled versions date to June 2024, suggesting a long-running and well-funded operation.
Interestingly, while the PowerShell variant schedules tasks to maintain persistence, its .NET counterpart operates more discreetly — possibly relying on lateral movement through enterprise APIs or third-party systems to remain active.
BPOs in the Crosshairs: The Next Supply Chain Weak Link
Analysts warn that Airstalk’s targeting of enterprise browsers and reliance on vendor environments indicate a broader supply chain strategy. Business Process Outsourcing (BPO) companies — which handle client data across industries — may represent an especially lucrative entry point.
“The evasion techniques employed by this malware allow it to remain undetected in most environments,” researchers said. “This is particularly disastrous for organizations that use BPO because stolen browser session cookies could allow access to a large number of their clients.”
Unit 42’s report underscores a troubling trend: attackers are investing heavily in infiltrating service providers rather than end clients. By compromising one vendor, they can quietly observe — and potentially exploit — dozens of interconnected systems.
As Russo put it, “Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely.”
In the age of interconnected enterprise ecosystems, Airstalk may signal a deeper vulnerability in how corporations outsource trust — and how unseen actors can now weaponize that trust from within.
