【CyCraft Monthly Intelligence】CL-UNK-1068: Persistent Cyber Espionage Targeting Asian Critical Infrastructure

Threat and Impact

Since 2020, CL-UNK-1068 has consistently targeted high-value organizations across South, Southeast, and East Asia. According to reports from Unit 42, their operations span across multiple critical sectors, including aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications. Although the group has not yet been attributed to a specifically numbered threat actor, current intelligence indicates that the operators are native Chinese speakers. We assess with medium-to-high confidence that their primary motivation is cyber-espionage.

Analyst Perspective

The threat posed by CL-UNK-1068 is significant for several reasons:

  1. Persistence: This is not a series of isolated intrusions, but a multi-year, sustained operation targeting strategically important industries.
  2. Cross-Platform Versatility: The attackers have demonstrated the ability to operate fluidly in both Windows and Linux environments.
  3. Advanced Toolset: By blending custom malware, modified open-source tools, Web Shells, and legitimate system tools, the attackers remain undetected and maintain persistent access to target environments.

Incident Description

The primary objective of this campaign is to gain a comprehensive map of victim environments and maintain long-term access to sensitive systems. After gaining an initial foothold, the attackers exfiltrate web application configuration files, credentials, browser data, sensitive spreadsheets/CSV files, SQL-related information, and MSSQL backup files. Such data breaches can expose internal infrastructure details, privileged access pathways, commercially sensitive records, and critical information protected by regulatory frameworks.

The breadth of the targeted sectors suggests broader strategic implications: compromises of government and law enforcement organizations could leak internal communications, operational data, or investigative intelligence; infiltration of energy, aviation, and telecom operators grants attackers deep insight into critical infrastructure, OT dependencies, and regional communication networks; and the theft of proprietary technology or research data from pharmaceutical and technology organizations results in intellectual property loss and severely undermines long-term competitive advantages.

A successful breach also increases the risk of subsequent compromises. Security researchers have observed attackers harvesting credentials, exfiltrating passwords, and extracting stored access information from system administration and database tools. This means a single intrusion can facilitate lateral movement into other servers, database systems, and remote management pathways. While the current impact is primarily data theft, the leakage and secondary exploitation of stolen credentials creates a long-term exposure crisis that is difficult to remediate.

Furthermore, CL-UNK-1068 raises concerns regarding systemic resilience and hidden attack surfaces. While intelligence gathering appears to be the primary goal, some tools used—such as the Xnote Linux backdoor—possess capabilities for tunneling, reverse Shells, port forwarding, and even DDoS attacks. Should the attackers choose to pivot their objectives, the potential for operational disruption would far exceed the current scope.

To conclude, the sustained targeting, stealthy tactics, and data-leaking capabilities of CL-UNK-1068 represent a significant threat to national security, public utilities, and enterprise risk management.

Technical Details

The technical distinction of CL-UNK-1068 lies not in the use of a single custom malware family, but in its disciplined orchestration of Web Shells, DLL side-loading, tunneling tools, credential harvesters, and "Living off the Land" (LotL) techniques across both Windows and Linux environments. The intrusions typically originate from repeated compromises of Internet-facing systems—specifically web infrastructure—followed by low-profile internal expansion. After establishing an initial foothold via Web Shells, the actors leverage trusted system executables, in-memory payload execution, custom reconnaissance scripts, credential dumping, and reverse proxies to deepen access, move laterally, and stealthily exfiltrate sensitive data.

Initial Access

Initial access is primarily achieved by deploying Web Shells on Internet-facing servers. Attackers utilize variants of GodZilla and AntSword to establish a foothold; these Web Shells provide remote code execution (RCE) capabilities that serve as the foundation for subsequent intrusion phases. While intelligence does not fully detail every vulnerability path used for deployment, these compromises are linked to the exposure of web infrastructure. In some instances, custom Python executables are observed attempting to exploit CVE-2023-34048 (a VMware vCenter Server vulnerability).

Execution

Execution is highly flexible, utilizing both malware and legitimate system tools—most notably DLL side-loading via legitimate Python executables. Attackers place a legitimate python.exe or pythonw.exe in the same directory as a malicious DLL named python20.dll and a shellcode file (named to mimic a Python executable for obfuscation). When the trusted Python executable is launched, it side-loads the malicious DLL, which then performs the following:

  1. Read the obfuscated Shellcode from the disk.
  2. Deobfuscate the code in memory.
  3. Execute the Shellcode within the legitimate Python process.
  4. Fully decrypt and launch the final payload in memory.

This chain allows the attacker to hide tool execution within legitimate processes and significantly reduces the digital footprint left on the disk. Payloads launched via this method include:

  • Tunneling and persistent access: FRP
  • Privilege escalation: PrintSpoofer
  • Internal scanning: ScanPortPlus

Beyond the side-loading chain, the attackers directly execute tools such as:

  • SuperDump
  • Batch scripts: hp.bat, hpp.bat, a.bat
  • Credential Theft: Mimikatz, LsaRecorder, DumpIt, Volatility, ssms.exe
  • Privilege escalation: PrintProgram, srunas.exe, Sliver, PwnKit
  • Linux systems: Xnote
  • Database interaction: usql

Persistence

This campaign employs several persistence mechanisms. First, deployed Web Shells provide persistent access to compromised web servers, allowing attackers to return and execute commands at will. Second, custom FRP variants are used on both Windows and Linux to establish long-term reverse tunnels that bypass firewall restrictions. These samples contain unique embedded identifiers:

  • Auth key: frpforzhangwei
  • Proxy names: 10014-win-nic-32-v, 20012-linux-64-V, 10013-linux-64-V
  • Shared password: f*ckroot123

Even when direct access is restricted, these tunnels offer attackers a flexible means of entry.

Third, on Linux, the Xnote backdoor provides reverse Shell, file interaction, port forwarding, and tunneling capabilities, serving as both a backdoor and a persistence mechanism.

Lastly, in some cases, the custom PrintProgram tool is used to write Web Shells with elevated privileges, reinforcing the attacker's foothold and persistence.

Privilege Escalation

After gaining initial access, attackers utilize multiple escalation paths. On Windows, they use PrintSpoofer and its custom .NET variant, PrintProgram. Uniquely, PrintProgram is used both for escalation and for writing Web Shells under higher privilege contexts. They also use srunas.exe, a custom tool that duplicates access tokens from other processes to execute programs with higher authority.

Another observed tool is the Sliver implant, used as a privilege escalation Shell. It attempts to locate privileged processes like spoolsv.exe or lsass.exe and uses Parent ID spoofing to spawn cmd.exe as a child of these processes.

On Linux, they deploy PwnKit to exploit CVE-2021-4034 for local privilege escalation.

Defense Evasion

Defense evasion is central to the CL-UNK-1068 tradecraft. The most prominent example is the Python DLL side-loading chain, which abuses trusted executables to launch malicious code. By decrypting and executing payloads entirely in memory, they minimize disk artifacts and blend into legitimate process activities. Attackers also use obfuscated shellcode and batch scripts to clear Windows Event Logs via wevtutil. Furthermore, custom Python executables used for exploiting CVE-2023-34048 are compiled with Nuitka, likely to frustrate reverse engineering efforts.

Credential Access

Attackers use Mimikatz to pull passwords from memory and deploy LsaRecorder (which hooks LsaApLogonUserEx2 callbacks) to capture login passwords in real-time as they occur. They also use DumpIt and Volatility to capture system memory and extract:

  • NTLM password hashes (via windows.hashdump)
  • LSA keys (via windows.registry.lsadump.Lsadump)
  • Cached domain credentials (via windows.registry.cachedump.Cachedump).

In some cases, batch scripts can automate the aforementioned workflow.

Database credentials are also a target: the ssms.exe tool extracts stored connection info from sqlstudio.bin. Stolen configuration files like web.config and appsettings.json are harvested for connection strings and service credentials. Additionally, exported settings for RDP, VNC, and SSH are used to find stored credentials or pivot to systems where passwords might be reused.

Attackers also use scripts via Web Shells to access SAM and SYSTEM registry hives using reg save, supporting offline credential extraction.

Discovery

Upon establishing a foothold, attackers perform systematic, deep reconnaissance to map the local system, identify privileged users, and locate high-value data.

In the early phase, the custom .NET tool SuperDump collects extensive telemetry, including user info, IP addresses, running processes, installed software, and LSASS dumps. It specifically targets tools like Navicat, WinSCP, RDP, PuTTY, FileZilla, Xmanager, SSH info, PowerShell history and latest program records to reveal administrator habits or additional access paths.

Later, discovery shifts to batch scripts (via hp.bat, hpp.bat, and sometimes a.bat) that run native commands to enumerate the following information:

  • Logged-in users and local accounts
  • Members of the Administrators group
  • Network configurations and DNS cache
  • Active connections and running processes
  • Installed software
  • Disk and file system details
  • IIS configurations, including websites, virtual directories, application pools, applications, and modules
  • Successful logon events from Windows Security Logs
  • Loaded user profiles and SIDs.

Attackers also export registry data associated with PuTTY, RDP, RealVNC, and TightVNC to identify previously accessed servers and, in some cases, recover stored credentials. This is a highly efficient method for mapping internal infrastructure based on the administrator's own connection history.

At the network level, attackers utilize ScanPortPlus, a custom scanning tool developed in Go (compiled for both Windows and Linux). This tool supports IP, port, and vulnerability scanning, enabling them to identify additional high-value targets and services following the initial breach.

The threat actors simultaneously exfiltrate website and application files. Harvesting web.config, .aspx, .asmx, .asax, .dll, and JSON files like appsettings.json from c:\inetpub\wwwroot exposes application architectures, internal paths, hard-coded credentials, connection strings, and backend database relationships. This information helps attackers determine which systems host sensitive services and where lateral movement would be most effective.

In summary, by employing a multi-layered combination of tool automation, scripted enumeration, registry mining, and active network scanning, the attackers establish a comprehensive view of the internal environment. This lays the groundwork for subsequent lateral movement, credential theft, and data exfiltration.

Lateral Movement

Following initial access, attackers move laterally to other hosts and SQL servers using:

  • Credentials extracted from configuration files such as web.config and appsettings.json
  • Host and network maps generated through SuperDump and batch script reconnaissance
  • Remote access paths discovered within data related to RDP, PuTTY, RealVNC, and TightVNC
  • Internal scanning conducted via ScanPortPlus
  • Tunneling and proxying via FRP
  • Linux reverse proxying and port forwarding through Xnote, specifically leveraging its 12CPortMapTask and 13CNewProxyTask functions.

A batch script is also used to weaken RDP security by disabling Network Level Authentication (NLA), possibly enabling lateral movement to other systems.

Collection

The attackers collect vast amounts of data related to espionage and future access. Their initial collection targets were typically website files located in c:\inetpub\wwwroot, including:

  • web.config
  • .aspx, .asmx, .asax, .dll
  • .json, including appsettings.json.

These files were archived under names such as web.rar, web1.rar, and web2.rar.

Additionally, they collect:

  • Browser history and bookmarks
  • Sensitive .xlsx and .csv files from the desktop and user directories
  • MSSQL .bak database backup files
  • Host telemetry data and registry exports generated by reconnaissance scripts
  • SQL-related data (potentially accessed via usql)
  • Saved SSMS connection information retrieved from sqlstudio.bin

The batch script workflow also produced multiple .txt and .db outputs, which were then archived as host.rar using rar.bat or rr.bat.

Command and Control (C2)

This incident involved a variety of C2 mechanisms.

The most straightforward method utilizes Web Shells, which allow operators to issue remote commands and receive output directly from the compromised servers. To achieve more persistent and flexible control, the attackers deploy customized FRP executables to establish reverse proxy tunnels. These tunnels effectively bypass firewalls and extend C2 access deeper into the victim's network.

On Linux systems, Xnote provides further C2 capabilities, including:

  • Reverse Shell (10CShellTask)
  • Reverse Proxy/Tunneling (13CNewProxyTask)
  • Port Forwarding (12CPortMapTask)

Together, these mechanisms enable the attackers to maintain interactive control over systems within isolated or restricted network environments.

Exfiltration

Instead of direct file transfers, attackers often use a three-step stealth exfiltration method:

  1. Archive files using WinRAR.
  2. Base64-encode the archive using certutil -encode.
  3. Print the encoded content to the screen via the web shell using the type command.

This enables them to exfiltrate data through existing shell output streams, eliminating the need to upload files via independent transfer mechanisms. This low-friction approach is ideal for restricted environments where only shell access is available and likely aided in evading certain network-based detection mechanisms.

This technique is utilized to exfiltrate archived website files and the sqlstudio.bin file. Other exfiltrated data include browser-related information, spreadsheets, CSV files, MSSQL backups, and SQL data likely accessed directly via usql.

Impact

The Xnote Linux backdoor includes DDoS capabilities, supporting attack tasks such as CC, NTP, SYN flooding, and UDP flooding. While the report does not indicate that these features are actively used against the victim, the capabilities are present.

The attackers also performed log clearing using wevtutil, which hinders forensic visibility and incident response efforts. Additionally, they weaken RDP security by disabling NLA (Network Level Authentication), degrading the security posture of the affected systems. The use of PrintProgram to drop privilege-escalated Web Shells further compromises system integrity by strengthening the attackers' control.

From a technical perspective, this incident is driven by the compromise of exposed web infrastructure, followed by stealthy post-exploitation via Web Shells, Python DLL side-loading, credential theft, internal scanning, reverse tunneling, and low-noise exfiltration methods. The attackers' success stems from a chain of simple yet highly effective techniques: abusing trusted processes, in-memory payload execution, large-scale host discovery, credential harvesting, and the creative use of native tools to exfiltrate data without leaving a conspicuous transmission footprint.

Mitigation

Defending against the threat of CL-UNK-1068 cannot rely on blocking a few indicators of compromise (IOCs) alone. The attack patterns revealed in this campaign represent a long-term, cross-platform methodology reliant on Web Shells, credential theft, DLL side-loading, tunneling, privilege escalation, and covert exfiltration. Because the attackers frequently leverage legitimate tools and common system utilities, organizations must prioritize hardening, attack surface reduction, and behavioral-based detection across both Windows and Linux environments.

1. Reduce Exposure of Internet-Facing Systems

The primary task is to shrink the attack surface of externally accessible services. Reports indicate that attackers likely abused public-facing web infrastructure and attempted to exploit vulnerabilities in VMware vCenter Server, including CVE-2023-34048.

  • Patching: Immediately patch Internet-facing applications, in particular VMware vCenter Server (CVE-2023-34048).
  • Review vCenter, web management interfaces, and database-related services for unnecessary public exposure.
  • Maintain a continuous inventory of external assets and enable alerts for any publicly accessible vCenter systems or critical management services.

The systems most directly affected by these measures include:

  • VMware vCenter services
  • IIS web servers
  • ASP.NET Core and .NET applications, as well as web root directories (e.g., c:\inetpub\wwwroot)
  • Linux-hosted web services

2. Proactively Hunt for Web Shells and Abused Web Content

Since attackers use GodZilla and AntSword variants as primary tools, defenders should inspect web servers for unauthorized files. Focus on:

  • web.config
  • .aspx, .asmx, .asax, .dll
  • .json files (e.g., appsettings.json)

Security teams should verify file integrity, review recent modifications in web directories, and restrict write access to production web roots (e.g., c:\inetpub\wwwroot).
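The integrity check described above can be scripted as a baseline-and-diff over the web root. The following is an added example for this article, not CyCraft's or Unit 42's tooling: it hashes the file types the report names, diffs the live tree against a known-good manifest, and enriches each added or modified file with its modification recency and a coarse content heuristic. The web root layout, the baseline, the marker strings (an assumption to be tuned per site), and the sample files are all constructed.

```python
"""Web-root integrity triage for hunting unauthorized web content.

Added example for this article; it is not CyCraft's or Unit 42's tooling.
Assumptions: the web root is a plain directory tree (e.g. c:\\inetpub\\wwwroot),
a baseline manifest was taken from a known-good deployment, and the content
markers below are only a coarse heuristic for ASP.NET web shells.
"""
import hashlib
import os
import tempfile
import time

# File types the report lists as both web-shell carriers and collection targets.
WATCHED_EXT = {".config", ".aspx", ".asmx", ".asax", ".dll", ".json"}
# Heuristic strings often present in ASP.NET web shells (assumption, tune per site).
SUSPECT_MARKERS = (b"eval(", b"Request.Item", b"Assembly.Load", b"System.Reflection")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> SHA-256 for every watched file."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Files added, removed or changed relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def triage(root, baseline, max_age_days=30, now=None):
    """Diff the live web root against the baseline and enrich every added or
    modified file with its mtime recency and any suspect content markers."""
    current = build_manifest(root)
    delta = diff_manifest(baseline, current)
    now = time.time() if now is None else now
    findings = []
    for rel in delta["added"] + delta["modified"]:
        full = os.path.join(root, rel)
        with open(full, "rb") as f:
            data = f.read()
        findings.append({
            "path": rel,
            "change": "added" if rel in delta["added"] else "modified",
            "recent": (now - os.path.getmtime(full)) / 86400 <= max_age_days,
            "markers": [m.decode() for m in SUSPECT_MARKERS if m in data],
        })
    return delta, findings


def demo():
    """Constructed web root: baseline it, plant post-baseline changes, triage."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("web.config", b"<configuration><connectionStrings/></configuration>")
    put("Default.aspx", b'<%@ Page Language="C#" %><html>hello</html>')
    put("bin/App.dll", b"MZ\x90\x00constructed-benign")
    put("appsettings.json", b'{"Logging": {}}')
    baseline = build_manifest(root)
    # Changes after the baseline: an edited web.config and a new file under an
    # upload directory whose contents are marker strings only (not a real shell).
    put("web.config", b"<configuration><connectionStrings><add name='x'/></connectionStrings></configuration>")
    put("upload/u.aspx", b"<%-- constructed marker-only test file --%> eval( Assembly.Load(")
    return triage(root, baseline)


if __name__ == "__main__":
    delta, findings = demo()
    print(delta)
    for finding in findings:
        print(finding)
```

In production the baseline manifest is taken at deployment time and stored off the web server, so that an attacker with write access to the web root cannot also rewrite the reference hashes; the `recent` flag is what turns a large diff into a short review queue.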

3. Detect Signature Behaviors Rather Than Only Known Malware

Move beyond static indicators to detect these three critical behaviors:

  • Abuse of legitimate python.exe or pythonw.exe to load unexpected side-car DLLs (specifically python20.dll).
  • Deployment of unauthorized FRP tools or suspicious reverse proxies disguised as common services.
  • Execution of custom batch scripts (hp.bat, hpp.bat) involving reconnaissance, archiving, and encoded output.

This means organizations should monitor for the following behaviors:

  • Trusted executables loading unexpected sidecar DLLs, particularly python20.dll
  • FRP or other suspicious reverse proxy executables masquerading as common services
  • Command-line activity involving reconnaissance, archiving, and encoded output
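The behaviors listed in this section, together with the alerts called for later in this Mitigation section (reg save of the SAM and SYSTEM hives, NLA being disabled through the registry, log clearing with wevtutil), can be expressed as predicates over process-creation and image-load events. The following is an added example for this article, not CyCraft's or Unit 42's detection content: it assumes Sysmon-style records (Event ID 1 for process creation, Event ID 7 for image load, with Image, ParentImage, CommandLine and ImageLoaded fields) and runs a small rule set over constructed sample events.

```python
"""Behavior-based rules over Windows process-creation and image-load events.

Added example for this article (not CyCraft's or Unit 42's code). The event
dicts below are constructed Sysmon-style records: EventID 1 = process create,
EventID 7 = image load. Field names mirror Sysmon's.
"""
import ntpath
import re


def _base(path):
    return ntpath.basename(path or "").lower()


def _cmd(ev):
    return (ev.get("CommandLine") or "").lower()


# reg save of the SAM or SYSTEM hive (offline credential extraction).
RE_REG_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+\"?hklm\\(sam|system)\b")
# wevtutil clearing an event log (anti-forensics).
RE_WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b")
# UserAuthentication=0 under the RDP-Tcp WinStation key disables NLA.
RE_NLA_OFF = re.compile(r"winstations\\rdp-tcp.*\buserauthentication\b.*\s/d\s+0\b")
# Script names the report associates with the reconnaissance workflow.
RE_RECON_BAT = re.compile(r"\b(?:hp|hpp|a)\.bat\b")


def rule_python_sideload(ev):
    """python.exe / pythonw.exe loading the side-car DLL python20.dll."""
    return (ev.get("EventID") == 7
            and _base(ev.get("Image")) in {"python.exe", "pythonw.exe"}
            and _base(ev.get("ImageLoaded")) == "python20.dll")


def rule_webserver_shell(ev):
    """An IIS worker process spawning a command shell: a web shell executing commands."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage")) == "w3wp.exe"
            and _base(ev.get("Image")) in {"cmd.exe", "powershell.exe"})


def rule_hive_dump(ev):
    return ev.get("EventID") == 1 and bool(RE_REG_SAVE.search(_cmd(ev)))


def rule_log_clear(ev):
    return ev.get("EventID") == 1 and bool(RE_WEVTUTIL_CLEAR.search(_cmd(ev)))


def rule_nla_disable(ev):
    return ev.get("EventID") == 1 and bool(RE_NLA_OFF.search(_cmd(ev)))


def rule_recon_batch(ev):
    return ev.get("EventID") == 1 and bool(RE_RECON_BAT.search(_cmd(ev)))


RULES = [
    ("python_sideload_python20dll", "high", rule_python_sideload),
    ("webserver_spawned_shell", "high", rule_webserver_shell),
    ("sam_system_hive_dump", "high", rule_hive_dump),
    ("eventlog_cleared_wevtutil", "high", rule_log_clear),
    ("rdp_nla_disabled", "medium", rule_nla_disable),
    ("recon_batch_script_name", "low", rule_recon_batch),
]


def detect(events):
    """Return [(event_index, rule_name, severity), ...] for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, severity, predicate in RULES:
            if predicate(ev):
                hits.append((i, name, severity))
    return hits


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 7, "Image": r"C:\Windows\Temp\pythonw.exe",
     "ImageLoaded": r"C:\Windows\Temp\python20.dll"},
    {"EventID": 7, "Image": r"C:\Python311\python.exe",
     "ImageLoaded": r"C:\Python311\python311.dll"},                      # benign
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c reg save HKLM\SAM C:\inetpub\wwwroot\s.hiv"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\hp.bat"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign
]

if __name__ == "__main__":
    for idx, name, severity in detect(SAMPLE_EVENTS):
        print(f"[{severity}] event {idx}: {name}")
```

The script-name rule is deliberately low severity: file names are trivial to change, whereas a web server worker spawning cmd.exe or python.exe loading python20.dll describes the behavior itself and survives renaming.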

The scope of this mitigation strategy encompasses:

  • Endpoint Detection and Response (EDR) policies
  • Application control settings
  • Command-line logging
  • Windows process creation monitoring
  • Linux process and network telemetry

4. Harden Credential and Privileged Access Management

A critical phase of this incident involves credential theft. The attackers utilize Mimikatz, LsaRecorder, DumpIt, Volatility, and registry dumping via Web Shells, while also harvesting connection histories and saving credentials from tools such as PuTTY, WinSCP, RDP clients, VNC utilities, and SQL Server Management Studio (SSMS).

Organizations should implement the following response measures:

  • Restrict administrative privileges by separating administrative accounts from daily-use accounts.
  • Harden LSASS protection and monitor all access to the LSASS process.
  • Enable alerting for the following behaviors:
    • reg save HKLM\SAM
    • reg save HKLM\SYSTEM
    • Execution of memory dumping tools.
    • Suspicious access to sqlstudio.bin.
  • Audit locations where credentials are stored in cleartext or reversible formats.
  • Rotate passwords and keys immediately if a compromise is suspected.
  • Enforce MFA for all administrative access, remote access, and privileged management interfaces.

The scope of these measures will impact:

  • Domain and local administrator workflows.
  • SQL administration practices.
  • Remote management tools.
  • Service account management and credential storage policies.

5. Strengthen Remote Access Controls

Attackers are observed weakening RDP security by disabling Network Level Authentication (NLA) and collecting remote access data from RDP, PuTTY, RealVNC, and TightVNC. To mitigate this risk, organizations should:

  • Enforce secure RDP configurations and prevent the disabling of NLA.
  • Restrict RDP access to trusted management networks or allow access only via VPN.
  • Audit the use of remote management tools and remove any unauthorized software.
  • Monitor registry modifications that affect Terminal Services and remote access settings.
  • Review stored connection history and credentials on administrator workstations.

The scope of these actions directly impacts:

  • RDP configurations
  • Remote desktop tools
  • Jump boxes and bastion hosts
  • Administrator endpoint settings.

6. Restrict Lateral Movement and Internal Discovery

Attackers conduct large-scale host and network discovery, scan internal systems, and move laterally to SQL servers and other hosts. Defenders can reduce the ease of lateral movement through the following measures:

  • Implement network segmentation for web servers, application servers, SQL servers, and management systems.
  • Restrict east-west traffic to the minimum scope strictly necessary for business operations.
  • Monitor for anomalous internal scanning, port discovery, and vulnerability scanning behaviors.
  • Limit administrative shares and remote execution paths where feasible.
  • Audit trust relationships between web servers and backend databases.

The scope of these mitigation measures affects:

  • Internal firewall policies
  • Network segmentation design
  • Inter-server communication rules
  • SQL server access paths

7. Detect and Block Tunneling and Anomalous Egress

The use of FRP serves as a critical mechanism for persistence and firewall evasion in this attack. Organizations should identify and block unauthorized tunneling and reverse proxy activity through the following measures:

  • Monitor outbound connections initiated to rare or low-prevalence external hosts
  • Detect FRP-like traffic and suspicious reverse proxies
  • Block unapproved tunneling software on servers
  • Review egress controls to ensure web and application servers cannot freely establish arbitrary outbound tunnels.

Linux systems require specific attention, as the report emphasizes the importance of detecting the following behaviors:

  • Unconventional communication between Linux processes and rare external hosts
  • Unconventional access attempts to sensitive files.
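The "rare external host" criterion above is easiest to apply as a prevalence score across the fleet, combined with the process context that EDR network telemetry supplies. The following is an added example for this article, not CyCraft's or Unit 42's code: it scores outbound flows by destination rarity, session length, the originating process, its on-disk location, and FRP's documented default server port. The flow records, the list of server processes, the staging directories, and the scoring weights are constructed assumptions; external addresses use RFC 5737 documentation ranges.

```python
"""Scoring outbound connections for tunnelling / reverse-proxy behavior.

Added example for this article (not CyCraft's or Unit 42's code). It assumes
flow records enriched with the originating process (host, process path,
destination IP/port, duration), as EDR network telemetry or Sysmon/auditd
plus flow logs can provide. The records below are constructed.
"""
import ipaddress
from collections import defaultdict

# Only RFC 1918, loopback and link-local count as internal here (assumption), so
# that the RFC 5737 documentation addresses in the sample are treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Server/worker processes that have no business opening long outbound tunnels (assumption).
SERVER_PROCESSES = {"w3wp.exe", "sqlservr.exe", "httpd", "nginx", "python.exe", "pythonw.exe"}
# Staging directories where dropped tooling typically lives (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\users\\public\\")
FRP_DEFAULT_PORTS = {7000}  # frps's documented default bind port


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_flow(flow, hosts_per_dst, rarity_threshold=3, long_lived_s=1800):
    """Return (score, reasons) for one external flow; internal traffic scores 0."""
    if is_internal(flow["dst_ip"]):
        return 0, []
    score, reasons = 0, []
    if hosts_per_dst[flow["dst_ip"]] <= rarity_threshold:
        score += 2
        reasons.append("rare destination")
    if flow["duration_s"] >= long_lived_s:
        score += 1
        reasons.append("long-lived session")
    exe = flow["process"].lower()
    base = exe.replace("\\", "/").rsplit("/", 1)[-1]
    if base in SERVER_PROCESSES:
        score += 2
        reasons.append("server/worker process egress")
    if exe.startswith(SUSPICIOUS_DIRS):
        score += 2
        reasons.append("binary in staging directory")
    if flow["dst_port"] in FRP_DEFAULT_PORTS:
        score += 1
        reasons.append("FRP default port")
    return score, reasons


def find_anomalous_egress(flows, threshold=3):
    """Prevalence = number of distinct hosts seen talking to each destination;
    every flow scoring at or above the threshold is returned, highest first."""
    hosts_per_dst = defaultdict(set)
    for f in flows:
        hosts_per_dst[f["dst_ip"]].add(f["host"])
    counts = {ip: len(hosts) for ip, hosts in hosts_per_dst.items()}
    findings = []
    for f in flows:
        score, reasons = score_flow(f, counts)
        if score >= threshold:
            findings.append({"host": f["host"], "process": f["process"],
                             "dst": f"{f['dst_ip']}:{f['dst_port']}",
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda x: -x["score"])


SAMPLE_FLOWS = [  # constructed
    {"host": "web01", "process": r"C:\Windows\Temp\pythonw.exe",
     "dst_ip": "203.0.113.10", "dst_port": 7000, "duration_s": 7200},
    {"host": "app-lnx01", "process": "/tmp/.x/frpc",
     "dst_ip": "198.51.100.7", "dst_port": 443, "duration_s": 5400},
    {"host": "web02", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "dst_ip": "10.0.0.5", "dst_port": 1433, "duration_s": 30},         # internal SQL
] + [
    {"host": f"ws{i:02d}", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.200", "dst_port": 443, "duration_s": 45}        # common browsing
    for i in range(40)
]

if __name__ == "__main__":
    for finding in find_anomalous_egress(SAMPLE_FLOWS):
        print(finding)
```

Rarity alone produces noise on workstations, which is why the score leans on the process and path features: a web worker or a binary under /tmp holding an hours-long session to an address nobody else in the fleet contacts is the pattern a reverse tunnel leaves, regardless of the port it uses.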

The scope of these mitigation measures includes:

  • Egress firewall policies
  • Proxy and egress filtering
  • Linux network monitoring
  • Server application whitelisting.

8. Mitigate Covert Exfiltration

The attackers employ a simple yet evasive exfiltration method: archiving files with WinRAR, encoding them using certutil -encode, and printing the Base64 output via a Web Shell using the type command. Organizations should monitor and restrict these behavioral patterns, especially on servers where such operations are non-standard.

High-value detection items include:

  • rar.exe or WinRAR archiving web files, text output, or database-related content.
  • certutil -encode used on archives, backups, or credential-related files.
  • Command shells printing large volumes of Base64 data.
  • Access attempts to the following items:
    • web.config
    • appsettings.json
    • MSSQL .bak files
    • Browser history and bookmarks
    • XLSX and CSV data collections
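The three-step chain described in the Exfiltration section and the first three detection items above are a sequence, so the strongest signal comes from correlating the stages per host within a time window rather than alerting on each command in isolation. The following is an added example for this article, not CyCraft's or Unit 42's code: it assumes process-creation events with Host, Time (ISO 8601), ParentImage and CommandLine fields, as EDR or Sysmon telemetry provides, and also includes a check for the PEM-style wrapper that certutil -encode puts around its Base64 output when it appears in shell output. The sample events are constructed.

```python
"""Detecting the archive -> certutil -encode -> type exfiltration chain.

Added example for this article (not CyCraft's or Unit 42's code). It assumes
process-creation events with Host, Time (ISO 8601), ParentImage and CommandLine
fields; the events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three stages described in the report, as command-line patterns.
STAGES = [
    ("archive", re.compile(r'\b(?:rar|winrar)(?:\.exe)?"?\s+a\b', re.I)),
    ("encode", re.compile(r"\bcertutil(?:\.exe)?\s+(?:-f\s+)?-encode\b", re.I)),
    ("print", re.compile(r"\btype\s+\S+", re.I)),
]
# certutil -encode wraps its Base64 output in a PEM-style certificate header/footer.
PEM_WRAPPED = re.compile(r"-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----")


def classify(cmdline):
    for stage, rx in STAGES:
        if rx.search(cmdline):
            return stage
    return None


def find_exfil_chains(events, window_minutes=60):
    """Per host, report every archive stage that is followed, in order and within
    the window, by an encode stage and then a print stage."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev["CommandLine"])
        if stage:
            by_host[ev["Host"]].append((datetime.fromisoformat(ev["Time"]), stage, ev))
    chains = []
    for host, items in by_host.items():
        items.sort(key=lambda t: t[0])
        for i, (t0, s0, e0) in enumerate(items):
            if s0 != "archive":
                continue
            seen = {"archive": e0}
            for t1, s1, e1 in items[i + 1:]:
                if t1 - t0 > timedelta(minutes=window_minutes):
                    break
                if s1 == "encode" and "encode" not in seen:
                    seen["encode"] = e1
                elif s1 == "print" and "encode" in seen:
                    seen["print"] = e1
                    break
            if len(seen) == 3:
                steps = [seen[s] for s in ("archive", "encode", "print")]
                chains.append({
                    "host": host,
                    "start": t0.isoformat(),
                    # An IIS worker as parent points at a web shell as the operator's channel.
                    "web_shell_parent": any(s["ParentImage"].lower().endswith("w3wp.exe") for s in steps),
                    "commands": [s["CommandLine"] for s in steps],
                })
    return chains


def encoded_blob_in_output(text, min_chars=4096):
    """True when shell output carries a certutil-style PEM wrapper around at
    least min_chars of Base64, i.e. a file being read out through the shell."""
    m = PEM_WRAPPED.search(text)
    if not m:
        return False
    return len(re.sub(r"\s+", "", m.group(1))) >= min_chars


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Host": "web01", "Time": "2024-03-10T02:14:05", "ParentImage": W3WP,
     "CommandLine": r'cmd.exe /c "C:\ProgramData\rar.exe" a -r C:\Windows\Temp\web.rar C:\inetpub\wwwroot'},
    {"Host": "web01", "Time": "2024-03-10T02:15:40", "ParentImage": W3WP,
     "CommandLine": r"cmd.exe /c certutil -encode C:\Windows\Temp\web.rar C:\Windows\Temp\web.txt"},
    {"Host": "web01", "Time": "2024-03-10T02:16:02", "ParentImage": W3WP,
     "CommandLine": r"cmd.exe /c type C:\Windows\Temp\web.txt"},
    {"Host": "db01", "Time": "2024-03-10T09:00:00", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c type C:\Users\dba\notes.txt"},         # lone type: benign
    {"Host": "db01", "Time": "2024-03-10T09:05:00", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rar.exe a C:\backup\logs.rar C:\logs"},            # archive only: benign
]

if __name__ == "__main__":
    for chain in find_exfil_chains(SAMPLE_EVENTS):
        print(chain)
```

Each stage on its own is common administrative activity (archiving logs, reading a text file), which is why the db01 events produce nothing; only the ordered triple, and especially one parented by the web server worker, is worth an alert.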

This detection is particularly relevant to the following environments:

  • IIS and application servers
  • SQL servers
  • Administrator workstations
  • File servers containing sensitive business exports

9. Enhance Visibility and Forensic Readiness

Since the attackers utilize anti-forensic techniques, such as clearing logs with wevtutil, defenders must secure evidence rapidly and maintain robust telemetry collection capabilities. The following measures are recommended:

  • Enable detailed process, command-line, and network logging
  • Centralize the collection of forensic data from both Windows and Linux systems
  • Enable alerting for log clearing and suspicious use of wevtutil
  • Retain endpoint telemetry for a sufficient duration to support investigations into multi-stage intrusions
  • Ensure incident responders can rapidly capture volatile evidence from potentially compromised hosts.

The scope of these measures affects:

  • SIEM log retention settings
  • Endpoint logging configurations
  • Windows Event Log policies
  • Linux auditing and shell history collection.

10. Multi-Layered Security Controls

The report indicates that an organization's defensive capabilities improve significantly when multiple security layers are implemented simultaneously. In practice, defenders should combine the following measures:

  • URL and DNS protection to block known malicious destinations
  • Network threat defense to detect exploitation and malware delivery activities
  • Sandboxing or malware analysis for suspicious executables and loaders
  • Endpoint detection and analysis for both Windows and Linux
  • Attack surface management to identify exposed critical services

While these controls do not guarantee total immunity from intrusion, they substantially increase the chances of early detection, limit persistence, and reduce the risk of data loss.

Priorities for Impacted Sectors

For organizations in Aviation, Energy, Gov, Pharma, and Telecom, the immediate priorities are:

  1. Patch and audit the exposure of public-facing web servers and VMware vCenter infrastructure.
  2. Proactively hunt for web shells and suspicious files within IIS and Linux web directories.
  3. Monitor Python DLL side-loading, FRP deployment, and the execution of reconnaissance batch scripts.
  4. Protect credentials and investigate any signs of credential dumping, registry-based credential theft (reg save of the SAM and SYSTEM hives), or SSMS credential extraction.
  5. Enforce strict RDP and remote management configurations.
  6. Isolate critical systems and inspect for anomalous east-west traffic.
  7. Detect unusual archiving, encoding, and text-based exfiltration behaviors.
  8. Harden behavioral monitoring for both Linux and Windows, focusing on rare outbound communications and sensitive file access.

In summary, the most effective mitigation strategy for this incident is a comprehensive combination of patching, attack surface reduction, credential protection, network segmentation, and behavior-based monitoring. This strategy is indispensable because the threat actor’s tactics are specifically designed to blend into normal system administration activities, allowing them to remain undetected for extended periods.

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
