Airstalk Malware

A newly observed malware family, attributed to a suspected nation-state cluster (designated as CL-STA-1009), is being distributed in a manner consistent with a supply-chain intrusion. The implant, named Airstalk, leverages enterprise mobile device management (MDM) infrastructure to conceal Command-and-Control (C2) traffic and exfiltrate browser artifacts and other sensitive data from compromised hosts.

How The Threat Hides In Plain Sight

Airstalk repurposes the AirWatch API (now Workspace ONE Unified Endpoint Management) as its covert C2 channel. Instead of using the API for legitimate device management, the malware utilizes custom device attributes and file-upload (blob) features to exchange messages with its operators, effectively turning an MDM endpoint into a dead-drop resolver for attacker communications and large data uploads.

Two Implementations: PowerShell vs. .NET

Two distinct builds have been observed: a PowerShell backdoor and a more feature‑rich .NET variant. Both implement a multi-threaded C2 protocol and support data theft operations, such as capturing screenshots and harvesting cookies, browsing history, and bookmarks. Evidence suggests that some artifacts were signed with a certificate that researchers regard as likely to be stolen.

PowerShell Variant: C2 Behavior And Capabilities

The PowerShell implant communicates via the /api/mdm/devices/ endpoint. Upon startup, it establishes contact with a simple CONNECT/CONNECTED handshake, receives tasks packaged as 'ACTIONS' messages, executes them, and returns results using 'RESULT' messages. When a task produces large output, Airstalk uploads the data using the MDM API's blob feature.

Observed ACTIONS supported by the PowerShell backdoor include:

  • Take a screenshot.
  • Retrieve cookies from Google Chrome.
  • List all user Chrome profiles.
  • Obtain bookmarks for a specified Chrome profile.
  • Collect the browsing history for a specified Chrome profile.
  • Enumerate all files under the user directory.
  • Uninstall itself.

The .NET Variant: Enhanced Targets And Capabilities

The .NET build expands the scope and sophistication. It targets additional enterprise browsers (Microsoft Edge and Island), attempts to masquerade as an AirWatch helper executable (AirwatchHelper.exe), and adds three extra message types used for version mismatch notifications, debugging output, and beaconing.

Key differences and additional behaviors of the .NET variant:

  • Uses three dedicated execution threads to handle C2 tasks, exfiltrate debug logs, and perform periodic beacons to C2.
  • Supports a broader command set for targeted exfiltration and remote control, including commands to dump specific browser profiles, upload files, open URLs, list directory contents, and more.
  • Some .NET samples are signed with a certificate attributed to 'Aoteng Industrial Automation (Langfang) Co., Ltd' that analysts believe was likely stolen; early samples carry a compilation timestamp of June 28, 2024.
  • Unlike the PowerShell version, the .NET variant samples analyzed do not consistently create a scheduled task for persistence.

Expanded command set observed in the .NET samples includes:

  • Screenshot
  • UpdateChrome (exfiltrate a specific Chrome profile)
  • FileMap (list contents of a directory)
  • RunUtility (not yet implemented in observed samples)
  • EnterpriseChromeProfiles (enumerate Chrome profiles)
  • UploadFile (exfiltrate files/artifacts and credentials)
  • OpenURL (launch a URL in Chrome)
  • Uninstall
  • EnterpriseChromeBookmarks (retrieve bookmarks from a Chrome profile)
  • EnterpriseIslandProfiles (enumerate Island browser profiles)
  • UpdateIsland (exfiltrate a specific Island profile)
  • ExfilAlreadyOpenChrome (dump cookies from the current Chrome profile)
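A defender-side detection sketch for the traffic pattern described above (the regular custom-attribute writes used to carry C2 messages and beacons, plus large blob uploads for bulk results). This is an added example, not code from the original report or from the malware; the proxy log format, host names and the customattributes/blob sub-paths under /api/mdm/devices/ are constructed assumptions, so adapt the regex and prefix to your own proxy logs and MDM tenant.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the page): time, client host, method, path, bytes sent.
SAMPLE_LOG = """\
2024-07-01T09:00:00 ws-017 PUT /api/mdm/devices/1234/customattributes 612
2024-07-01T09:05:00 ws-017 PUT /api/mdm/devices/1234/customattributes 598
2024-07-01T09:10:00 ws-017 PUT /api/mdm/devices/1234/customattributes 605
2024-07-01T09:15:00 ws-017 POST /api/mdm/devices/1234/blob 2410000
2024-07-01T09:03:12 ws-042 GET /api/mdm/devices/5678 0
2024-07-01T09:00:00 ws-099 PUT /api/mdm/devices/9012/customattributes 540
2024-07-01T09:04:10 ws-099 PUT /api/mdm/devices/9012/customattributes 533
2024-07-01T09:12:35 ws-099 PUT /api/mdm/devices/9012/customattributes 551
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST|DELETE) (\S+) (\d+)$")
MDM_PREFIX = "/api/mdm/devices/"  # endpoint named in the report; sub-paths are assumed

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, method, path, size = m.groups()
            yield datetime.fromisoformat(ts), host, method, path, int(size)

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 = machine-regular cadence."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None

def find_suspicious_hosts(log_text, min_writes=3, max_cv=0.2, blob_bytes=1_000_000):
    """Flag hosts that write to the MDM API on a regular beat or push large blobs."""
    per_host = defaultdict(list)
    for ev in parse(log_text):
        if ev[3].startswith(MDM_PREFIX) and ev[2] in ("PUT", "POST"):
            per_host[ev[1]].append(ev)
    findings = {}
    for host, writes in per_host.items():
        writes.sort()
        reasons = []
        cv = beacon_score([e[0] for e in writes])
        if len(writes) >= min_writes and cv is not None and cv <= max_cv:
            reasons.append(f"regular write cadence: n={len(writes)}, cv={cv:.2f}")
        big = sum(1 for e in writes if e[4] >= blob_bytes)
        if big:
            reasons.append(f"{big} large upload(s) to the MDM API")
        if reasons:
            findings[host] = reasons
    return findings
```

On the constructed log, ws-017 is flagged on both counts (five-minute write beat and a 2.4 MB blob), while ws-099's irregular writes and ws-042's read-only traffic are not; tune `min_writes`, `max_cv` and `blob_bytes` against a baseline of your legitimate agent traffic before alerting.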

Distribution And Impact

Exactly who was targeted and how the implant was distributed remain unclear. However, the use of MDM APIs as C2 and the explicit focus on enterprise browsers, particularly Island, which is aimed at corporate deployments, strongly point to a supply-chain or third-party vendor compromise targeting business process outsourcing (BPO) firms. BPO providers are attractive targets because stolen browser session cookies and profile artifacts can grant attackers access to numerous downstream client environments, and persistent access through a vendor's infrastructure amplifies the impact.

Conclusion

Airstalk demonstrates a concerning trend: attackers abusing trusted management platforms to blend malicious traffic with legitimate administrative telemetry. For organizations that rely on third‑party vendors or BPO services, this technique materially increases the risk that a single compromise will cascade across many client environments. Vigilance around MDM activity, certificate provenance, and the integrity of vendor toolchains is essential to detect and limit this class of threat.