An Investigation Into Years of Undetected Operations Targeting High-Value Sectors

    Date: 03/09/2026

    Severity: High

    Summary

    Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast, and East Asia. The attacks focus on critical sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. This ongoing and previously undocumented activity is being tracked as CL-UNK-1068. The term “UNK” is used for clusters whose affiliation with either nation-state or cybercrime groups has not yet been determined. We assess with high confidence that CL-UNK-1068 is operated by a Chinese threat actor, based on tool origins, linguistic artifacts in configuration files, and consistent targeting of Asian critical infrastructure. We further assess with moderate-to-high confidence that the primary objective is cyber espionage, though a cybercriminal motive cannot be fully ruled out.

    Indicators of Compromise (IOC) List

    IP Address : 


    Hash : 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    dstipaddress IN ("13.250.108.65","43.255.189.67","52.77.253.4","79.141.169.123","107.148.33.60","107.148.51.251","107.148.130.22") or srcipaddress IN ("13.250.108.65","43.255.189.67","52.77.253.4","79.141.169.123","107.148.33.60","107.148.51.251","107.148.130.22")

    Detection Query 2 :

    sha256hash IN ("0d03934eb181c2befbc5341208c4eb8f939e00382ac632216397b8210225c937","d6ed94589b0e6a7c3e1a6052e18f3962ca78c385c78036972d5ea72c07a5772c","cdb90179188a142d24147edcb72be8b574fac4f6833fff15a6ee803754dec0c0","e9541e8afa502e13c18734756270b10e3c07f1071283387e63c8f8b0ba591343","f7c73b1ac9aff545b184ec7121f2bc706c5064dc3c17f59e9a39469031bf2ef6","f710dc61c2edc85841fd733a17b7977dfb889d6476c59bb3c54a5b2fd393ac13","6ddbfd3a96834087501f0c9415a925cafdb92cb8ff34685f138833b4795416d6","3b2b6a3ee023dfa168f257b292a28f5fbdbacb5aa2250e1efb36e650529db1b5","3e698c85660e2c012b3db7f47ca3f2b1af2b6b0e0a0d2bdb7903f91cf9d31732","8d3907d56b1dd1609053cb55dd66f33499e1ea091133df76d8fe6f08f25f37b2","f6ac9e5e76bc9daf4772c5be43c9eac1d2611caafd49fac70bbb8eebfa4781ac","cfdcbc553bc7464aedfb6758b0a38acc78d9537eabe9717e60ab0d8d3b355225","c880936ba0ca153719c2cca33c1925a9480d28abc88cf4daa02f34cc8cc1c9e5","96f52e4666aa8df67f8d7d00a523cd25e11402108157156775603b3d9514925c","cfcbb3014ecc560ba36103213b36fc62d6b0ef22c49067ff0d860fd7253a7c94","8a3345f0d8f1a7d78ea485ae11358cf2ae3d51cb7975524d6d67ba05a08a37ea","524734501be19e9ed1bfab304b0622a2263a4f9e3db0971f3fae93f7e7369c20","26483f0886078cc9f5f9912d3ffce1301e297b435920ab1c86c9107bbdce4db2","99bd09e1c500866b2b809fd9170f1b8b7e120da21a1f2eed6165fcf81bf519b7","d8378cf105146217e6ded438187c4ea0edcadb6cf27f5eeddda3fd80cce76d72","5c986203242e2ed25458b0606ee7be57070f6d66b7472b453d92b1b6786443bd","fb9400d763a009b3bd2b9468410e0c69ee8a4f58400e532f086cef749422210d","082a55731f972cd15e103104229a68175a8c59a52bae05daa8ed4302df7c2dec","e1ff808321ce952384b7fff720584c48ec0fd36480d6bc9ac0d5db036102c368","b87cee18720c176c1972cf5c74e3c09877177e0c49c34a04b910bb3c70839b71","edc0287da3c6bb62a7b2fd3949be5688628fc0e893b5822bd5734a63c39f7ab1","0c7db12ec29f333bf5f53dc5c73ec446b2265fca3aad5144c3569409e15123cb","8af434c2af2d901694cb27ec8639e7054f84938110a5cc4492c1bac597026d50","ce20c033dcadf17d9cca325869f946efdd82ab0756fa56e262b6f573252d457c","52c817465a56ccd0fb4e914a3274a9e9a93e872583e6239bc6461e4f3e40c567")

    Reference:

    https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/


    Tags

    Threat Actor, Southeast Asia, Asia, Energy, Communications, Healthcare and Public Health, Information Technology, Critical Infrastructure, Cyber Espionage
