Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack

    Date: 10/30/2025

    Severity: High

    Summary

We have identified a new Windows-based malware family, dubbed Airstalk, which exists in both PowerShell and .NET variants. We assess with medium confidence that a nation-state threat actor deployed this malware as part of a probable supply chain attack, and we are tracking the related activity as threat activity cluster CL-STA-1009. Airstalk does not exploit a vulnerability; it abuses the legitimate AirWatch mobile device management API (now Workspace ONE Unified Endpoint Management, UEM) as a covert command-and-control (C2) channel. Specifically, it uses the API's custom device attribute and file upload features to carry its C2 communication and to support its persistence mechanisms, so C2 traffic blends in with normal MDM traffic to the UEM tenant.

    Indicators of Compromise (IOC) List

SHA-256:

    0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde

    1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5

    dfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533

    b6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b

    4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5

    3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5

    SHA-1:

    6246f09c4fc680684ccca2536388dfd62c6c99ae

    MD5:

    38f2e93f027c88436deb392f3f2abe75

    29afb8d913db84fdb362f4fd927b8553

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1 (MD5):

    md5hash IN ("38f2e93f027c88436deb392f3f2abe75","29afb8d913db84fdb362f4fd927b8553")

    Detection Query 2 (SHA-1):

    sha1hash IN ("6246f09c4fc680684ccca2536388dfd62c6c99ae")

    Detection Query 3 (SHA-256):

    sha256hash IN ("dfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533","b6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b","1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5","0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde","4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5","3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5")
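The three queries above only work if each hash lands in the field of the right algorithm; a SHA-1 pasted into an md5hash clause silently never matches. The script below is an added example (not Gurucul's or Unit 42's code) that sorts the advisory's hashes by digest length, validates them as hex, and then applies the same IOC check to Sysmon-style process events whose Hashes field looks like "SHA1=...,MD5=...,SHA256=...,IMPHASH=...". The four events are constructed for the example; the only real IOC values are the ones listed in this advisory.

```python
"""Match the Airstalk file-hash IOCs against Sysmon-style process events.

Added example, not code from the advisory or from Unit 42. IOC values
are the hashes published above; the SAMPLE_EVENTS are constructed.
"""
import re

# IOCs exactly as listed in the advisory (mixed algorithms, one set).
AIRSTALK_HASHES = {
    "0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde",
    "1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5",
    "dfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533",
    "b6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b",
    "4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5",
    "3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5",
    "6246f09c4fc680684ccca2536388dfd62c6c99ae",
    "38f2e93f027c88436deb392f3f2abe75",
    "29afb8d913db84fdb362f4fd927b8553",
}

# Hex digest length identifies the algorithm for these three.
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def is_digest(value):
    """True if value is a hex MD5, SHA-1 or SHA-256 digest (any case)."""
    v = value.strip()
    return bool(HEX_RE.fullmatch(v)) and len(v) in HASH_ALGO_BY_LEN


def index_iocs(hashes):
    """Sort a mixed IOC list into per-algorithm sets of lowercase digests."""
    idx = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        if not is_digest(h):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {h!r}")
        norm = h.strip().lower()
        idx[HASH_ALGO_BY_LEN[len(norm)]].add(norm)
    return idx


def parse_sysmon_hashes(field):
    """Parse Sysmon's 'ALGO=digest,ALGO=digest,...' Hashes field.

    Unknown algorithms (e.g. IMPHASH) are dropped; digests are lowercased
    so case differences in the log never cause a missed match.
    """
    out = {}
    for part in field.split(","):
        if "=" not in part:
            continue  # tolerate a malformed fragment rather than crash
        algo, value = part.split("=", 1)
        algo = algo.strip().lower()
        if algo in ("md5", "sha1", "sha256") and is_digest(value):
            out[algo] = value.strip().lower()
    return out


def match_event(event, idx):
    """Return (algo, digest) pairs from the event that are known IOCs."""
    hashes = parse_sysmon_hashes(event.get("Hashes", ""))
    return [(algo, d) for algo, d in hashes.items() if d in idx[algo]]


def scan(events, idx):
    """Run the IOC check over a list of events; keep only the hits."""
    results = []
    for ev in events:
        hits = match_event(ev, idx)
        if hits:
            results.append({"image": ev.get("Image", "?"), "hits": hits})
    return results


# Constructed sample events (Sysmon Event ID 1 style). The non-IOC
# digests are the well-known empty-file MD5/SHA-1/SHA-256 values.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "Hashes": "SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709,"
               "MD5=d41d8cd98f00b204e9800998ecf8427e,"
               "SHA256=0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde,"
               "IMPHASH=00000000000000000000000000000000"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Hashes": "SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709,"
               "MD5=38F2E93F027C88436DEB392F3F2ABE75,"  # uppercase in the log
               "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709,"
               "MD5=d41d8cd98f00b204e9800998ecf8427e,"
               "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"Image": r"C:\ProgramData\update.exe",
     "Hashes": "SHA1=6246f09c4fc680684ccca2536388dfd62c6c99ae"},  # SHA-1 only
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS, index_iocs(AIRSTALK_HASHES)):
        print(r["image"], "->", r["hits"])
```

Because the index is keyed by algorithm, the same list drives all three TDIR queries without hand-sorting, and an event that carries only one digest type (like the last sample) still gets checked against the right set.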

    Reference:

    https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/


Tags

    Malware, Threat Actor, Airstalk, Nation-State, CL-STA-1009, AirWatch, Exploit, Workspace ONE Unified Endpoint Management (UEM)
