The Covert Operator's Playbook: Infiltration of Global Telecom Networks

    Date: 07/30/2025

    Severity: Medium

    Summary

    An emerging threat cluster, tracked as CL-STA-0969, has been targeting telecommunications infrastructure in Southwest Asia. The activity involves compromising interconnected mobile roaming networks, though no data exfiltration or device tracking was confirmed. The threat actors demonstrated strong operational security and used defense evasion tactics to maintain stealth. They deployed specialized tools such as Cordscan, whose presence indicates an interest in collecting victim location data. This activity is assessed with high confidence to be linked to a nation-state and closely aligns with operations attributed to the adversary known as Liminal Panda.

    Indicators of Compromise (IOC) List

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN (
        "efa04c33b289e97a84ec6ab1f1b161f900ed3b4521a9a69fb6986bd9991ecfc6",
        "1852473ca6a0b5d945e989fb65fa481452c108b718f0f6fd7e8202e9d183e707",
        "827f41fc1a6f8a4c8a8575b3e2349aeaba0dfc2c9390ef1cceeef1bb85c34161",
        "3c42194d6c18a480d9a7f3f7550f011c69ff276707e2bae5e6143f7943343f74",
        "432125ca41a2c5957013c8bff09c4037ad18addccab872d46230dd662a2b8123",
        "aa661e149f0a6a9a61cadcca47a83893a9e6a5cdb41c3b075175da28e641a80f",
        "bacbe2a793d8ddca0a195b67def527e66d280a13a8d4df90b507546b76e87d29",
        "44e83f84a5d5219e2f7c3cf1e4f02489cae81361227f46946abe4b8d8245b879",
        "b9f67565b56c9464462fa52d937202eef0b5554993c6b2bec8c955db64460cc7",
        "705a035e54ce328227341ff9d55de15f4e16d387829cba26dc948170dac1c70f",
        "e3b06f860b8584d69a713127f7d3a4ee5f545ad72e41ec71f9e8692c3525efa0",
        "188861d7f0861103886543eff63a96c314c8262dbf52c6e0cf9372cf1e889d52",
        "4985de6574ff34009b6c72504af602a21c152ec104b022d6be94e2fec607eb43",
        "0bb3b4d8b72fec995c56a8a0baf55f2a07d2b361ee127c2b9deced24f67426fd",
        "3191e1516f39d72191e6c89460f7273826e12d493577b75b6fdee036c85e5a7e",
        "9e1f5a134d13167a9148f2d5a1e6a96136d22ecdfbc502aa974544e7efe16a22",
        "edb6ab4bba4d474e60ff266af230cb6c438056937b262f86d3779bdc14de72a4",
        "b1e473dd70732ba34b7e985422bfd44f3883379569d89bee523f4263c7070fd9",
        "8e2dd7ed7c7bec7ff6ab69990c3172b1a9c2028f67b02f6f8c5429e968d2f8d2",
        "3e186c24bae58de14b14332a6b14d269b84235a25a892f1327002149f0547739",
        "540f60702ee5019cd2b39b38b07e17da69bde1f9ed3b4543ff26e9da7ba6e0be",
        "cd754125657f1d52c08f9274fda57600e12929847eee3f7bea2e60ca5ba7711d",
        "b9c91face6ddfecc26d444f891c24796dbc953fb33145749f30b17445400c87c"
    )
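    The same hash-match logic as Detection Query 1, run outside the Gurucul platform over JSON endpoint telemetry. This is an added example, not Gurucul's or Unit 42's code; the log field names, hostnames and sample events are constructed assumptions, and only a subset of the advisory's SHA-256 indicators is embedded (the full set is in Detection Query 1).

```python
import json
import re

# Subset of the SHA-256 indicators published for CL-STA-0969; extend this
# set with the remaining hashes from Detection Query 1 for production use.
CL_STA_0969_SHA256 = {
    "bacbe2a793d8ddca0a195b67def527e66d280a13a8d4df90b507546b76e87d29",
    "1852473ca6a0b5d945e989fb65fa481452c108b718f0f6fd7e8202e9d183e707",
    "efa04c33b289e97a84ec6ab1f1b161f900ed3b4521a9a69fb6986bd9991ecfc6",
    "b9c91face6ddfecc26d444f891c24796dbc953fb33145749f30b17445400c87c",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Field names under which different log sources carry a file hash
# (assumed names; adjust to the schema of your own telemetry).
HASH_FIELDS = ("sha256hash", "sha256", "file_hash", "hash")


def extract_sha256(event):
    """Return the normalised (lower-case) SHA-256 from an event, or None."""
    for field in HASH_FIELDS:
        value = event.get(field)
        if isinstance(value, str):
            value = value.strip().lower()
            if SHA256_RE.match(value):
                return value
    return None


def match_ioc_hashes(log_lines, iocs=CL_STA_0969_SHA256):
    """Scan JSON log lines; return (host, process, hash) for each IOC hit."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        digest = extract_sha256(event)
        if digest and digest in iocs:
            hits.append((event.get("host"), event.get("process"), digest))
    return hits


# Constructed sample telemetry (not real events): mixed field names and case.
SAMPLE_LOGS = [
    '{"host":"hss-01","process":"/tmp/update.bin","sha256hash":"BACBE2A793D8DDCA0A195B67DEF527E66D280A13A8D4DF90B507546B76E87D29"}',
    '{"host":"sgw-02","process":"/usr/bin/sshd","sha256":"' + "0" * 64 + '"}',
    '{"host":"pgw-03","process":"/opt/svc","file_hash":"b9c91face6ddfecc26d444f891c24796dbc953fb33145749f30b17445400c87c"}',
    "not json at all",
]

if __name__ == "__main__":
    for host, proc, digest in match_ioc_hashes(SAMPLE_LOGS):
        print(f"IOC hit on {host}: {proc} ({digest[:12]}...)")
```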

    Reference: https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/


    Tags

    Threat Actor, CL-STA-0969, Communications, Southern Asia, Cordscan, Liminal Panda
