A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack.

Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009 , where "CL" stands for cluster and "STA" refers to state-backed motivation.

"Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management," security researchers Kristopher Russo and Chema Garcia said in an analysis. "It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads."

The malware, which appears in PowerShell and .NET variants, makes use of a multi-threaded command-and-c

See Full Page