CL-STA-1009 is a threat activity cluster attributed to a suspected nation-state actor that uses the Airstalk malware family, which has both PowerShell and .NET variants. The .NET variant implements a multi-threaded C2 protocol, carries version information, and supports more complex tasking; for defense evasion it is delivered as signed binaries whose certificate has since been revoked, and its PE timestamps are manipulated. The malware is believed to have been used in supply chain attacks, and a development timeline has been reconstructed from the signing timestamps. The adaptive nature of the malware underscores the persistent threat this actor poses.
2025-10-29 · Palo Alto Networks Unit 42 · "Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack" · Tags: Airstalk, CL-STA-1009