[Figure: ScanPortPlus command-line options]
Since 2020, a sophisticated cluster of activity has been quietly infiltrating high-value organizations across South, Southeast, and East Asia. Tracked by Unit 42 as CL-UNK-1068, this group has cast a wide net, targeting critical sectors ranging from aviation and energy to government and telecommunications.
While the group’s specific affiliation remains under investigation, researchers assess with high confidence that the attackers are a Chinese threat actor, citing “the origin of their tools, linguistic artifacts in configuration files, and their consistent, longstanding targeting of critical infrastructure in Asia”.
CL-UNK-1068 is characterized by its cross-platform capabilities, maintaining a robust toolset for both Windows and Linux environments. Their strategy relies heavily on a “multi-faceted tool set that includes custom malware, modified open-source utilities and living-off-the-land binaries (LOLBINs)”.
One of their most distinctive techniques involves the misuse of legacy Python executables. By deploying a legitimate python.exe alongside a malicious DLL loader, they can “stealthily load additional payloads” into the memory space of a trusted process, bypassing traditional security scans.
The group typically gains its initial foothold by deploying GodZilla or AntSword web shells. Once inside, they move laterally to target the heart of an organization: its SQL servers.
To extract sensitive data without leaving a trace of file transfers, the attackers use a “simple but effective” three-step exfiltration method:
- Archiving stolen files with WinRAR.
- Encoding the archives into Base64 using the legitimate certutil command.
- Printing the Base64 text directly to their screen through the web shell.
This clever workaround allows them to exfiltrate information “without actually uploading any files,” as the shell allows them to view command output even when direct file transfers are blocked.
The group’s evolution is evident in their reconnaissance tactics. While they originally used a custom .NET tool named SuperDump to collect host telemetry and registry info, they have recently transitioned to custom batch scripts (such as hp.bat and hpp.bat) that serve as a unique signature of their activity.
For credential theft, they utilize a mix of global favorites and niche community tools:
- Mimikatz and LsaRecorder: The latter is a specialized tool shared on Chinese security forums that hooks system functions to record logon passwords.
- Dumpit and Volatility: Used in tandem to dump machine memory and extract password hashes.
- SSMS Password Export Tool: A tool specifically designed to steal saved connection info from Microsoft SQL Server Management Studio.
While the primary objective appears to be cyberespionage, Unit 42 notes that they “cannot yet fully rule out cybercriminal intentions”. To counter this threat, defenders are advised to look for behavioral anomalies rather than just static indicators.
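The behavioral anomalies just mentioned can be expressed as rules over process-creation telemetry. The following Python script is an added example, not Unit 42's code, and covers three behaviours the report describes: the archive, certutil -encode, print-through-web-shell exfiltration chain; python.exe launched from outside a known install directory (a proxy for the legacy-interpreter DLL-loading trick, since a dropped interpreter sits beside its loader); and the hp.bat / hpp.bat reconnaissance scripts. The event layout, the web-server parent list, the 30-minute correlation window and the Python install allowlist are assumptions, and the sample events are constructed.

```python
"""Behaviour-based triage of process-creation events for the tradecraft
described above. Added example, not Unit 42's code; the event layout,
web-server parents, time window and Python allowlist are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (host, ISO time, parent image, image, command line).
EVENTS = [
    ("SQL01", "2024-05-01T10:00:00", "w3wp.exe", "cmd.exe",
     r'cmd.exe /c "C:\Program Files\WinRAR\Rar.exe" a C:\Windows\Temp\out.rar D:\dumps\*.bak'),
    ("SQL01", "2024-05-01T10:01:30", "w3wp.exe", "cmd.exe",
     r"cmd.exe /c certutil -encode C:\Windows\Temp\out.rar C:\Windows\Temp\out.txt"),
    ("SQL01", "2024-05-01T10:02:10", "w3wp.exe", "cmd.exe",
     r"cmd.exe /c type C:\Windows\Temp\out.txt"),
    ("SQL01", "2024-05-01T10:05:00", "w3wp.exe", "cmd.exe",
     r"cmd.exe /c C:\ProgramData\hp.bat"),
    ("SQL01", "2024-05-01T10:06:00", "cmd.exe", "python.exe",
     r"C:\ProgramData\py\python.exe -c pass"),
    # Ordinary activity on another host: a lone encode and a normal Python.
    ("WS07", "2024-05-01T11:00:00", "explorer.exe", "cmd.exe",
     r"cmd.exe /c certutil -encode report.pdf report.b64"),
    ("WS07", "2024-05-01T11:00:05", "explorer.exe", "python.exe",
     r"C:\Python27\python.exe script.py"),
]

# Parent processes that indicate a command ran through a web shell (assumed list).
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "java.exe", "php-cgi.exe"}
ARCHIVE_RE = re.compile(r'\b(?:rar|winrar)\.exe"?\s+a\b')
ENCODE_RE = re.compile(r"certutil(?:\.exe)?\s+-encode\s+(?P<src>\S+)\s+(?P<out>\S+)")
PRINT_RE = re.compile(r"\b(?:type|more|findstr|cat)\b")
BATCH_RE = re.compile(r'(?:^|[\\/\s"])(?P<script>hpp?\.bat)\b')
# Directories where python.exe legitimately lives; tune per environment.
ALLOWED_PY_DIRS = (r"c:\python", r"c:\program files\python",
                   r"c:\program files (x86)\python")


def find_exfil_chains(events, window=timedelta(minutes=30)):
    """Per host, correlate archive -> certutil -encode -> display of the encoded
    file within `window`; returns one finding per completed chain."""
    findings, state = [], defaultdict(dict)
    for host, ts, parent, _image, cmd in sorted(events, key=lambda e: e[1]):
        t, c, st = datetime.fromisoformat(ts), cmd.lower(), state[host]
        if ARCHIVE_RE.search(c):
            st["archive"] = t
            continue
        enc = ENCODE_RE.search(c)
        if enc and "archive" in st and t - st["archive"] <= window:
            st["encode"] = (t, enc.group("out"))
            continue
        if "encode" in st:
            t_enc, out = st["encode"]
            # The printed file must be the one certutil just produced.
            if out in c and PRINT_RE.search(c) and t - t_enc <= window:
                findings.append({"host": host, "time": ts, "encoded_file": out,
                                 "via_web_shell": parent.lower() in WEB_SERVERS})
                state[host] = {}
    return findings


def find_python_outside_install(events):
    """Flag python.exe started from a directory that is not an allowed install."""
    findings = []
    for host, ts, _parent, image, cmd in events:
        if image.lower() != "python.exe":
            continue
        m = re.match(r'"([^"]+)"|(\S+)', cmd)  # first token, quoted or not
        exe = (m.group(1) or m.group(2)).lower()
        if not exe.startswith(ALLOWED_PY_DIRS):
            findings.append({"host": host, "time": ts, "path": exe})
    return findings


def find_recon_batch(events):
    """Flag the hp.bat / hpp.bat script names the report calls a signature."""
    return [{"host": h, "time": ts, "script": m.group("script")}
            for h, ts, _p, _i, cmd in events
            if (m := BATCH_RE.search(cmd.lower()))]


if __name__ == "__main__":
    for rule in (find_exfil_chains, find_python_outside_install, find_recon_batch):
        for finding in rule(EVENTS):
            print(rule.__name__, finding)
```

The chain rule is deliberately stateful: a lone `certutil -encode` (as on WS07) is common admin activity, so it only fires when the encoded file was produced from a fresh archive and then displayed, and it records whether the parent was a web server so an analyst can tie the sequence back to the web shell.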