Palo Alto Networks’ Unit 42 Threat Intelligence team has uncovered a sophisticated new malware family dubbed Airstalk, which leverages VMware AirWatch (Workspace ONE) mobile device management (MDM) APIs as a covert command-and-control (C2) channel.
According to Unit 42, “We have discovered a new Windows-based malware family we’ve named Airstalk, which is available in both PowerShell and .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack.”
The malware, tracked under threat activity cluster CL-STA-1009, represents a highly adaptive espionage toolkit designed to steal browser data, credentials, and screenshots while evading detection through legitimate cloud service abuse.
The campaign is believed to have originated from a supply chain compromise, targeting organizations through trusted third-party vendors and service providers.
Unit 42 explains that “supply chain attacks target the goods and services organizations rely upon to perform their day-to-day activities. This includes hardware, cloud-based services trusted to manage an organization’s most sensitive data, and specialized business process outsourcing (BPO) staff.”
Such BPO entities—contractors who manage sensitive operations for multiple clients—represent high-value entry points for nation-state adversaries. The report warns that compromising one vendor can open access to hundreds of downstream targets.
Airstalk operates in two main variants: one written in PowerShell and another in .NET. Both share the same covert C2 mechanism but differ in complexity and functionality.
The PowerShell variant represents the initial stage of development, while the .NET version adds multi-threaded communication, versioning, and enhanced persistence controls.

The malware’s hallmark is its abuse of the AirWatch API. Unit 42 writes:
“Airstalk misuses the AirWatch API for mobile device management, which is now called Workspace ONE Unified Endpoint Management. It uses the API to establish a covert C2 channel, primarily through the AirWatch feature to manage custom device attributes and file uploads.”
This abuse effectively turns the trusted MDM infrastructure into a communication hub for malware operators, blending malicious activity into legitimate management traffic.
In both variants, Airstalk communicates with its operators by embedding commands within the custom attributes of registered devices using AirWatch’s /api/mdm/devices/ endpoint.
Each compromised machine sends serialized JSON messages disguised as legitimate MDM updates. The threat actor retrieves them later, creating a “dead drop” system — a classic espionage technique for exchanging information without direct connection.
Unit 42 describes this as:
“A dead drop is a secret method of communication used to pass items or information between individuals without them connecting directly. Adversaries typically use this technique in espionage, where one person leaves the item in a hidden location and the other retrieves it later.”
This covert exchange allows the malware to receive tasks, such as taking screenshots, collecting Chrome cookies, and exfiltrating files, through AirWatch’s legitimate blob upload feature (/api/mam/blobs/uploadblob).
The .NET variant of Airstalk represents a more advanced generation of the malware. It supports multi-threaded operations, including task execution, debug log exfiltration, and regular beaconing every 10 minutes.
Unit 42 notes that “the .NET variant also appears to be in a more advanced stage of development than the PowerShell variant,” and includes new C2 message types like MISMATCH, DEBUG, and PING for better error handling and persistence.
Its functionality extends beyond Chrome, targeting Microsoft Edge and Island Browser, and can exfiltrate cookies, bookmarks, browsing history, and screenshots.
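The dead-drop C2 described above (JSON messages written into device custom attributes via /api/mdm/devices/, exfiltration through /api/mam/blobs/uploadblob, and the .NET variant's 10-minute beacon) leaves a footprint in the management platform's own access logs. The following detection sketch is an added example, not code from Unit 42 or Palo Alto Networks: it scans constructed access-log lines for JSON-shaped custom-attribute writes, blob uploads, and a regular beacon cadence per client. The log line layout and the customattributes sub-path are assumptions for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of access-log lines in front of a Workspace ONE UEM (AirWatch)
# console: "timestamp client method path status body". The body column and the
# exact customattributes path are assumptions made for this example.
SAMPLE_LOG = """\
2025-10-01T10:00:02Z 10.0.5.21 PUT /api/mdm/devices/4471/customattributes 200 {"type":"PING","id":"d1"}
2025-10-01T10:10:01Z 10.0.5.21 PUT /api/mdm/devices/4471/customattributes 200 {"type":"DEBUG","id":"d2"}
2025-10-01T10:20:03Z 10.0.5.21 PUT /api/mdm/devices/4471/customattributes 200 {"type":"PING","id":"d3"}
2025-10-01T10:21:40Z 10.0.5.21 POST /api/mam/blobs/uploadblob 200 -
2025-10-01T11:02:11Z 10.0.7.9 PUT /api/mdm/devices/8812/customattributes 200 Building=HQ
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")
DEVICE_ATTR_RE = re.compile(r"^/api/mdm/devices/\d+/customattributes")
BLOB_UPLOAD = "/api/mam/blobs/uploadblob"


def looks_like_json_object(body):
    """Legitimate custom attributes are plain values; a JSON object is suspicious."""
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:
        return False


def analyze(log_text, beacon_interval=timedelta(minutes=10), tolerance=timedelta(seconds=30)):
    """Return per-client findings: JSON attribute writes, blob uploads, beacon cadence."""
    findings = defaultdict(lambda: {"json_attr_writes": 0, "blob_uploads": 0, "beacon_cadence": False})
    write_times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, path, _status, body = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if method == "PUT" and DEVICE_ATTR_RE.match(path) and looks_like_json_object(body):
            findings[client]["json_attr_writes"] += 1
            write_times[client].append(when)
        elif method == "POST" and path == BLOB_UPLOAD:
            findings[client]["blob_uploads"] += 1
    # Flag clients whose attribute writes recur at the beacon interval (within tolerance).
    for client, times in write_times.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - beacon_interval) <= tolerance for g in gaps):
            findings[client]["beacon_cadence"] = True
    return dict(findings)
```

Real deployments should key on the authenticated API account as well as the client address, since the report notes the traffic is otherwise indistinguishable from routine MDM updates.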
Airstalk’s stealth capabilities are further enhanced through signed binaries and timestamp manipulation. Some samples were found to be digitally signed with a stolen certificate from Aoteng Industrial Automation (Langfang) Co., Ltd., which was revoked shortly after issuance — a known evasion tactic seen in other state-sponsored malware families.
Airstalk employs several advanced evasion techniques:
- Abusing trusted MDM infrastructure to disguise network traffic.
- Using legitimate APIs for command-and-control.
- Digitally signing payloads with stolen certificates to appear legitimate.
- Manipulating PE timestamps to hinder forensic correlation.
The PowerShell variant achieves persistence through scheduled tasks, while the .NET version remains fileless, removing itself after exfiltration to minimize detection.
Unit 42 warns that the malware’s stealth allows it to operate undetected — especially when hosted within third-party vendor environments, where traditional endpoint protection may not reach.
Unit 42 attributes the activity to a suspected nation-state threat actor.
“Based on our internal assessment, we assess with medium confidence that a nation-state threat actor used Airstalk malware in a supply chain attack. We are tracking the identified activity as an activity cluster that we named CL-STA-1009.”
The researchers emphasize that the goal appears to be long-term espionage and data collection, rather than immediate disruption. The targeting of BPO providers suggests an intent to infiltrate multiple high-value organizations indirectly, maintaining persistent access across enterprise networks through compromised third-party tools.