Unmasking Airstalk’s Covert Supply Chain Intrusion

Amber | Attack Report

Summary

Airstalk malware is a Windows-based threat discovered in 2025 and delivered to organizations worldwide through a covert supply chain attack. The family exists in both PowerShell and .NET variants and abuses the Workspace ONE (formerly AirWatch) API infrastructure for command-and-control communication. Attributed with moderate confidence to the suspected nation-state actor CL-STA-1009, Airstalk operates inside legitimate Mobile Device Management (MDM) systems to exfiltrate sensitive browser data, screenshots, and activity logs while keeping an extremely low detection profile.

The Airstalk supply chain attack primarily targets Business Process Outsourcing (BPO) firms and critical vendors, enabling attackers to compromise multiple downstream clients simultaneously. By leveraging stolen digital certificates and trusted enterprise infrastructure, this Windows malware blurs the distinction between legitimate network operations and cyber espionage activities, presenting significant security challenges for organizations dependent on third-party vendor services.

Attack Details

Advanced Malware Architecture and Exploitation Methodology

Airstalk malware is a newly identified Windows-based threat developed in both PowerShell and .NET variants, believed to originate from nation-state actor operations involving sophisticated supply chain compromise. The malware exploits the AirWatch API, now known as Workspace ONE Unified Endpoint Management (UEM), to establish covert command-and-control channels that seamlessly blend within legitimate enterprise network traffic. Airstalk’s primary objective focuses on exfiltrating sensitive browser data including cookies, browsing history, bookmarks, and screenshots through multi-threaded communication protocols. The malware incorporates version tracking for development monitoring and utilizes potentially stolen digital certificates for sample signing, significantly enhancing its credibility and stealth capabilities within enterprise environments.

PowerShell Variant Communication Mechanisms

The PowerShell variant of Airstalk malware establishes command-and-control communication through the AirWatch Mobile Device Management (MDM) API, using the device custom-attribute endpoint as a dead-drop channel. Data is stored as custom attributes on compromised devices, so operators and implant exchange information indirectly without any real-time interaction. The malware can also upload files through the same API to support its operations. All messages are exchanged as structured JSON with a fixed set of fields, which keeps communications well-formed and lets operators track them across their infrastructure. Because the traffic consists of ordinary calls to a legitimate enterprise API, it is concealed within normal network activity.

Task Execution and Browser Cookie Exfiltration

Once the connection is established, the PowerShell variant of Airstalk malware waits for task instructions from operators and executes commands selected by a task-type identifier. Analysis shows that one identifier in the sequence is absent, likely concealing a specific function or representing a reserved capability. The malware's ability to exfiltrate browser cookies through remote debugging is particularly concerning, because it grants access to user sessions without directly stealing credentials. Inside a trusted MDM environment these actions are significantly harder to detect, making Airstalk an exceptionally discreet and dangerous tool.

Advanced .NET Variant Capabilities

Further analysis uncovered a more advanced .NET variant of Airstalk malware, demonstrating clear evolution from the PowerShell version. This iteration expands targeting capabilities beyond Google Chrome to include Microsoft Edge and Island Browser. The .NET version introduces enhanced obfuscation techniques, new communication mechanisms, and multiple dedicated execution threads that manage command-and-control operations, debug log exfiltration, and regular beaconing activities every ten minutes. The malware incorporates version tracking, with samples identified as versions 13 and 14, and uses legitimate-looking code signing to disguise itself as benign legacy applications, further increasing its stealth profile.

Nation-State Attribution and Supply Chain Targeting

With moderate confidence, security researchers attribute Airstalk malware deployment to suspected nation-state threat actor CL-STA-1009, likely involved in targeted supply chain intrusion operations. These sophisticated attacks typically focus on critical vendors and Business Process Outsourcing (BPO) firms that handle sensitive operational data for multiple organizations. By compromising a single BPO provider, adversaries gain simultaneous access to numerous downstream clients, making these entities extremely valuable targets for cyber espionage campaigns and persistent threat operations.

Recommendations

Review and Monitor MDM Activity Closely

Organizations must regularly audit Mobile Device Management (MDM) and Workspace ONE configurations to detect potential Airstalk malware indicators. Security teams should monitor for unusual API calls, particularly those writing or modifying device attributes, to identify hidden communication channels employed by the malware. Implementing comprehensive logging and real-time monitoring of MDM systems helps detect abnormal activity patterns associated with covert command-and-control operations.
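As an added example (not part of this advisory and not vendor tooling), the following Python sketch shows the kind of check the paragraph describes, run over constructed MDM audit records: it flags device custom-attribute writes that come from a principal other than the expected console service account, attribute values that look like encoded messages rather than inventory labels, and devices whose attributes are rewritten far more often than inventory data normally changes. The API path, record field names, service-account name and thresholds are assumptions to adapt to your tenant's real audit log format.

```python
import base64
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: the attribute endpoint path, the audit record
# field names and the service account are NOT taken from Workspace ONE's real
# log format; replace them with what your tenant's audit export actually contains.
ATTR_PATH = "/api/mdm/devices/customattributes"   # assumed endpoint path
ALLOWED_WRITERS = {"svc-uem-console"}              # assumed: the only principal expected to set attributes
MAX_WRITES_PER_HOUR = 6                            # tuning knob: legitimate attribute churn is low
MIN_BLOB_LEN = 64                                  # short values such as "Building 4" are labels, not payloads
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{%d,}$" % MIN_BLOB_LEN)


def _blob() -> str:
    # Constructed stand-in for an encoded message parked in an attribute value.
    return base64.b64encode(b"constructed task payload " * 4).decode()


# Constructed sample audit records: one benign inventory update and eight rapid
# writes to the same device by an unexpected API principal carrying encoded blobs.
SAMPLE_EVENTS = [
    {"timestamp": "2025-11-07T09:58:00", "actor": "svc-uem-console", "method": "PUT",
     "path": ATTR_PATH, "device_id": "D-1001", "attribute": "Location", "value": "Building 4"},
] + [
    {"timestamp": f"2025-11-07T10:{5 * i:02d}:00", "actor": "api-bpo-integration", "method": "PUT",
     "path": ATTR_PATH, "device_id": "D-2042", "attribute": "SyncState", "value": _blob()}
    for i in range(8)
]


def looks_like_payload(value: str) -> bool:
    """True when an attribute value resembles a message (long base64 or a JSON object)."""
    if B64_RE.match(value):
        return True
    try:
        return isinstance(json.loads(value), dict)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False


def analyse(events):
    """Return {device_id: set(reasons)} for devices whose attribute writes look like a dead drop."""
    findings = defaultdict(set)
    writes = defaultdict(list)
    for e in events:
        if e["method"] not in ("PUT", "POST") or not e["path"].startswith(ATTR_PATH):
            continue  # reads and unrelated endpoints are out of scope for this check
        writes[e["device_id"]].append(datetime.fromisoformat(e["timestamp"]))
        if e["actor"] not in ALLOWED_WRITERS:
            findings[e["device_id"]].add("unexpected_writer")
        if looks_like_payload(e["value"]):
            findings[e["device_id"]].add("encoded_payload")
    # Sliding one-hour window over each device's write timestamps.
    for device, stamps in writes.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for s in stamps[i:] if s - start <= timedelta(hours=1))
            if in_window > MAX_WRITES_PER_HOUR:
                findings[device].add("high_write_rate")
                break
    return dict(findings)


if __name__ == "__main__":
    for device, reasons in analyse(SAMPLE_EVENTS).items():
        print(device, sorted(reasons))
```

In a real deployment the records would come from the tenant's audit export or a SIEM table rather than `SAMPLE_EVENTS`. The three signals are deliberately independent: a write from an unexpected principal, an encoded value, or an abnormal write rate is each enough on its own to open a triage ticket, and a device matching all three is a strong candidate for the dead-drop behaviour described above.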

Validate Certificates and Signing Sources

Ensure all software and executables are signed with legitimate and active digital certificates. Security teams must flag any binaries signed with expired or revoked certificates, as Airstalk malware has been observed abusing stolen certificates to appear trustworthy within enterprise environments. Implement certificate validation processes and maintain an updated certificate revocation list to prevent execution of maliciously signed code.

Watch for Abnormal Browser Data Access

Implement browser isolation technologies or endpoint protection solutions that monitor unauthorized attempts to access or extract browser cookies, history, or bookmarks. These data points represent Airstalk’s primary targets for session hijacking and credential theft. Deploy data loss prevention (DLP) solutions specifically configured to detect unusual browser data access patterns and unauthorized exfiltration attempts.

Strengthen Endpoint Visibility and Logging

Enable detailed logging for PowerShell and .NET executions across all enterprise endpoints. Correlate event logs with network data to uncover unusual process behaviors or scripts interacting with enterprise APIs. Implement security information and event management (SIEM) solutions to aggregate and analyze endpoint activity, enabling rapid detection of Airstalk malware indicators and suspicious behavior patterns.
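As a second added example (again not from the advisory), this Python block correlates two constructed endpoint records, a Sysmon Event ID 3 network connection and a PowerShell Event ID 4104 script block, the way a SIEM rule for this paragraph would: a connection to the MDM API host from any image other than the expected agent is suspicious on its own, and joining it with script blocks logged for the same process id within a short window shows which script made the call. The API host name, the agent path in the allow-list and the flattened field names are assumptions; the constructed script text is a generic `Invoke-RestMethod` call, not Airstalk code.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: your Workspace ONE API host, the image(s) that
# are legitimately allowed to talk to it, and a flattened event schema such as a
# SIEM might produce from Sysmon and PowerShell script block logs.
MDM_API_HOSTS = {"uem.example.com"}
ALLOWED_MDM_IMAGES = {r"C:\Path\To\Your\MDMAgent.exe"}   # placeholder for the real agent path
INTERPRETERS = {"powershell.exe", "pwsh.exe"}
JOIN_WINDOW = timedelta(minutes=5)

# Constructed events: pid 4120 is PowerShell calling the MDM API (suspicious),
# pid 2200 is the allow-listed agent (benign), pid 5300 is PowerShell talking
# to an unrelated host (not an MDM concern for this rule).
SAMPLE_EVENTS = [
    {"time": "2025-11-07T10:01:55", "event_id": 4104, "pid": 4120,
     "script": "Invoke-RestMethod -Uri https://uem.example.com/api/mdm/devices -Method Put -Body $body"},
    {"time": "2025-11-07T10:02:03", "event_id": 3, "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "uem.example.com", "dest_port": 443},
    {"time": "2025-11-07T10:02:10", "event_id": 3, "pid": 2200,
     "image": r"C:\Path\To\Your\MDMAgent.exe",
     "dest_host": "uem.example.com", "dest_port": 443},
    {"time": "2025-11-07T10:03:00", "event_id": 4104, "pid": 5300,
     "script": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"time": "2025-11-07T10:03:30", "event_id": 3, "pid": 5300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "update.example.net", "dest_port": 443},
]


def _ts(event) -> datetime:
    return datetime.fromisoformat(event["time"])


def mdm_connections_from_unexpected_images(events):
    """Sysmon EID 3 records whose destination is an MDM API host but whose image is not the agent."""
    return [e for e in events
            if e["event_id"] == 3
            and e["dest_host"] in MDM_API_HOSTS
            and e["image"] not in ALLOWED_MDM_IMAGES]


def correlate(events):
    """Join each suspicious MDM connection with script blocks from the same pid inside JOIN_WINDOW."""
    scripts_by_pid = defaultdict(list)
    for e in events:
        if e["event_id"] == 4104:
            scripts_by_pid[e["pid"]].append(e)
    findings = []
    for conn in mdm_connections_from_unexpected_images(events):
        related = [s for s in scripts_by_pid[conn["pid"]]
                   if abs(_ts(s) - _ts(conn)) <= JOIN_WINDOW]
        findings.append({
            "pid": conn["pid"],
            "image": conn["image"],
            "dest_host": conn["dest_host"],
            # ntpath handles Windows paths even when this runs on a non-Windows SIEM host
            "interpreter": ntpath.basename(conn["image"]).lower() in INTERPRETERS,
            "scripts": [s["script"] for s in related],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({'interpreter' if f['interpreter'] else 'binary'}) -> {f['dest_host']}")
        for script in f["scripts"]:
            print("   script block:", script)
```

The connection-side filter is the cheap, always-on part of the rule; the script-block join is what turns an alert into something an analyst can act on, because it names the script text (or, for the .NET variant, leaves `scripts` empty while still flagging the unexpected image). Script block logging must be enabled for Event ID 4104 to exist at all, which is why the recommendation above starts with turning that logging on.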

Enhance Endpoint Protection

Deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to identify and block Airstalk malware variants. Leverage behavioral analysis and machine learning-based detection capabilities to identify suspicious activity patterns that may indicate compromise. Ensure endpoint protection platforms are configured to detect PowerShell execution anomalies, unauthorized API interactions, and unusual network communication patterns associated with the malware.

Indicators of Compromise (IoCs)

SHA256 Hash Values

The following SHA256 hash values are associated with Airstalk malware samples:

  • 0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde
  • 1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5
  • dfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533
  • b6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b
  • 4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5
  • 3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5

Security teams should incorporate these Airstalk malware indicators into threat intelligence platforms and endpoint detection systems to identify potential compromise.

MITRE ATT&CK TTPs

Initial Access and Execution Techniques

Initial Access (TA0001): Airstalk malware utilizes Supply Chain Compromise (T1195) to gain initial access to target environments through trusted vendor relationships and Business Process Outsourcing providers.

Execution (TA0002): The malware employs Command and Scripting Interpreter (T1059) techniques, specifically PowerShell (T1059.001) execution, to run malicious code within compromised systems.

Persistence and Defense Evasion

Persistence (TA0003): Airstalk establishes persistence through Scheduled Task/Job (T1053) mechanisms, specifically using Scheduled Task (T1053.005) capabilities to maintain long-term access to compromised environments.

Defense Evasion (TA0005): The malware uses System Binary Proxy Execution (T1218) techniques to evade security controls and blend malicious activity with legitimate system processes.

Credential Access and Discovery

Credential Access (TA0006): Airstalk targets Credentials from Password Stores (T1555), specifically Credentials from Web Browsers (T1555.003), to harvest authentication tokens and session cookies for unauthorized access.

Discovery (TA0007): The malware performs File and Directory Discovery (T1083) and Browser Information Discovery (T1217) to identify valuable data and understand the compromised environment.

Collection and Exfiltration

Collection (TA0009): Airstalk employs Screen Capture (T1113) capabilities to collect visual information from compromised systems, supplementing browser data theft operations.

Exfiltration (TA0010): The malware uses Exfiltration Over Web Service (T1567) techniques to transmit stolen data through legitimate enterprise APIs and MDM infrastructure.

Command and Control

Command and Control (TA0011): Airstalk establishes covert communication channels using Web Service (T1102) and Application Layer Protocol (T1071) techniques, leveraging Workspace ONE APIs to blend malicious traffic with legitimate MDM communications.

References

For comprehensive technical analysis and detailed information about Airstalk malware, security professionals can access the following authoritative source:

Palo Alto Networks Unit 42 Research: https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/

Report Information:

  • Threat Level: Amber
  • Admiralty Code: A1
  • Publication Date: November 7, 2025
  • Affected Platform: Windows Operating Systems
  • Threat Cluster: CL-STA-1009
  • Geographic Impact: Worldwide
