
An Investigation Into Years of Undetected Operations Targeting High-Value Sectors

Since 2020, a Chinese threat actor tracked as CL-UNK-1068 has targeted critical infrastructure in Asia for cyberespionage. The group utilizes a diverse, cross-platform toolkit including web shells, custom Go-based scanners, modified Fast Reverse Proxy (FRP) for tunneling, and legacy Python executables for DLL side-loading to maintain stealth, escalate privileges, and exfiltrate sensitive data.

Confidence: high | Analyzed: 2026-03-06

Authors: Unit 42

Actors: CL-UNK-1068, Chinese threat actors

Source: Palo Alto Networks

IOCs · 3

Key Takeaways

  • CL-UNK-1068 is a Chinese threat actor targeting critical infrastructure in Asia since at least 2020, likely motivated by cyberespionage.
  • The group heavily utilizes DLL side-loading by placing malicious 'python20.dll' files alongside legacy Python executables to execute shellcode in memory.
  • Data exfiltration is stealthily conducted by archiving files with WinRAR, Base64-encoding them with certutil, and printing the output to the screen via web shells.
  • The threat actor deploys custom tools like ScanPortPlus (a Go-based scanner) and SuperDump alongside modified open-source utilities like FRP and Xnote.
  • Privilege escalation is achieved using known vulnerabilities (CVE-2021-4034, CVE-2023-34048) and tools like PrintSpoofer and Sliver.

Affected Systems

  • Windows Server
  • Linux Server
  • Microsoft SQL Server
  • VMware vCenter Server
  • IIS Web Servers

Vulnerabilities (CVEs)

  • CVE-2021-4034 (PwnKit - Local Privilege Escalation on Linux)
  • CVE-2023-34048 (VMware vCenter Server Out-of-Bounds Write RCE)

Attack Chain

Attackers gain initial access by deploying web shells (GodZilla, AntSword) on vulnerable web servers. They perform extensive host and network reconnaissance using custom batch scripts and tools like SuperDump. Privilege escalation is achieved via tools like PrintSpoofer, Sliver, or exploits like PwnKit. Persistence and lateral movement are facilitated by custom FRP tunnels and DLL side-loading via legacy Python executables. Finally, sensitive data and configuration files are archived with WinRAR, Base64-encoded using certutil, and exfiltrated by reading the text output directly through the web shell.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Cortex XDR, Palo Alto NGFW

The article does not provide raw detection rules but mentions that Palo Alto Networks provides Threat Prevention signatures and Cortex XDR Analytics BIOCs to detect uncommon process communications and sensitive file discovery.

Detection Engineering Assessment

  • EDR Visibility: High — The attack relies heavily on process execution (cmd.exe, rar.exe, certutil.exe), file writes (web shells, .rar files), and registry modifications, which are highly visible to EDR sensors.
  • Network Visibility: Medium — FRP tunnels and web shell traffic can blend in with legitimate web traffic, but custom FRP proxy names and unique C2 ports offer detection opportunities.
  • Detection Difficulty: Moderate — While the attackers use LOLBins and legitimate Python executables, the specific combinations (e.g., certutil encoding rar files, python side-loading python20.dll) create distinct behavioral signatures.

Required Log Sources

  • Event ID 4688 (Process Creation)
  • Event ID 11 (FileCreate)
  • Event ID 4624 (Logon)
  • Event ID 104 (Log clear)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
  • Look for certutil.exe being used to encode .rar or .zip files, indicating potential data exfiltration staging. | Process Execution (Event ID 4688) with command line arguments containing '-encode' and archive extensions. | Exfiltration | Low
  • Monitor for w3wp.exe or sqlservr.exe spawning cmd.exe followed by archiving tools like rar.exe or certutil.exe. | Process Ancestry / Process Creation logs. | Execution | Low
  • Search for legacy Python executables (python.exe, pythonw.exe) loading a DLL named python20.dll from non-standard directories like c:\temp. | Image Load (Event ID 7) or File Creation (Event ID 11). | Defense Evasion | Medium
  • Identify execution of batch scripts with names like hp.bat, hpp.bat, or cl.bat that sequentially run multiple discovery commands (e.g., ipconfig, systeminfo, wevtutil). | Process Execution (Event ID 4688) showing rapid, sequential execution of built-in discovery tools. | Discovery | Medium

Control Gaps

  • Lack of strict egress filtering allowing FRP tunnels to establish outbound connections.
  • Insufficient monitoring of web server and SQL server child processes.

Key Behavioral Indicators

  • Web server processes (w3wp.exe, sqlservr.exe) spawning cmd.exe.
  • certutil -encode used specifically on archive files.
  • python.exe loading python20.dll from unusual paths.
  • wevtutil clearing multiple event logs sequentially.
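The four hunting hypotheses and the key behavioral indicators above can be expressed as one pass over normalized process-creation (Event ID 4688) and Sysmon Image Load (Event ID 7) telemetry. The script below is an added example written for this page, not code from Unit 42 or Palo Alto Networks. It assumes a simple flattened event schema (ts, event_id, pid, ppid, image, cmdline, loaded), a 60-second window for "rapid, sequential" discovery, and a short list of directories where a python*.dll load is considered expected; the sample events are constructed to exercise each rule plus two benign look-alikes.

```python
"""Hunt logic for the CL-UNK-1068 behaviours listed above (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed normalised schema: ts, event_id, pid, ppid, image, cmdline, loaded.
ARCHIVE_EXT = re.compile(r"\.(rar|zip|7z)\b", re.IGNORECASE)
WEB_DB_PARENTS = {"w3wp.exe", "sqlservr.exe"}
STAGING_TOOLS = {"rar.exe", "certutil.exe"}
RECON_BATCH = {"hp.bat", "hpp.bat", "cl.bat"}          # names from the report
DISCOVERY_TOOLS = {"ipconfig.exe", "systeminfo.exe", "wevtutil.exe", "whoami.exe",
                   "net.exe", "tasklist.exe", "netstat.exe"}
# Assumed list of directories where python*.dll loads are expected.
PYTHON_OK_PREFIXES = ("c:\\program files", "c:\\program files (x86)", "c:\\python")
WINDOW = timedelta(seconds=60)                          # assumed "rapid" window


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of (rule, detail) findings over the supplied events."""
    hits = []
    procs = {e["pid"]: e for e in events if e["event_id"] == 4688}
    per_parent = defaultdict(list)          # discovery tool runs keyed by parent pid

    for e in sorted(events, key=lambda x: x["ts"]):
        img = basename(e["image"])
        cmd = e["cmdline"].lower()
        if e["event_id"] == 4688:
            # H1: certutil -encode applied to an archive (exfil staging)
            if img == "certutil.exe" and "-encode" in cmd and ARCHIVE_EXT.search(cmd):
                hits.append(("certutil_encodes_archive", cmd))
            # H2: web/SQL server process -> cmd.exe -> rar.exe / certutil.exe
            parent = procs.get(e["ppid"])
            grand = procs.get(parent["ppid"]) if parent else None
            if (img in STAGING_TOOLS and parent and basename(parent["image"]) == "cmd.exe"
                    and grand and basename(grand["image"]) in WEB_DB_PARENTS):
                hits.append(("webserver_cmd_staging",
                             f"{basename(grand['image'])} > cmd.exe > {img}"))
            # H4a: recon batch scripts by name
            if img == "cmd.exe" and any(b in cmd for b in RECON_BATCH):
                hits.append(("recon_batch_script", cmd))
            if img in DISCOVERY_TOOLS:
                per_parent[e["ppid"]].append((e["ts"], img, cmd))
        elif e["event_id"] == 7:
            # H3: legacy python.exe/pythonw.exe loading python20.dll from a non-standard path
            dll = e["loaded"].lower()
            if (img in {"python.exe", "pythonw.exe"} and basename(dll) == "python20.dll"
                    and not dll.startswith(PYTHON_OK_PREFIXES)):
                hits.append(("python20_sideload", dll))

    # H4b: >=3 distinct discovery tools from one parent inside WINDOW;
    # KBI: wevtutil clearing two or more different event logs.
    for ppid, rows in per_parent.items():
        for i, (t0, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - t0 <= WINDOW]
            if len({tool for _, tool, _ in window}) >= 3:
                hits.append(("rapid_discovery", f"ppid={ppid}"))
                break
        cleared = {c.split()[-1] for _, tool, c in rows if tool == "wevtutil.exe" and " cl " in c}
        if len(cleared) >= 2:
            hits.append(("multi_log_clear", ",".join(sorted(cleared))))
    return hits


# --- Constructed sample telemetry (not real logs from the report) ----------
T0 = datetime(2026, 3, 6, 10, 0, 0)


def ev(secs, event_id, pid, ppid, image, cmdline="", loaded=""):
    return {"ts": T0 + timedelta(seconds=secs), "event_id": event_id, "pid": pid,
            "ppid": ppid, "image": image, "cmdline": cmdline, "loaded": loaded}


SAMPLE_EVENTS = [
    ev(0, 4688, 100, 1, r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ev(5, 4688, 200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c c:\temp\hp.bat"),
    ev(6, 4688, 201, 200, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ev(7, 4688, 202, 200, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ev(8, 4688, 203, 200, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ev(30, 4688, 210, 200, r"c:\temp\rar.exe", "rar.exe a -df host.rar *.txt"),
    ev(40, 4688, 211, 200, r"C:\Windows\System32\certutil.exe", "certutil -encode host.rar host.txt"),
    ev(60, 4688, 220, 200, r"c:\temp\python\python.exe", "python.exe"),
    ev(61, 7, 220, 200, r"c:\temp\python\python.exe", loaded=r"c:\temp\python\python20.dll"),
    ev(90, 4688, 230, 200, r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ev(91, 4688, 231, 200, r"C:\Windows\System32\wevtutil.exe", "wevtutil cl System"),
    ev(92, 4688, 232, 200, r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Application"),
    # Benign look-alikes: certutil on a certificate, and a normal python27.dll load.
    ev(100, 4688, 300, 50, r"C:\Windows\System32\certutil.exe", "certutil -encode server.cer server.txt"),
    ev(101, 7, 310, 50, r"C:\Program Files\Python27\python.exe", loaded=r"C:\Program Files\Python27\python27.dll"),
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

Against the sample set this yields seven findings (the ancestry rule fires once each for rar.exe and certutil.exe) and nothing for the two benign events. The parent/grandparent lookup depends on the 4688 events for w3wp.exe and cmd.exe being in the same batch, so in production the process table should be keyed by host and pid and warmed from historical data, not built from the query window alone.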

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Isolate potentially compromised web and SQL servers from the network.
  • Block known C2 IP addresses associated with FRP tunnels.
  • Search for and remove unauthorized web shells in IIS directories (c:\inetpub\wwwroot).

Infrastructure Hardening

  • Implement strict egress filtering to block unauthorized tunneling tools like FRP.
  • Apply patches for known vulnerabilities like CVE-2021-4034 and CVE-2023-34048.
  • Ensure Network Level Authentication (NLA) is enforced for RDP and monitor registry keys that disable it.

User Protection

  • Deploy EDR solutions to monitor for suspicious child processes spawned by web services.
  • Restrict execution of LOLBins like certutil.exe where not required for business operations.

Security Awareness

  • Train SOC analysts to recognize behavioral anomalies like legitimate binaries being used for DLL side-loading.
  • Educate administrators on the risks of leaving legacy configuration files or database backups in web-accessible directories.

MITRE ATT&CK Mapping

  • T1505.003 - Server Software Component: Web Shell
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1003.001 - OS Credential Dumping: LSASS Memory
  • T1074.001 - Data Staged: Local Data Staging
  • T1005 - Data from Local System
  • T1090 - Proxy
  • T1068 - Exploitation for Privilege Escalation
  • T1070.001 - Indicator Removal: Clear Windows Event Logs

Additional IOCs

  • IPs:
    • 13[.]250[.]108[.]65 - Associated IP address
    • 43[.]255[.]189[.]67 - Associated IP address
    • 107[.]148[.]33[.]60 - Associated IP address
    • 107[.]148[.]51[.]251 - Associated IP address
    • 107[.]148[.]130[.]22 - Associated IP address
  • File Hashes:
    • 524734501be19e9ed1bfab304b0622a2263a4f9e3db0971f3fae93f7e7369c20 (SHA256) - Shellcode loader (m.exe/l.exe)
    • 26483f0886078cc9f5f9912d3ffce1301e297b435920ab1c86c9107bbdce4db2 (SHA256) - Mimikatz shellcode binary (m.bin)
    • 8a3345f0d8f1a7d78ea485ae11358cf2ae3d51cb7975524d6d67ba05a08a37ea (SHA256) - LsaRecorder (ls.exe)
    • c880936ba0ca153719c2cca33c1925a9480d28abc88cf4daa02f34cc8cc1c9e5 (SHA256) - SQL Server Management Studio Password Export Tool (ssms.exe)
    • 8d3907d56b1dd1609053cb55dd66f33499e1ea091133df76d8fe6f08f25f37b2 (SHA256) - ScanPortPlus Linux version (sp/spp)
    • e1ff808321ce952384b7fff720584c48ec0fd36480d6bc9ac0d5db036102c368 (SHA256) - FRP Linux version (nginx/httpd)
    • 96f52e4666aa8df67f8d7d00a523cd25e11402108157156775603b3d9514925c (SHA256) - CVE-2023-34048 Python Executable (vc.exe)
    • f7c73b1ac9aff545b184ec7121f2bc706c5064dc3c17f59e9a39469031bf2ef6 (SHA256) - srunas.exe privilege escalation tool
    • b87cee18720c176c1972cf5c74e3c09877177e0c49c34a04b910bb3c70839b71 (SHA256) - Xnote Linux backdoor (80/iptable6)
    • edc0287da3c6bb62a7b2fd3949be5688628fc0e893b5822bd5734a63c39f7ab1 (SHA256) - SuperDump reconnaissance tool (super.exe/superdump.exe)
    • 8af434c2af2d901694cb27ec8639e7054f84938110a5cc4492c1bac597026d50 (SHA256) - PwnKit exploit (PwnKit.so)
    • ce20c033dcadf17d9cca325869f946efdd82ab0756fa56e262b6f573252d457c (SHA256) - PrintProgram privilege escalation tool
    • 52c817465a56ccd0fb4e914a3274a9e9a93e872583e6239bc6461e4f3e40c567 (SHA256) - Sliver agent (agent.exe)
  • Registry Keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP - Modified to disable Network Level Authentication (NLA) for RDP.
  • File Paths:
    • c:\inetpub\wwwroot\ - Target directory for web shell deployment and configuration file theft.
    • c:\temp\python - Directory used to stage the legitimate Python executable and malicious DLL.
    • C:\Users\$USER$\AppData\Roaming\Microsoft\SQL Server Management Studio\12.0\sqlstudio.bin - Targeted file containing saved SSMS connection info.
    • /etc/hosts - Targeted by Linux tools for reconnaissance.
    • /dev/shm/nginx - Location of disguised FRP binary on Linux.
  • Command Lines:
    • Purpose: Base64 encode an archive for stealthy exfiltration via web shell text output. | Tools: certutil.exe | Stage: Exfiltration | certutil -encode <source_archive> <dest_text_file>
    • Purpose: Archive reconnaissance results or stolen configuration files. | Tools: rar.exe | Stage: Collection | rar.exe a -df host.rar *.txt
    • Purpose: Clear Windows event logs to remove forensic artifacts. | Tools: wevtutil.exe | Stage: Defense Evasion | wevtutil cl Security
    • Purpose: Dump registry hives for offline credential extraction. | Tools: reg.exe | Stage: Credential Access | reg save HKLM\SYSTEM sys.hiv
    • Purpose: Extract local user account NTLM password hashes from a memory dump. | Tools: vol.exe | Stage: Credential Access | vol.exe -l log.txt -vvvv -f win.dmp windows.hashdump
  • Other:
    • frpforzhangwei - Unique authentication token found in custom FRP configurations.
    • f*ckroot123 - Unique common password found in custom FRP configurations (profanity masked by source).