In-depth analysis of threat activity we call CL-UNK-1068. We discuss their toolset, including tunneling, reconnaissance and credential theft.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 has documented a previously undisclosed Chinese threat actor cluster, CL-UNK-1068, conducting cyberespionage operations against critical sectors (aviation, energy, government, telecom, pharma) across South, Southeast, and East Asia since at least 2020. The group uses a cross-platform toolkit combining custom malware (ScanPortPlus, SuperDump), modified open-source tools (GodZilla/AntSword web shells, Fast Reverse Proxy, Xnote Linux backdoor), and LOLBINs. Key techniques include DLL side-loading via legitimate Python executables, credential theft using Mimikatz, LsaRecorder, DumpIt+Volatility, and SSMS password dumping, plus data exfiltration via Base64-encoded RAR archives. Attribution is based on Chinese-language artifacts in tool configs, use of tools shared on Chinese security forums, and targeting patterns consistent with China-aligned actors. Full IOCs including SHA256 hashes and C2 IP addresses are provided.

An Investigation Into Years of Undetected Operations Targeting High-Value Sectors

Exfiltrating Configuration Files for Access and Sensitive Data

Appendix B: CL-UNK-1068 Tools and Utilities