If you’re hoping for respite from the usual parade of cybersecurity catastrophes, you’re out of luck. Once again, critical infrastructure across South, Southeast, and East Asia has found itself under targeted assault. This time, it’s courtesy of a group identified as CL-UNK-1068, which—no surprise—has been attributed to China. The objectives are neither innovative nor mysterious: old-school cyber espionage, blended with just enough new tricks to keep defenders perpetually on their toes and CISOs forever sleep-deprived.
The Entry Point: Yet More Web Server Vulnerabilities
It’s 2026 and we’re still talking about web server vulnerabilities as an easy way in. Yes, the same ancient bugs that you thought would be history by now. This group targets public-facing servers religiously, exploiting flaws in popular enterprise apps like SharePoint and SAP NetWeaver Visual Composer—because everyone loves an "unauthenticated file upload" flaw, right?
Once that door is cracked open, the attackers waste no time planting web shells like GodZilla and AntSword. These aren’t exactly ‘rare edition’ tools, adding insult to injury. They’re on every pentester’s demo reel at security conferences, but apparently, they're still good enough for China-backed espionage campaigns. Web admins across Asia must either have nerves of steel or just big backlogs of undeployed updates.
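Since the shells described here live as script files inside the web root, the cheapest hunt is a file scan that looks for constructs benign pages rarely need. The following is an added example written for this article, not code from Unit 42 or from the campaign report: the signature categories, the two-category threshold and the sample files it builds in a temporary directory are all constructed for illustration, so tune them to your own application stack before trusting the results.

```python
"""Added example (not from the article or Unit 42): a minimal hunt over a web root
for likely web shells. Signatures, threshold and sample files are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Script types the web server will execute; everything else is skipped.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".php"}

# Heuristic categories. Any one of these appears in legitimate code now and then;
# two or more together in a single file is what web shells almost always show.
SUSPICIOUS_PATTERNS = {
    "dynamic_code_load": re.compile(
        r"Assembly\.Load|System\.Reflection|eval\s*\(|Runtime\.getRuntime", re.I),
    "request_driven_exec": re.compile(
        r"Request\.(Form|Item|Headers|Params)\s*\[|\$_(POST|GET|REQUEST)\[", re.I),
    "process_spawn": re.compile(r"Process\.Start|ProcessBuilder|cmd\.exe|/bin/sh", re.I),
    "payload_decode": re.compile(
        r"FromBase64String|base64_decode|Base64\.getDecoder", re.I),
}


@dataclass
class Finding:
    path: str
    hits: list = field(default_factory=list)
    score: int = 0


def scan_file(path):
    """Return a Finding for one file, scoring it by how many categories match."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    return Finding(path=path, hits=hits, score=len(hits))


def hunt_webroot(root, min_score=2):
    """Walk a web root (e.g. C:\\inetpub\\wwwroot) and keep files at or above min_score."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            finding = scan_file(os.path.join(dirpath, name))
            if finding and finding.score >= min_score:
                findings.append(finding)
    return sorted(findings, key=lambda f: -f.score)


# Constructed fixtures: a benign page, a form handler with one weak indicator,
# and a token-only fixture that is not a working shell but trips three categories.
SAMPLE_FILES = {
    "default.aspx": '<%@ Page Language="C#" %><html><body><h1>Payroll portal</h1></body></html>',
    "form.php": "<?php $name = $_POST['name']; echo htmlspecialchars($name); ?>",
    "upload.aspx": ("<%-- constructed test fixture, not a working shell --%>\n"
                    "Assembly.Load(...) ; Request.Item[...] ; FromBase64String(...)\n"),
}


def demo_scan():
    """Build the fixtures in a temp web root and return (name, score, hits) per finding."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return [(os.path.basename(f.path), f.score, f.hits) for f in hunt_webroot(root)]


if __name__ == "__main__":
    for name, score, hits in demo_scan():
        print(f"{name}: score={score} hits={hits}")
```

Only `upload.aspx` is reported: the form handler's single `$_POST[` hit stays below the threshold, which is the point of scoring categories rather than grepping for one token. In practice you would also filter on modification time relative to the last deployment and diff against a known-good copy of the site.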
Password Stew: Credential Theft at Industrial Scale
Now, if you think attackers just snoop around a bit and leave, think again. These folks put credential theft front and center. Mimikatz gets dusted off—for the millionth time—to scrape memory for plain old passwords and NTLM hashes. But the classics aren’t enough, so the group also brings in custom flavors like mimCN (think "pass-the-hash" on steroids), LsaRecorder for WinLogon harvesting, and a grab bag of custom scripts to loot application secrets straight from SQL Server tools. If you’re in IT and you haven’t heard of Mimikatz, congratulations on your short, stress-free career.
Living Off the Land—And Loving It
Some attackers drop malware like confetti. Not this crowd. They’d rather blend in, abusing legitimate executables already on the server (Python, really?) to load their own dirty DLLs. The technique is as old as DLLs themselves but, thanks to lousy monitoring and overworked security pros, still works beautifully. Fast Reverse Proxy (FRP) keeps their connections humming, PrintSpoofer lingers in the background, and their in-house port scanner (ScanPortPlus) quietly maps out the rest of your network. All this—camouflaged among normal system activities—makes detection an exercise in frustration.
Data Exfiltration: Subtle as a Sledgehammer
When it’s time to actually steal something, CL-UNK-1068 doesn’t get fancy. WinRAR, that ancient archiving utility everyone’s forgotten to update, gets called in to bundle up files, then certutil is used to encode the lot as Base64. From there, the bundles are simply printed to the web shell screen as text. If you’re a defender, getting data out that way looks about as subtle as a ransomware pop-up, but when your shell doesn't support file transfer, you improvise. For attackers, low tech still works just fine—you can almost hear the collective sigh of exasperation from blue teams everywhere.
Windows or Linux? Why Not Both
If you’re clinging to the hope that switching operating systems buys you safety, it’s time to give up. This gang runs its campaign across both Windows and Linux hosts, swapping out tools as needed. That means nobody’s safe—neither the old Windows box running forgotten payroll apps nor the shiny Linux cluster powering your backend databases. Cross-platform attacks aren’t the stuff of the future anymore. They’re table stakes.
Why Does This Still Work?
The whole episode raises some uncomfortable questions. How, after decades of warnings, does credential theft with Mimikatz still work so reliably? Why do web shells spread like dandelions in spring? And why do legitimate IT tools keep getting abused right under admins’ noses? Blame lethargy, resource gaps, or just plain denial—pick your poison. Critical infrastructure organizations, especially in the government and energy sectors, keep getting hit because they move slow, patch slower, and usually figure their air gaps or compliance checklists are good enough. Spoiler: they're not.
Defenders: It’s Not Hopeless—Just Ugly
To be fair, security teams do know how these attackers operate. Palo Alto Networks’ Unit 42, for example, has laid out a tidy checklist. You need to:
- Constantly audit public web servers for web shells and sketchy scripts (bonus points for actually looking in C:\inetpub\wwwroot).
- Monitor for weird credential-dumping behavior: mimikatz.exe, LSA hooks, memory snapshots—if you don’t gather these logs, just admit you’ve given up.
- Watch for oddities from legitimate tools (certutil, WinRAR, Python, etc.), because attackers love to hide behind your admins’ favorite toys.
- Scrutinize outbound tunnels and remote access paths that nobody remembers approving. If FRP is popping up in your logs, it’s time for a very uncomfortable meeting.
- Segment the network like your job depends on it—because it does. If a web server falls, you should still have a fighting chance that your database or user endpoints don’t go down with it.
The campaign’s ongoing success is a wakeup call, but let’s be honest—it’s not a new one. Attackers will keep exploiting the obvious because the obvious keeps working. Until basic security hygiene becomes everyone’s job, you can count on stories like this filling your feeds. The threats aren’t going away, they’re just getting more persistent—and a whole lot more patient. If your infrastructure’s online, it’s already on someone’s hit list. Patch, monitor, and repeat. Or don’t, and enjoy being the next headline. Your move.