All through 2024, telecom operators in Southeast Asia were targeted by a threat cluster tracked as CL-STA-0969, which is suspected to be state-directed. Threat researchers at Palo Alto Networks Unit 42 linked the activity to a covert campaign that used tailored malware and remote access utilities to secure persistent network access while remaining undetected.
Rather than exfiltrating data or causing overt disruption, the operators emphasized persistence and low visibility throughout their activity. Among the utilities deployed was Cordscan, a reconnaissance tool designed to harvest location information from mobile devices within targeted networks. Even so, no signs of exfiltration or device interaction were found in the environments Unit 42 analyzed; the researchers caution that these findings apply only to the networks they accessed, and activity may differ elsewhere.
While these tools and backdoors are fully capable of transferring data out of compromised networks, investigators did not observe any attempts to steal or exfiltrate sensitive information from the environments they reviewed. Instead, the focus appeared to be on establishing and maintaining long-term, undetected access.
The group used aggressive log-clearing and file-deletion routines, and established reverse SSH tunnels for covert remote access and control. According to the researchers, its methods strongly resemble those of Liminal Panda, a China-linked group, and align with tactics from clusters such as LightBasin (UNC1945) and UNC2891. Because some of these tactics and tools are shared with other advanced groups active in telecom espionage, attribution is complicated.
In at least one intrusion, access was gained by brute-forcing SSH credentials. That opened the door to several implants, including:
AuthDoor: a backdoor inside a PAM module, allowing login via a preset password.
GTPDOOR: a backdoor providing stealthy access and control within GPRS roaming exchanges.
EchoBackdoor: enables covert command exchange using ICMP echo packets.
ChronosRAT: offers full remote access, supporting proxying, keylogging, screenshots, and shell control.
sgsnemu: tunnels data through telecom networks to evade conventional security barriers.
NoDepDNS (MyDns): listens silently on DNS port 53 for disguised C2 instructions.
Cordscan: performs packet sniffing and internal network mapping for reconnaissance.
Additionally, public tools such as FRP, ProxyChains, Microsocks, Responder, and FScan were used. DNS tunneling and traffic proxying through compromised mobile networks provided additional cover for command-and-control operations. For privilege escalation, the actor exploited Dirty COW (CVE-2016-5195), PwnKit (CVE-2021-4034), and Baron Samedit (CVE-2021-3156). SELinux was disabled, logs were systematically cleared, and process names were routinely disguised to hinder detection and frustrate digital forensics.
Unit 42 stated that the actor demonstrated a deep understanding of telecom protocols, routing C2 traffic through mobile networks, tunneling traffic, and erasing traces as it proceeded.
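A host-level hunting sketch for several of the indicators described in this article (disguised process names, reverse SSH tunnels, a non-resolver bound to UDP/53, SELinux not enforcing), written as an added example and not taken from Unit 42's tooling. The process table, socket list and sestatus text are constructed samples; on a real host they would be read from /proc, `ss -lnup` and `sestatus`.

```python
import re
from collections import namedtuple

# comm = name shown by ps (/proc/<pid>/comm), exe = real binary (/proc/<pid>/exe)
Proc = namedtuple("Proc", "pid comm exe cmdline")

# Constructed sample host state: two benign daemons and two suspicious entries
SAMPLE_PROCS = [
    Proc(812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(2044, "ssh", "/usr/bin/ssh", "ssh -fN -R 2222:127.0.0.1:22 ops@203.0.113.10"),
    Proc(3101, "[kworker/0:1]", "/tmp/.x/mydns", "[kworker/0:1]"),
    Proc(3102, "named", "/usr/sbin/named", "/usr/sbin/named -u bind"),
]
SAMPLE_UDP_LISTENERS = [(53, 3101), (53, 3102), (123, 900)]  # (port, pid), constructed
SAMPLE_SESTATUS = "SELinux status: enabled\nCurrent mode: permissive\n"  # constructed
KNOWN_RESOLVERS = {"named", "unbound", "dnsmasq", "systemd-resolve"}

def basename(path):
    return path.rsplit("/", 1)[-1]

def find_disguised(procs):
    """Processes whose displayed name does not match the binary on disk.
    A bracketed kernel-thread style name backed by a real exe path is a classic tell."""
    return [p.pid for p in procs if p.comm.startswith("[") or p.comm != basename(p.exe)]

def find_reverse_ssh(procs):
    """ssh clients started with -R (remote port forward), i.e. a reverse tunnel."""
    pat = re.compile(r"\bssh\b.*\s-[A-Za-z]*R\s*\S+:")
    return [p.pid for p in procs if pat.search(p.cmdline)]

def find_rogue_dns_listeners(listeners, procs):
    """Anything bound to UDP/53 whose real binary is not a known resolver."""
    by_pid = {p.pid: p for p in procs}
    return [pid for port, pid in listeners
            if port == 53 and (pid not in by_pid or basename(by_pid[pid].exe) not in KNOWN_RESOLVERS)]

def selinux_weakened(sestatus):
    """True when SELinux is disabled or only permissive (anything but enforcing)."""
    m = re.search(r"Current mode:\s*(\w+)", sestatus)
    return "disabled" in sestatus.lower() or bool(m and m.group(1) != "enforcing")

def hunt(procs=SAMPLE_PROCS, listeners=SAMPLE_UDP_LISTENERS, sestatus=SAMPLE_SESTATUS):
    """Run all checks and return the findings keyed by indicator."""
    return {
        "disguised_pids": find_disguised(procs),
        "reverse_ssh_pids": find_reverse_ssh(procs),
        "rogue_dns_pids": find_rogue_dns_listeners(listeners, procs),
        "selinux_weakened": selinux_weakened(sestatus),
    }
```

Note that /proc/<pid>/comm is truncated to 15 characters, so the name comparison in find_disguised should be relaxed for long binary names before using it on a production host.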
Separately, China’s National Computer Network Emergency Response Team (CNCERT) claimed that U.S. intelligence operatives infiltrated more than 50 systems tied to military and satellite communications. The incidents, allegedly occurring between mid-2022 and mid-2023, were reportedly linked to unpatched vulnerabilities in Microsoft Exchange. Chinese military-linked institutions were also said to have been targeted through file system exploits in 2024, as both sides continue to trade accusations of cyber intrusion. As President Trump remarked last month, this tit-for-tat defines today’s world of state-level cyber operations.