Airstalk Malware Leverages AirWatch API MDM Platform to Establish Covert C2 Communication
Security researchers have uncovered a sophisticated new malware family targeting enterprise environments through a supply chain compromise.

The malware, tracked as Airstalk, represents a significant shift in how attackers exploit legitimate enterprise management tools to evade detection and maintain persistent access to compromised systems.

This discovery highlights the growing vulnerability of business process outsourcing organizations and third-party vendors who manage critical infrastructure on behalf of larger enterprises.

Airstalk exists in two distinct variants, one written in PowerShell and one in .NET; both abuse the API of AirWatch, the MDM platform now known as VMware Workspace ONE Unified Endpoint Management.

The malware’s primary distinction lies in its abuse of legitimate mobile device management infrastructure to establish command-and-control communications, allowing attackers to remain invisible to traditional security monitoring systems.

This technique enables adversaries to hide malicious traffic within legitimate management API calls, effectively bypassing network-based detection mechanisms that organizations typically rely on.

Palo Alto Networks security analysts identified the malware after discovering evidence suggesting a possible nation-state threat actor deployed Airstalk through a carefully orchestrated supply chain attack.

The research team created the threat activity cluster CL-STA-1009 to track ongoing activities related to this malware family.

The malware’s sophisticated design and multi-threaded architecture suggest substantial investment in development resources, consistent with nation-state threat actors who prioritize long-term persistence over quick operational gains.

The discovered samples demonstrate advanced capabilities including data exfiltration of sensitive browser information, screenshot capture, and sophisticated persistence mechanisms.

Both variants target Google Chrome, though the more advanced .NET variant extends its reach to Microsoft Edge and Island Browser.

The malware creates a modular framework where threat actors can selectively implement or disable specific functions, providing flexibility in operations and potentially serving as a development platform for future variants.

Covert C2 Communication Through AirWatch Dead Drop Mechanism

The most innovative aspect of Airstalk involves its implementation of a dead drop communication channel using the AirWatch MDM API’s custom device attributes feature.

[Figure: C2 execution flow of Airstalk's PowerShell variant (Source: Palo Alto Networks)]

Rather than establishing direct connections to attacker infrastructure, the malware exchanges JSON-formatted messages through the legitimate MDM platform, effectively using enterprise management tools as intermediaries for command transmission and exfiltration.

The communication protocol operates through specific API endpoints, with the malware querying the devices endpoint (/api/mdm/devices/) to retrieve and store command information.

Each message carries required fields, including CLIENT_UUID, which is derived from Windows Management Instrumentation (WMI) data, and SERIALIZED_MESSAGE, which holds a Base64-encoded JSON payload.

This design allows the malware to maintain operational security by avoiding direct network connections to suspicious infrastructure.

The C2 protocol uses message types for different operational stages, including CONNECT for initial communication, CONNECTED for acknowledgment, ACTIONS for task retrieval, and RESULT for exfiltration.

The malware also leverages the AirWatch blob upload endpoint (/api/mam/blobs/uploadblob) for transferring larger data sets, such as screenshots and stolen credentials, further obscuring malicious activity within routine management operations.
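A defender-side check built from the protocol details above: custom device attributes carrying Base64-encoded JSON, the CONNECT/CONNECTED/ACTIONS/RESULT message types, and repeated calls to the blob upload endpoint. This is an added example written for this page, not code from Palo Alto Networks or from the malware itself. The record shapes (device attribute exports and proxy log tuples), the `type` key assumed to hold the message type inside the decoded JSON, the hostnames and the burst threshold are all assumptions, and the sample records are constructed.

```python
import base64
import binascii
import json
from collections import Counter

# Message types the article attributes to Airstalk's C2 protocol.
AIRSTALK_MESSAGE_TYPES = {"CONNECT", "CONNECTED", "ACTIONS", "RESULT"}

# AirWatch endpoints named in the article.
DEVICES_ENDPOINT = "/api/mdm/devices/"
BLOB_UPLOAD_ENDPOINT = "/api/mam/blobs/uploadblob"


def decode_serialized_message(value):
    """Interpret an attribute value as Base64-encoded JSON, as the article
    describes for SERIALIZED_MESSAGE. Returns the parsed object, or None
    when the value is ordinary text, invalid Base64, or not a JSON object."""
    try:
        raw = base64.b64decode(value, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):
        # binascii.Error: not valid Base64; ValueError also covers
        # UnicodeDecodeError and JSONDecodeError.
        return None
    return obj if isinstance(obj, dict) else None


def find_dead_drop_messages(attribute_records):
    """attribute_records: iterable of (device_id, attribute_name, value)
    tuples, e.g. exported from an MDM tenant's custom device attributes
    (record shape is an assumption). Returns the records whose value decodes
    to a message carrying one of the Airstalk message types."""
    hits = []
    for device_id, attr_name, value in attribute_records:
        msg = decode_serialized_message(value)
        if msg is None:
            continue
        # The key holding the message type is an assumption; the article
        # names the types, not the field name.
        msg_type = msg.get("type", msg.get("TYPE"))
        if msg_type in AIRSTALK_MESSAGE_TYPES:
            hits.append({"device": device_id, "attribute": attr_name,
                         "message_type": msg_type})
    return hits


def find_blob_upload_bursts(request_records, threshold):
    """request_records: iterable of (client_host, url_path) tuples from a
    proxy or API gateway log (shape is an assumption). Returns the hosts
    whose uploadblob call count reaches the threshold; a single enrolled
    endpoint pushing many blobs is worth review given the article's
    description of screenshot and credential exfiltration."""
    counts = Counter(host for host, path in request_records
                     if path == BLOB_UPLOAD_ENDPOINT)
    return {host: n for host, n in counts.items() if n >= threshold}


def _b64_json(obj):
    """Helper used only to build the constructed sample values below."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


# Constructed sample data: one benign attribute, two dead-drop style
# messages, one Base64 string that is not JSON, and a non-object JSON value.
SAMPLE_ATTRIBUTES = [
    ("WS-0001", "AssetTag", "LAPTOP-4471"),
    ("WS-0002", "Notes", _b64_json({"type": "CONNECT",
                                    "CLIENT_UUID": "00000000-0000-0000-0000-000000000001"})),
    ("WS-0003", "Notes", _b64_json({"type": "RESULT", "data": "..."})),
    ("WS-0004", "Notes", "aGVsbG8gd29ybGQ="),   # "hello world", not JSON
    ("WS-0005", "Notes", _b64_json([1, 2, 3])),  # JSON, but not an object
]

# Constructed proxy log tuples: host 10.0.0.5 uploads three blobs.
SAMPLE_REQUESTS = [
    ("10.0.0.5", BLOB_UPLOAD_ENDPOINT),
    ("10.0.0.5", DEVICES_ENDPOINT),
    ("10.0.0.5", BLOB_UPLOAD_ENDPOINT),
    ("10.0.0.5", BLOB_UPLOAD_ENDPOINT),
    ("10.0.0.9", BLOB_UPLOAD_ENDPOINT),
    ("10.0.0.9", DEVICES_ENDPOINT),
]

if __name__ == "__main__":
    for hit in find_dead_drop_messages(SAMPLE_ATTRIBUTES):
        print("dead-drop style message:", hit)
    for host, n in find_blob_upload_bursts(SAMPLE_REQUESTS, threshold=3).items():
        print(f"{host}: {n} uploadblob calls")
```

Run against real exports, the attribute scan is the higher-signal check: legitimate custom attributes rarely hold Base64 that decodes to a JSON object, so any hit deserves inspection even before the message type is matched. The upload-burst count is a coarser heuristic and the threshold should be tuned to the tenant's normal blob traffic.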

This sophisticated approach transforms trusted enterprise tools into channels for espionage, presenting organizations with an unprecedented detection challenge.

The post Airstalk Malware Leverages AirWatch API MDM Platform to Establish Covert C2 Communication appeared first on Cyber Security News.

Source: cybersecuritynews.com
