Blog, News & Press Releases - Field Effect

New nation-state malware targets BPOs by abusing the AirWatch API

Written by Field Effect Security Intelligence Team | Oct 31, 2025 7:51:21 PM

On October 29, 2025, Palo Alto Networks’ Unit 42 reported on a Windows-based malware family named Airstalk, deployed by a newly designated suspected nation-state threat actor tracked as CL-STA-1009.

This actor is believed to be conducting long-term espionage campaigns targeting business process outsourcing (BPO) providers that deliver services such as customer support, IT operations, and finance management to multiple organizations. The campaign began in mid-2024, with signed binaries submitted to malware repositories between July and December 2024.

Airstalk exists in both PowerShell and .NET variants and uses the AirWatch mobile device management application programming interface (API) to establish covert command-and-control channels.

AirWatch, since rebranded as Workspace ONE Unified Endpoint Management (UEM) and now maintained by Omnissa following its spin-off from VMware, is a remote device management solution used by enterprises to configure devices, enforce security policies, and monitor compliance across platforms including Windows, macOS, iOS, and Android.

The .NET variant of Airstalk, observed in samples signed with a since-revoked certificate issued in June 2024, includes multi-threaded communication, browser session exfiltration, and screenshot capture. The PowerShell variant was first detected in January 2025.

CL-STA-1009 uses stolen code-signing certificates and manipulated signing timestamps to evade endpoint detection and maintain persistence. The malware targets browser data from Microsoft Edge and Island Browser, and routes its command-and-control traffic through legitimate management APIs so that it blends in with normal MDM activity. Because that traffic looks like routine management-platform use, it passes perimeter defenses that trust the platform, and a foothold in a BPO lets the actor exploit the trusted relationships between the BPO and its clients.
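The covert-channel behaviour described above gives defenders something concrete to hunt for: calls to the UEM REST API that do not originate from the MDM agent, or that recur on a fixed timer the way a beacon does. The script below is an added example written for this page, not code from Field Effect, Unit 42 or Omnissa, and it is not an Airstalk signature. The log layout, tenant hostname, device IDs, API paths and the agent-process allowlist are constructed assumptions; replace them with your own endpoint telemetry and the real names of your MDM agent binaries.

```python
"""Hunt for Airstalk-style misuse of the AirWatch / Workspace ONE UEM REST API.

Added example, not code from Field Effect, Unit 42 or Omnissa. The log layout,
hostname, device IDs, API paths and the agent-process allowlist are assumptions
made for this example; swap in your own telemetry before using the logic.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Assumed UEM tenant host and the API path prefix to watch. Workspace ONE's REST
# API is served under /API/; the specific device paths below are constructed.
UEM_HOSTS = {"uem.example.com"}
UEM_API_PREFIX = "/api/"

# Placeholder allowlist of images expected to talk to the UEM API. Confirm the
# real agent binary names on your own endpoints before deploying this rule.
EXPECTED_AGENT_PROCESSES = {"awacmclient.exe", "awwindowsipc.exe", "taskscheduler.exe"}

MIN_BEACON_EVENTS = 4   # need a few samples before judging interval regularity
MAX_BEACON_CV = 0.10    # coefficient of variation below this is suspiciously regular

# Constructed endpoint telemetry: "<utc-timestamp> <host> <process image> <url>".
SAMPLE_LOG = r"""
2025-01-14T09:00:02Z ws-017 C:\Program Files (x86)\AirWatch\AgentUI\AWACMClient.exe https://uem.example.com/API/mdm/devices/search
2025-01-14T09:00:10Z ws-017 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe https://uem.example.com/API/mdm/devices/1001/customattributes
2025-01-14T09:00:05Z ws-042 C:\Program Files (x86)\AirWatch\AgentUI\AWACMClient.exe https://uem.example.com/API/mdm/devices/1002/profiles
2025-01-14T09:01:10Z ws-017 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe https://uem.example.com/API/mdm/devices/1001/customattributes
2025-01-14T09:02:10Z ws-017 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe https://uem.example.com/API/mdm/devices/1001/customattributes
2025-01-14T09:03:10Z ws-017 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe https://uem.example.com/API/mdm/devices/1001/customattributes
2025-01-14T09:03:40Z ws-042 C:\Program Files (x86)\AirWatch\AgentUI\AWACMClient.exe https://uem.example.com/API/mdm/devices/1002/profiles
2025-01-14T09:04:10Z ws-017 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe https://uem.example.com/API/mdm/devices/1001/customattributes
2025-01-14T09:05:30Z ws-042 C:\Users\jdoe\AppData\Local\Temp\updater.exe https://uem.example.com/API/mdm/devices/1002/customattributes
2025-01-14T09:06:00Z ws-042 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe https://www.example.org/index.html
2025-01-14T09:11:12Z ws-042 C:\Program Files (x86)\AirWatch\AgentUI\AWACMClient.exe https://uem.example.com/API/mdm/devices/1002/profiles
2025-01-14T09:12:00Z ws-042 C:\Program Files (x86)\AirWatch\AgentUI\AWACMClient.exe https://uem.example.com/API/mdm/devices/1002/profiles
2025-01-14T09:34:50Z ws-017 C:\Program Files (x86)\AirWatch\AgentUI\AWACMClient.exe https://uem.example.com/API/mdm/devices/search
"""

# Process image may contain spaces, so capture it non-greedily and anchor on the URL.
LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) (https?://\S+)$")


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    reason: str   # "non_agent_process" or "beaconing"
    detail: str


def parse_line(line):
    """Return (timestamp, host, image basename lowercased, url) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, image, url = m.groups()
    name = re.split(r"[\\/]", image)[-1].lower()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, name, url


def is_uem_api_call(url):
    u = urlparse(url)
    return u.hostname in UEM_HOSTS and u.path.lower().startswith(UEM_API_PREFIX)


def find_suspicious(log_text):
    """Group UEM API calls by (host, process) and flag unexpected images and beacons."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_uem_api_call(parsed[3]):
            events[(parsed[1], parsed[2])].append(parsed[0])

    findings = []
    for (host, proc), stamps in sorted(events.items()):
        if proc not in EXPECTED_AGENT_PROCESSES:
            findings.append(Finding(host, proc, "non_agent_process",
                                    f"{len(stamps)} UEM API call(s) from unexpected image"))
        if len(stamps) >= MIN_BEACON_EVENTS:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            # Near-constant inter-arrival time is the signature of a timer-driven beacon.
            if mean > 0 and statistics.pstdev(gaps) / mean < MAX_BEACON_CV:
                findings.append(Finding(host, proc, "beaconing",
                                        f"{len(stamps)} calls, mean gap {mean:.0f}s"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.host:8} {f.process:18} {f.reason:18} {f.detail}")
```

On the constructed sample this yields three findings: powershell.exe on ws-017 is flagged both as a non-agent caller and as a beacon (five calls exactly 60 seconds apart), and the Temp-directory updater.exe on ws-042 is flagged as a non-agent caller; the real agent's irregular check-ins and the PowerShell request to an unrelated site produce nothing. Two caveats before alerting on this: the allowlist matches on image name only, so pair it with signer or hash checks, and the legitimate agent's own scheduled check-in cadence can be just as regular as a beacon, so baseline it and suppress it explicitly rather than raising the threshold.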

Analyst insight

By compromising a single BPO, threat actors can gain indirect access to multiple organizations. The campaign’s focus on browser session data and screenshots indicates an intent to capture sensitive operational and customer information.

The tactics suggest a preference for stealthy, persistent access rather than immediate disruption. AirWatch’s widespread use in enterprise environments makes it a strategic vector for covert malware operations.

Field Effect MDR helps mitigate threats like Airstalk by monitoring endpoint, network, and cloud environments 24/7 for behavioral anomalies that signal covert activity.

It detects misuse of legitimate tools, such as AirWatch, flags unauthorized browser data access, and blocks execution of signed malware binaries designed to evade traditional defenses.

With centralized visibility and automated response capabilities, Field Effect MDR enables security teams and managed service providers to contain supply chain threats quickly, reduce dwell time, and limit exposure across multi-tenant environments targeted by actors like CL-STA-1009.