A newly discovered Windows malware family named Airstalk steals browser credentials and session data and exfiltrates them over a covert command-and-control (C2) channel built on a legitimate management API.
Available in PowerShell and .NET variants, the malware supports multi-threaded communications and versioning, and abuses legitimate mobile device management (MDM) infrastructure for its C2.
The malware abuses the AirWatch API, now part of Workspace ONE Unified Endpoint Management (UEM), turning a legitimate management platform into a covert communication channel.
Airstalk uses the custom device attributes feature of the AirWatch MDM API as a "dead drop": the implant and the operator each read and write attribute values on the MDM server, so encrypted messages are exchanged without any direct connection between attacker and victim.
Because both sides only ever talk to a trusted management endpoint, the traffic blends in with normal MDM activity, which lets the actors keep access to the victim without standing out.
The malware collects browser data (cookies, history, bookmarks) and screenshots. It uses the /api/mdm/devices/ endpoint for command and control and /api/mam/blobs/uploadblob for exfiltration of larger payloads.
Palo Alto Networks researchers identified this malware as part of a suspected nation-state supply chain attack, tracking the activity under threat cluster CL-STA-1009.
What distinguishes Airstalk from typical information stealers is that its C2 traffic goes to a trusted systems-management service rather than to attacker infrastructure, so it can run without raising suspicion.
The PowerShell variant targets Google Chrome, while the .NET variant extends reach to Microsoft Edge and Island Browser.
The C2 protocol uses JSON messages with two main fields: CLIENT_UUID, which holds the compromised device's identifier retrieved through Windows Management Instrumentation (WMI), and SERIALIZED_MESSAGE, which carries Base64-encoded instructions. The protocol defines message types such as CONNECT, CONNECTED, ACTIONS, and RESULT.
For defense evasion the binaries are code-signed with a certificate issued to Aoteng Industrial Automation (Langfang) Co., Ltd.; the certificate was revoked 10 minutes after issuance. A revoked signing certificate only helps defenders whose signature validation actually checks revocation status, so do not rely on the revocation alone to block these samples.
The .NET variant's multi-threaded architecture separates core functions into parallel threads: one manages tasks, one uploads debug output to the attackers every 10 minutes, and one beacons periodically to signal that the infection is still active.
The implementation distinguishes the three streams with suffix identifiers: -kd for debugging, -kr for task synchronization, and -kb for connection establishment.
Credential harvesting relies on Chrome's remote debugging interface to pull cookies out of active sessions rather than decrypting the on-disk cookie database.
The PowerShell variant restarts Chrome with command-line parameters that load the targeted profiles and enable remote debugging, then issues debugging commands to dump the cookies.
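The relaunch described above leaves a clear mark in process-creation telemetry: a browser started with a remote-debugging switch, usually by a script host, usually with an explicit profile. The following is an added hunting example written for this page; it is not code from the Unit 42 report or from Airstalk. The events are constructed, Sysmon-style process-creation records (Image, ParentImage, CommandLine), and the scoring weights and threshold are assumptions to be tuned against your own baseline.

```python
"""Hunt for a browser relaunched with remote debugging enabled (cookie-theft primitive).

Added example, not code from the report or from the malware. SAMPLE_EVENTS are
constructed Sysmon-style records; the weights in analyze_event are assumptions.
"""
import re
from typing import Dict, List

BROWSERS = {"chrome.exe", "msedge.exe"}  # add the Island Browser image name if it is deployed
DEBUG_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe")
PROFILE_FLAGS = ("--user-data-dir", "--profile-directory")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted path or bare token


def command_flags(cmdline: str) -> set:
    """Return the lower-cased names of all --flags on a Windows command line (values dropped)."""
    return {t.split("=", 1)[0].lower() for t in TOKEN_RE.findall(cmdline) if t.startswith("--")}


def analyze_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event; higher means closer to the Airstalk cookie dump."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    flags = command_flags(ev["CommandLine"])
    score, reasons = 0, []
    if image in BROWSERS and any(f in flags for f in DEBUG_FLAGS):
        score += 50
        reasons.append("remote debugging enabled")
        if any(f in flags for f in PROFILE_FLAGS):
            score += 20
            reasons.append("explicit profile or user-data-dir selected")
        if parent in SCRIPT_HOSTS:
            score += 30
            reasons.append(f"launched by {parent}")
        if "--headless" in flags:
            score += 10
            reasons.append("headless")
    return {"image": image, "parent": parent, "score": score, "reasons": reasons}


def hunt(events: List[Dict[str, str]], threshold: int = 50) -> List[Dict[str, object]]:
    """Return the scored events at or above the threshold, in input order."""
    return [r for r in map(analyze_event, events) if r["score"] >= threshold]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
USERDATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"

SAMPLE_EVENTS = [  # constructed telemetry, not real events
    # ordinary user launch from the shell
    {"Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}" --profile-directory=Default'},
    # script host relaunches Chrome headless on the victim's profile with a debug port
    {"Image": CHROME, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9222 --headless=new '
                    f'--user-data-dir="{USERDATA}" --profile-directory=Default'},
    # same pattern against Edge
    {"Image": EDGE, "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": f'"{EDGE}" --remote-debugging-port=9229 --user-data-dir=C:\\EdgeProfile'},
    # developer testing DevTools from the desktop: lower score, still worth a look
    {"Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9222'},
    # not a browser at all
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -nop -w hidden"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "<-", hit["parent"], "|", "; ".join(hit["reasons"]))
```

Scoring rather than a single string match keeps developer use of DevTools (a browser started from the desktop with only the debug port) visible at a low score while the script-host-plus-profile-plus-headless combination the page describes rises well above it. Match the image name case-insensitively and on the file name only, as above, since attackers can run the browser from a copied or renamed install path.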
The code uses the UploadResult function to transmit stolen data. Each message written to the dead drop is a custom-attribute record of the following form:

{
    "Name": "<CLIENT_UUID>",
    "Value": "<SERIALIZED_MESSAGE>",
    "Uuid": "<CLIENT_UUID>",
    "Application": "services.exe",
    "ApplicationGroup": "services"
}

When handling large data, Airstalk uses the blobs feature to upload the content instead. The serialized message follows a nested schema: the outer JSON record carries the device identification, and the encoded payload inside it carries the actual message.
The .NET variant adds versioning support and has evolved through versions 13 and 14. Its execution flow runs the parallel threads described above, while the debug function periodically uploads the log.
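To make the dead-drop protocol concrete, here is an added example that builds and decodes custom-attribute records of the shape shown above and triages an exported list of attributes for protocol traffic. It is written for this page and is not code from the Unit 42 report or from the malware. The outer record layout, the -kd/-kr/-kb suffixes and the CONNECT/CONNECTED/ACTIONS/RESULT types come from the write-up; the inner field names ("type", "data"), the assumption that the suffix is appended to the attribute Name, the sample UUID and the sample exchange are constructed for illustration.

```python
"""Build, decode and triage Airstalk-style dead-drop records in AirWatch custom attributes.

Added example; not code from the Unit 42 report or from the malware. The inner
message fields ("type", "data"), the Name = CLIENT_UUID + suffix assumption and
SAMPLE_RECORDS are constructed assumptions.
"""
import base64
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

SUFFIXES = {"-kd": "debug", "-kr": "task_sync", "-kb": "connect"}   # from the write-up
KNOWN_TYPES = {"CONNECT", "CONNECTED", "ACTIONS", "RESULT"}          # from the write-up


@dataclass
class DeadDropMessage:
    client_uuid: str
    channel: str      # debug | task_sync | connect | unknown
    msg_type: str
    data: object


def build_attribute(client_uuid: str, suffix: str, msg_type: str, data) -> Dict[str, str]:
    """Build one custom-attribute record as either end of the dead drop would write it.

    Name carries CLIENT_UUID plus the thread suffix; Value carries the Base64-encoded
    serialized message (assumed here to be JSON with "type" and "data")."""
    inner = json.dumps({"type": msg_type, "data": data}).encode()
    return {
        "Name": client_uuid + suffix,
        "Value": base64.b64encode(inner).decode(),
        "Uuid": client_uuid,
        "Application": "services.exe",
        "ApplicationGroup": "services",
    }


def decode_attribute(attr: Dict[str, str]) -> Optional[DeadDropMessage]:
    """Decode a record; return None for anything that is not a well-formed protocol message."""
    name = attr.get("Name", "")
    channel, uuid = "unknown", name
    for suffix, label in SUFFIXES.items():
        if name.endswith(suffix):
            channel, uuid = label, name[: -len(suffix)]
            break
    try:
        inner = json.loads(base64.b64decode(attr.get("Value", ""), validate=True))
    except ValueError:  # bad Base64 (binascii.Error), bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not isinstance(inner, dict) or inner.get("type") not in KNOWN_TYPES:
        return None
    return DeadDropMessage(uuid, channel, inner["type"], inner.get("data"))


def triage(records: List[Dict[str, str]]) -> List[DeadDropMessage]:
    """Keep only the records from a custom-attribute export that decode as protocol traffic."""
    return [m for m in map(decode_attribute, records) if m is not None]


CLIENT = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"   # constructed device UUID
SAMPLE_RECORDS = [  # constructed export: one legitimate attribute plus a full exchange
    {"Name": "AssetTag", "Value": "LAB-0042", "Uuid": CLIENT,
     "Application": "inventory", "ApplicationGroup": "it"},
    build_attribute(CLIENT, "-kb", "CONNECT", {"version": 14}),                 # implant announces itself
    build_attribute(CLIENT, "-kb", "CONNECTED", None),                          # operator acknowledges
    build_attribute(CLIENT, "-kr", "ACTIONS", [{"id": 1, "task": "cookies", "browser": "chrome"}]),
    build_attribute(CLIENT, "-kr", "RESULT", {"id": 1, "blob_id": "b-0001", "bytes": 48213}),
    build_attribute(CLIENT, "-kd", "RESULT", {"log": "kr thread: 1 task completed"}),
]

if __name__ == "__main__":
    for m in triage(SAMPLE_RECORDS):
        print(f"{m.channel:<10} {m.msg_type:<10} {m.client_uuid} {m.data}")
```

The useful property for defenders is that the attribute store is the attacker's transport, so an export of custom attributes from the UEM console (or its API) is effectively a packet capture of the C2: anything whose Value Base64-decodes to JSON with one of the protocol's message types, or whose Name ends in one of the three suffixes, deserves a look, and the Application field of "services.exe" is a further oddity for a custom attribute.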