{
	"id": "f134ecf9-4d0b-4cc9-9d31-93e0040ab3c4",
	"created_at": "2026-04-06T00:21:06.894732Z",
	"updated_at": "2026-04-10T03:32:05.939618Z",
	"deleted_at": null,
	"sha1_hash": "38595b9f8616d668140c579d598e002cf9c84c20",
	"title": "Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 923031,
	"plain_text": "Suspected Nation-State Threat Actor Uses New Airstalk Malware in a\r\nSupply Chain Attack\r\nBy Kristopher Russo, Chema Garcia\r\nPublished: 2025-10-29 · Archived: 2026-04-02 11:14:53 UTC\r\nExecutive Summary\r\nWe have discovered a new Windows-based malware family we've named Airstalk, which is available in both PowerShell\r\nand .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely\r\nsupply chain attack. We have created the threat activity cluster CL-STA-1009 to identify and track any further related\r\nactivity.\r\nAirstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified\r\nEndpoint Management. It uses the API to establish a covert command-and-control (C2) channel, primarily through the\r\nAirWatch feature to manage custom device attributes and file uploads.\r\nAirstalk has the following functionality:\r\nEmploys a multi-threaded C2 communication protocol\r\nIncorporates versioning\r\nUses a likely stolen certificate to sign some of the samples found\r\nThis malware is designed to exfiltrate sensitive browser data, including:\r\nCookies\r\nBrowsing history\r\nBookmarks\r\nScreenshots\r\nWe have also identified other tasks within the samples found that the threat author did not implement.\r\nAdvanced WildFire\r\nCortex XDR and XSIAM\r\nPrisma Browser\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nTechnical Analysis\r\nWe have identified two main variants of Airstalk malware, one written in PowerShell, and another written in .NET. The\r\n.NET variant of Airstalk has more capabilities than the PowerShell variant and seems to be in a more advanced stage of\r\ndevelopment.\r\nWe call this malware Airstalk because it misuses the MDM API from AirWatch for its C2 communications. 
Both variants\r\nemploy the same covert channel for the C2, but the C2 protocols and the targeted browsers differ slightly.\r\nAirstalk PowerShell Variant\r\nPowerShell Covert Channel Implementation\r\nAirstalk uses the devices endpoint (/api/mdm/devices/) of the MDM API from AirWatch for its covert C2 communications\r\nwith the attacker. These C2 communications use the custom attributes feature of the device within the AirWatch MDM API\r\nto store the communication details of the backdoor and use it as a dead drop.\r\nhttps://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/\r\nPage 1 of 15\n\nA dead drop is a secret method of communication used to pass items or information between individuals without them\r\nconnecting directly. Adversaries typically use this technique in espionage, where one person leaves the item in a hidden\r\nlocation and the other retrieves it later.\r\nThe malware also leverages another API endpoint (/api/mam/blobs/uploadblob) to upload files for different purposes.\r\nThe C2 communication is based on JSON messages through the devices API endpoint, containing at least the following\r\nrequired fields (first schema):\r\n{\r\n“Name” : “\u003cCLIENT_UUID\u003e”,\r\n“Value” : “\u003cSERIALIZED_MESSAGE\u003e”,\r\n“Uuid” : “\u003cCLIENT_UUID\u003e”,\r\n“Application” : “services.exe”,\r\n“ApplicationGroup” : “services”\r\n}\r\nCLIENT_UUID: Read through Windows Management Instrumentation (WMI); holds the real UUID value of the\r\ncompromised device\r\nSERIALIZED_MESSAGE: Base64-encoded JSON message\r\nThe serialized message sent within the Value field has the following minimum fields (second schema):\r\n{\r\n“method” : “\u003cMESSAGE_TYPE\u003e”,\r\n“uuid” : “\u003cCLIENT_UUID\u003e”,\r\n“sender” : “\u003cSENDER_ROLE\u003e”\r\n}\r\nCLIENT_UUID: Real Universally Unique Identifier (UUID) value of the compromised device\r\nMESSAGE_TYPE: Varies depending on the purpose of the message\r\nSENDER_ROLE: Set to client for all the 
messages sent from the compromised device toward the API endpoint\r\nThe final messages (first schema) are then set as custom attributes through the MDM API to communicate with the attacker.\r\nFigure 1. Covert channel core function from the PowerShell variant of Airstalk.\r\nTo read a message back from the attacker, the malware performs the inverse process. It deserializes the message and verifies\r\nwhether the message comes from the attacker, to avoid reading the message sent by itself, as shown in Figure 2.\r\nFigure 2. C2 response from the Covert channel core function of Airstalk's PowerShell variant.\r\nC2 Protocol\r\nThe C2 protocol for Airstalk's PowerShell variant uses different message types for synchronization and execution of specific\r\ntasks, based on the stage of the communication.\r\nTable 1 shows the different values that the method field can have.\r\nMESSAGE_TYPE Purpose\r\nCONNECT Connection request\r\nCONNECTED Connection accepted\r\nACTIONS Tasks synchronization\r\nRESULT Tasks results\r\nTable 1. Values of the method field in Airstalk's PowerShell variant C2 communications.\r\nWhen executed, Airstalk's PowerShell variant initializes the communication with the attacker. To do so, it sends a\r\nCONNECT message and blocks the execution through the function Get-Response as shown in Figure 3, waiting for a\r\nmessage from the threat actor.\r\nFigure 3. Connection initialization by Airstalk's PowerShell variant.\r\nThe code seems to expect to receive a CONNECTED message. 
However, the result is the same whatever the message type\r\nis, as long as it doesn’t come from the malware (client).\r\nAfter establishing a connection with the attacker, the malware:\r\nAsks for tasks to execute, sending a message of type ACTIONS\r\nBlocks the execution, waiting for an answer from the attacker with an ACTIONS message type\r\nReturns the ID of the action to conduct, as shown in Figure 4 below\r\nFigure 4. C2 tasks checked by Airstalk's PowerShell variant.\r\nAs indicated in Figure 4, this time the execution flow properly filters the message type.\r\nFigure 5 illustrates the execution flow of Airstalk's PowerShell variant.\r\nFigure 5. C2 execution flow of Airstalk's PowerShell variant.\r\nBackdoor Capabilities\r\nOnce the C2 communication channel is established, the PowerShell variant of Airstalk can receive different tasks through\r\nthe action field, as shown below in Table 2.\r\nACTION_ID Task\r\n0 Take a screenshot\r\n1 Get all Chrome cookies\r\n2 List all the files within the user’s directory\r\n4 List all the Chrome profiles within the user’s directory\r\n5 Get browser bookmarks of a given Chrome profile\r\n6 Get the browser history of a given Chrome profile\r\n7 Uninstall the backdoor\r\nTable 2. Identifiers and tasks for the action field.\r\nFollowing the ACTION_ID values in Table 2, we find the value 3 is skipped. That might be a developer decision, a mistake\r\nor a way to hide additional capabilities from the backdoor by removing the implementation of tasks. This removal is a\r\nsimple but effective way to use it as a modular backdoor.\r\nAfter executing a task, the malware sends the result of the task with the function UploadResult, specifying the ACTION_ID\r\nof the task executed and its returned value as noted in Figure 6.\r\nFigure 6. 
Send the task result back to the C2 channel.\r\nSome tasks require sending back a large amount of data or files after Airstalk is executed. To do so, the malware uses the\r\nblobs feature of the AirWatch MDM API to upload the content as a new blob. Figure 7 shows how this is implemented in the\r\nscript of Airstalk's PowerShell variant.\r\nFigure 7. File upload function in Airstalk's PowerShell variant.\r\nAn example of this behavior is taking a screenshot of the infected host, which Figure 8 below shows.\r\nFigure 8. Screenshot function leveraging the UploadResult functionality.\r\nThe function to dump cookies from Chrome enables remote debugging in the browser and restarts it with parameters to load\r\nthe targeted Chrome profile. These parameters also send the command to dump all the cookies and save them to a file that is\r\nlater exfiltrated through the covert channel shown below in Figure 9.\r\nFigure 9. Exfiltration of Chrome Cookies.\r\nAs previously reported by Red Canary, cookie theft via Chrome remote debugging is not novel functionality and is already\r\nbuilt into a number of information stealers such as Lumma and StealC. However, these information stealers are unlikely to\r\nsuccessfully run in a well-protected environment. Bundling the functionality into a trusted systems management tool allows\r\nexecution without raising suspicion.\r\nAirstalk .NET Variant\r\nDuring our investigation of this malware, we identified a set of samples representing a .NET variant of Airstalk. Compared\r\nto the PowerShell variant, the .NET variant has slight differences in its covert C2 channel protocol and has more\r\ncapabilities. 
The .NET variant also appears to be in a more advanced stage of development than the PowerShell variant.\r\nWhile the sample we found of Airstalk's PowerShell variant only targets Google Chrome, Airstalk's .NET variant also targets\r\ntwo additional web browsers:\r\nMicrosoft Edge\r\nIsland Browser\r\nThe .NET variant tries to mimic a legacy application by using code signing and specific metadata attributes. Figure 10 notes\r\nan example of this.\r\nFigure 10. Exif metadata from Airstalk's .NET variant is natively set through .NET assemblies.\r\n.NET Covert Channel Implementation\r\nCompared to the PowerShell variant, Airstalk's .NET variant includes an additional suffix to the UUID field within the\r\nJSON message (first schema) in its covert C2 communication, as noted in Figure 11.\r\nFigure 11. Covert channel code function in Airstalk's .NET variant.\r\nThe Airstalk .NET variant has three different delivery types for its C2 communications as Table 3 notes.\r\nDelivery type Suffix Description\r\nDEBUG -kd Used to send debugging data\r\nRESULT -kr Used to check tasks and send task results\r\nBASE -kb Used for connection establishment and beaconing\r\nTable 3. Different delivery types in C2 communications for the .NET variant of Airstalk.\r\nC2 Protocol\r\nCompared to the PowerShell variant, Airstalk's .NET variant has small differences in the message types for its C2 protocol.\r\nTable 4 lists the extra types (methods) used by the .NET variant.\r\nMESSAGE_TYPE Purpose PowerShell Variant .NET Variant\r\nCONNECT Connection request Yes Yes\r\nCONNECTED Connection accepted Yes Yes\r\nACTIONS Tasks flow Yes Yes\r\nRESULT Tasks results Yes Yes\r\nMISMATCH Version mismatch error No Yes\r\nDEBUG Debug messages No Yes\r\nPING Beaconing No Yes\r\nTable 4. 
Communication methods for Airstalk's .NET variant C2 protocol.\r\nCompared to its PowerShell variant, Airstalk's .NET variant has a different execution flow. The .NET variant uses three\r\ndifferent execution threads, one for each specific purpose:\r\nManaging C2 tasks\r\nExfiltrating the debug log\r\nBeaconing to the C2\r\nFigure 12. Code illustrating the main execution flow for C2 communications in Airstalk's .NET variant.\r\nAs Figure 12 above notes, this variant has beaconing behavior, a debugging thread and a log file that it sends back to\r\nthe attacker. The log is sent through the covert channel every 10 minutes, according to the Debug function that Figure 13 shows.\r\nFigure 13. Debug function periodically uploads the log.\r\nFigure 14 shows the full list of tasks supported by the .NET variant.\r\nFigure 14. List of supported tasks for C2 communications in Airstalk's .NET variant.\r\nAlthough the .NET variant's task names are defined similarly to the PowerShell variant tasks, not all the tasks are\r\nimplemented. Additionally, the task IDs in the .NET variant differ from the PowerShell variant. This indicates an evolution\r\nof the .NET variant of Airstalk from what we see in the PowerShell variant. 
In the .NET variant, some tasks look similar to\r\nthe PowerShell variant, but a closer examination reveals they are more complex as compounds of smaller tasks.\r\nTable 5 below describes the capabilities and implementations of the functions shown earlier in Figure 14.\r\nName ID Implemented Description\r\nScreenshot 0 Yes Takes a screenshot\r\nUpdateChrome 1 Yes Exfiltrates the specified Chrome profile\r\nFileMap 2 Yes Lists the content of the specified directory\r\nRunUtility 3 No N/A\r\nEnterpriseChromeProfiles 4 Yes Retrieves the available Chrome profiles\r\nUploadFile 5 Yes Exfiltrates specific Chrome artifacts and credentials\r\nOpenURL 6 Yes Opens a new URL in Chrome\r\nUninstall 7 Yes Finishes the execution\r\nEnterpriseChromeBookmarks 8 Yes Gets the Chrome bookmarks from the specified user\r\nEnterpriseIslandProfiles 9 Yes Retrieves the available Island profiles\r\nUpdateIsland 10 Yes Exfiltrates the specified Island profile\r\nExfilAlreadyOpenChrome 11 Yes Dumps all the Cookies from the current Chrome profile\r\nTable 5. Tasks for C2 functions in Airstalk's .NET variant.\r\nVersioning\r\nAirstalk's PowerShell variant does not have a version variable, but the .NET variant has a variable specifying the malware\r\nversion. We found samples of the Airstalk .NET variant using versions 13 and 14.\r\nPersistence\r\nThe PowerShell variant uses a scheduled task for persistence that it removes when executing the Uninstall task shown in\r\nFigure 15.\r\nFigure 15. Airstalk PowerShell variant's uninstall code.\r\nHowever, Airstalk's .NET variant does not have a persistence mechanism. The .NET variant finishes its process execution\r\nand sets a flag in the custom attributes API endpoint as shown in Figure 16.\r\nFigure 16. 
Airstalk .NET variant's uninstall code.\r\nSigned Binaries and Timestamps\r\nAs a defense evasion attempt, binaries for Airstalk's .NET variant are signed with a (likely stolen) certificate signed by a\r\nvalid CA:\r\nOrganization: Aoteng Industrial Automation (Langfang) Co., Ltd.\r\nLocality: Langfang\r\nState: Hebei\r\nCountry: CN\r\nSerial Number: 29afb8d913db84fdb362f4fd927b8553\r\nValid From: Jun 28 10:04:49 2024 GMT\r\nValid To: Jun 28 03:29:37 2025 GMT\r\nHowever, this certificate was revoked about 10 minutes after its Valid From date:\r\nRevocation date: Jun 28 10:14:00 2024 GMT\r\nWe found two PE binaries used for testing that were signed with the same certificate and preserved the original timestamps,\r\nas Table 6 shows.\r\nSHA256 | Compiled | Signed | First Submitted\r\n0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde | 2024-06-28 17:55:37 UTC | 2024-07-03 18:01:00 UTC | 2024-07-03 18:03:26 UTC\r\n1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5 | 2024-07-03 20:37:08 UTC | 2024-07-03 20:39:00 UTC | 2024-07-03 20:43:31 UTC\r\nTable 6. 
Information on testing PE binaries for Airstalk's .NET variant.\r\nAlthough the threat actor behind CL-STA-1009 modified the timestamps from later Airstalk .NET variant binaries, we can\r\nestablish a development timeline by using the signed timestamps, as shown below in Table 7.\r\nSHA256 | Signed | Compiled | Debug | First Submitted | Description\r\ndfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533 | 2024-07-17 20:00:00 UTC | 2055-04-06 21:31:42 UTC | 2039-09-07 17:14:59 UTC | 2024-12-17 16:58:53 UTC | .NET variant\r\nb6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b | 2024-11-11 00:12:00 UTC | 2066-03-16 05:36:50 UTC | 2084-08-11 21:19:12 UTC | 2024-12-10 00:03:03 UTC | .NET variant\r\n4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5 | 2024-11-14 00:21:00 UTC | 2097-03-02 00:38:35 UTC | 2089-11-27 15:10:05 UTC | 2024-12-09 13:39:25 UTC | .NET variant\r\n3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5 | N/A | N/A | N/A | 2025-01-02 17:35:47 UTC | PowerShell variant\r\nTable 7. Development timeline based on the signed timestamps.\r\nAttribution and the Supply Chain\r\nBased on our internal assessment, we assess with medium confidence that a nation-state threat actor used Airstalk malware\r\nin a supply chain attack. We are tracking the identified activity as an activity cluster that we named CL-STA-1009.\r\nWe’ve followed a number of supply chain attacks over the past few years. Supply chain attacks target the goods and services\r\norganizations rely upon to perform their day-to-day activities. 
The supply chain includes hardware that comprises an\r\norganization’s infrastructure, cloud-based services trusted to manage an organization’s most sensitive data, and specialized\r\nstaff augmentation.\r\nThis last category, typically named business process outsourcing (BPO), creates the potential for extensive damage when\r\ntargeted by attackers. Hardware and software can be monitored, controlled and provisioned. However, human assets —\r\nparticularly highly specialized ones — must often be granted extensive access to critical business systems. Additionally, they\r\nare often working from equipment managed by their own organizations. Because they are managed by the BPO, this\r\neffectively places them out of reach of the majority of your organization’s security controls.\r\nOrganizations specializing in BPO have become lucrative targets for both criminal and nation-state attackers. We’ve seen a\r\nnotable increase in attacks on BPOs as the source of intrusion in incidents over the past few years.\r\nBPOs typically leverage the economy of scale to have highly specialized talent service multiple clients concurrently. While\r\nthis can generate significant savings for both the BPO and its clients, it has the drawback of allowing the BPO to act as a\r\ngateway into multiple targets. Attackers are willing to invest generously in the resources necessary to not only compromise\r\nthem but maintain access indefinitely.\r\nConclusion\r\nCL-STA-1009 is a threat activity cluster representing activity from a suspected nation-state actor. This cluster is associated\r\nwith Airstalk malware, which we assess with medium confidence adversaries used in supply chain attacks.\r\nThe .NET variant represents an evolution of the malware, featuring a multi-threaded C2 protocol, versioning, beaconing and\r\nmore complex, compound tasks. 
This malware employs defense evasion techniques, including using signed binaries with a\r\nrevoked certificate that appears to have been issued to a legitimate organization in 2024. These evasion techniques also\r\ninclude the manipulation of PE timestamps, although signing timestamps help establish a timeline of activity. The malware's\r\ncapabilities and adaptive nature highlight the persistent threat posed by the threat actor behind CL-STA-1009.\r\nThe evasion techniques employed by this malware allow it to remain undetected in most environments. This is particularly\r\ntrue if the malware is running within a third-party vendor’s environment. This is particularly disastrous for organizations that\r\nuse BPO because stolen browser session cookies could allow access to a large number of their clients. Stolen screenshots\r\nand logged keystrokes can reveal sensitive and proprietary information not only for the victim, but the victim's customers as\r\nwell.\r\nLong-term monitoring allows a determined attacker to understand how the business operates and how the BPO organization\r\ntypically interacts with its customers, making it less likely that follow-on intrusions would be detected. The key to\r\nidentifying and protecting organizations from these types of attacks is to expand security focus from typical indicators and\r\naccess control to understanding how users typically work, both internally and externally.\r\nHowever, the differences in patterns between how an attacker behaves and how your users typically behave will eventually\r\nreveal them if you know what to watch for. 
These differences are what you must identify and act on using behavioral\r\nmonitoring tools tuned to spot subtle anomalies.\r\nPalo Alto Networks customers are better protected from Airstalk malware through the following products:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light\r\nof the indicators shared in this research.\r\nCortex XDR and XSIAM help prevent malware by employing the Malware Prevention Engine. This approach\r\ncombines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local\r\nAnalysis module, to help prevent both known and unknown malware from causing harm to endpoints.\r\nPrisma Browser helps protect against attacks like Airstalk in several ways:\r\nFirst, it detects and blocks malicious file downloads through the built-in Advanced WildFire threat detection\r\nengine.\r\nSecond, its layered protection model isolates all browser data and files from the underlying endpoint,\r\npreventing local malware from accessing cookies, history or credentials.\r\nFinally, Prisma Browser continuously validates device posture, ensuring that the right EDR is installed, active\r\nand healthy before allowing access to sensitive applications.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 000 800 050 45107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use\r\nthis intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn\r\nmore about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nIoC Type Description\r\nhttps://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/\r\nPage 13 of 15\n\n0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde SHA256 Signed test sample\r\n1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5 SHA256 Signed test sample\r\ndfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533 SHA256 Airstalk .NET sample\r\nb6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b SHA256 Airstalk .NET sample\r\n4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5 SHA256 Airstalk .NET sample\r\n3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5 SHA256\r\nAirstalk PowerShell\r\nsample\r\nCode signing certificate:\r\n-----BEGIN CERTIFICATE-----\r\nMIIF/DCCA+SgAwIBAgIQKa+42RPbhP2zYvT9knuFUzANBgkqhkiG9w0BAQsFADB7\r\nMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24x\r\nETAPBgNVBAoMCFNTTCBDb3JwMTcwNQYDVQQDDC5TU0wuY29tIEVWIENvZGUgU2ln\r\nbmluZyBJbnRlcm1lZGlhdGUgQ0EgUlNBIFIzMB4XDTI0MDYyODEwMDQ0OVoXDTI1\r\nMDYyODAzMjkzN1owgfkxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIDAVIZWJlaTERMA8G\r\nA1UEBwwITGFuZ2ZhbmcxOjA4BgNVBAoMMUFvdGVuZyBJbmR1c3RyaWFsIEF1dG9t\r\nYXRpb24gKExhbmdmYW5nKSBDby4sIEx0ZC4xGzAZBgNVBAUTEjkxMTMxMDAwTUEw\r\nQTNIRjhYOTE6MDgGA1UEAwwxQW90ZW5nIEluZHVzdHJpYWwgQXV0b21hdGlvbiAo\r\nTGFuZ2ZhbmcpIENvLiwgTHRkLjEdMBsGA1UEDwwUUHJpdmF0ZSBPcmdhbml6YXRp\r\nb24xEzARBgsrBgEEAYI3PAIBAxMCQ04wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASf\r\nB2NdKWXwGa7DkmCA5NiX+kQh5JkYBjGKJgSRz5BflX/Bo+/pXKfN8fsUOe5J3k+y\r\nv/XX53ZiHRJMmpWSjEHXyDFHbBco1hksVLOoeaTFHx65sh5eysXxwD3bwn1IzSCj\r\nggGpMIIBpTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDa9Sf8xLOuvakD+mcAW\r\n7br8SN1fMH0GCCsGAQUFBwEBBHEwbzBLBggrBgEFBQcwAoY/aHR0cDovL2NlcnQu\r\nc3NsLmNvbS9TU0xjb20tU3ViQ0EtRVYtQ29kZVNpZ25pbmctUlNBLTQwOTYtUjMu\r\nY2VyMCAGCCsGAQUFBzABhhRodHRwOi8vb2NzcHMuc3NsLmNvbTBfBgNVHSAEWDBW\r\nMAcGBWeBDAEDMA0GCyqEaAGG9ncCBQEHMDwGDCsGAQQBgqkwAQMDAjAsMCoGCCsG\r\
nAQUFBwIBFh5odHRwczovL3d3dy5zc2wuY29tL3JlcG9zaXRvcnkwEwYDVR0lBAww\r\nCgYIKwYBBQUHAwMwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybHMuc3NsLmNv\r\nbS9TU0xjb20tU3ViQ0EtRVYtQ29kZVNpZ25pbmctUlNBLTQwOTYtUjMuY3JsMB0G\r\nA1UdDgQWBBQdt2jU+7Pr64QrUIvuU1nojIqttzAOBgNVHQ8BAf8EBAMCB4AwDQYJ\r\nKoZIhvcNAQELBQADggIBAMBeOg1geZaMToh9XVF2rrQQRXArYYQKi5svgEX6YcjC\r\nZljQZzBo8wIyvyyeJ7x33ThTTbPpukggrKE2p019jGjlKQMjWoA1leRatuyrMPVT\r\nw5+Vs/RCEogg1X/n6wmvTUUNvLCv6iDgT3/ZFrm7jIJKrwMkt/HbuGE/AB3w/Hfk\r\ntnDcWbMii58+HmuDbPRtfvKe1p9IZ6EbxdAVRrOg/unECl4JC9gdzma0DbD6HhmY\r\nhttps://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/\r\nPage 14 of 15\n\nAgaCEoqBds59ghNjN2y/QpMiAvrUBpX6p4pJzIedj5cJ/WID0QgalIWpOI18rRfP\r\nLkh6p02s5nmbSZKQQFtjPNCew65shUgCFdiV/mnFVPbI76o4N41c2z+AEqODk6fI\r\nQUEeCr8Ny/Ro6ijXhycFvcN/YS9mLeiZ43cyEx9iylGskYY7wbPUblzNAF5NzxuK\r\njp/EBCUmCoj/q43D2u/ldB9ND4yaiaRmMMte8BVjSoU9xUUss7a5vft51ONTWtWS\r\nO8Hbs4pnGcPCjewTdrgDqKYcLOPFN4M04kQHaQqQyQaY9Sff6/2c16Sh4rmErluQ\r\nlIbNggl4sHlpMObqSqPnkJy8ClBFr7ah7AH8k6hzyQheh1rXUtmK0TSCbywsLFfH\r\nnGbFSa72+9mByBCUH3ckD+Nnv73dtRdH9/M7+Oq+71BJQmMwmuMXPi450vTM4HIP\r\n-----END CERTIFICATE-----\r\nSource: https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/\r\nhttps://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/"
	],
	"report_names": [
		"new-windows-based-malware-family-airstalk"
	],
	"threat_actors": [
		{
			"id": "577d8706-75a5-40d5-bc2d-c10b49d17984",
			"created_at": "2026-02-11T02:00:03.951092Z",
			"updated_at": "2026-04-10T02:00:03.974854Z",
			"deleted_at": null,
			"main_name": "CL-STA-1009",
			"aliases": [],
			"source_name": "MISPGALAXY:CL-STA-1009",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775791925,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38595b9f8616d668140c579d598e002cf9c84c20.pdf",
		"text": "https://archive.orkl.eu/38595b9f8616d668140c579d598e002cf9c84c20.txt",
		"img": "https://archive.orkl.eu/38595b9f8616d668140c579d598e002cf9c84c20.jpg"
	}
}