
Between February and November 2024, the state-sponsored threat actor CL-STA-0969, linked to the China-based espionage group Liminal Panda, targeted telecommunications infrastructure in Southeast Asia to establish persistent access and conduct network surveillance. According to Palo Alto Networks’ Unit 42, the attackers employed a range of custom implants and evasive techniques, with no evidence of data exfiltration.
Key tools used include AuthDoor (a PAM backdoor), Cordscan (mobile device geolocation), GTPDOOR (for telecom networks), EchoBackdoor (ICMP-based C2), ChronosRAT (a modular remote access tool), and the DNS-based NoDepDNS. The attackers also leveraged reverse SSH tunnels, log wiping, and Linux privilege escalation exploits (e.g., Dirty COW, CVE-2021-4034, CVE-2021-3156). Traffic was tunneled over telecom infrastructure and disguised through DNS tunneling and process name spoofing.
The operation displayed strong OPSEC, clearing artifacts post-deployment, disabling SELinux, and avoiding detection. Its tools and tactics overlap with the clusters UNC1945, LightBasin, and UNC2891, highlighting shared capabilities across state-aligned APTs.
The disclosure follows China’s CNCERT accusing U.S. intelligence agencies of exploiting Microsoft Exchange zero-days to compromise military and research networks, further amplifying cyber tension between the two nations. CL-STA-0969’s targeting of telecoms reveals a deep understanding of core infrastructure protocols and a strategic focus on long-term network access.
Source: https://thehackernews.com/2025/08/cl-sta-0969-installs-covert-malware-in.html
#CyberEspionage #APTActivity #LiminalPanda #CLSTA0969 #TelecomSecurity #NationStateThreats #ChinaAPT #NetworkSurveillance #PAMBackdoor #DNSExfiltration #EchoBackdoor #ChronosRAT #DirtyCOW #PrivilegeEscalation #OPSEC #DNSC2 #Unit42 #CyberThreatIntel #LinuxSecurity #GeopoliticalCyber