Palo Alto Report Outlines China’s Airstalk Supply-Chain Attack Campaign
Palo Alto Networks has identified a new Chinese state-sponsored operation using a malware family called Airstalk to infiltrate business process outsourcing (BPO) providers as a conduit into their enterprise clients. The campaign leveraged PowerShell and .NET variants, abused AirWatch’s MDM API for covert C2, and used stolen signing certificates and timestamp manipulation to evade detection.
You can read Palo Alto’s report here: Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
Tom Kellermann, VP of Cyber Risk for HITRUST, had this to say:
“The Airstalk campaign demonstrates China’s continued pivot toward deep supply-chain infiltration, targeting BPOs as operational beachheads to silently reach their clients’ networks. By abusing AirWatch’s MDM API and pairing PowerShell and .NET implants with stolen certificates and timestamp tampering, Chinese operators are weaponizing trusted enterprise mobility infrastructure as covert C2 channels. This is calculated espionage, not opportunism. BPOs are trust concentrators, and once breached, they provide a direct path into multiple U.S. corporate environments. We must elevate third-party security monitoring, particularly API abuse detection and certificate validation, or these persistent access campaigns will proliferate unchecked across the economy.”
This highlights the threats that a supply chain attack can pose. It also shows the lengths a threat actor will go to in order to execute its plans. This attack is multi-layered, which makes it harder to defend against, but not impossible if you take a more holistic view of securing your organization.
This entry was posted on November 4, 2025 at 9:40 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.