
In a worrying revelation for cybersecurity professionals, researchers at Palo Alto Networks’ Unit 42 have identified a highly sophisticated malware family named Airstalk, linked to a suspected nation-state operation labeled under cluster CL-STA-1009. This malware demonstrates advanced evasion techniques and a focus on supply chain attacks, targeting business process outsourcing (BPO) providers and managed service entities. By hijacking legitimate VMware AirWatch (now Workspace ONE UEM) Mobile Device Management (MDM) APIs, Airstalk establishes covert channels for command-and-control (C2) communications, blending seamlessly into trusted enterprise traffic and avoiding conventional security detection mechanisms.
Airstalk Overview and Capabilities
Airstalk is a dual-language malware, written in both PowerShell and .NET, designed to exploit enterprise MDM systems. Its PowerShell variant communicates through the AirWatch MDM API endpoint /api/mdm/devices/, using custom device attributes as a covert “dead drop” to exchange encrypted C2 messages. Each message is Base64-encoded and tied to unique UUIDs, effectively identifying compromised systems while evading standard monitoring. Additional malicious uploads, including screenshots and stolen files, are disguised through the /api/mam/blobs/uploadblob endpoint, appearing as normal MDM activity.
The malware follows a structured C2 protocol with message types such as CONNECT, CONNECTED, ACTIONS, and RESULT, which allow operators to issue commands ranging from file enumeration and Chrome cookie theft to screenshot captures. A review of sample tasks shows several unimplemented functions, suggesting a modular design and ongoing development to expand capabilities.
The .NET variant of Airstalk exhibits further sophistication, supporting additional browsers like Microsoft Edge and Island Browser. It operates three concurrent threads dedicated to C2 tasking, beaconing, and debugging. New message types such as MISMATCH, DEBUG, and PING provide functionality for version tracking and keep-alive communications. The malware can retrieve browser data, bookmarks, files, screenshots, and even open arbitrary URLs. Its deliberate use of structured UUID suffixes, like -kb, -kr, and -kd, indicates an organized and methodical C2 protocol design.
Significantly, some Airstalk samples were signed with a revoked certificate issued to Aoteng Industrial Automation, timestamped between June and November 2024, illustrating advanced operational planning consistent with persistent threat campaigns. Unit 42 assesses with medium confidence that this cluster represents a nation-state operation leveraging trusted MDM infrastructure to exfiltrate sensitive information from BPO and managed service providers. The targeting of these third-party service providers highlights the rising attractiveness of supply chain attacks as a means to compromise multiple downstream targets.
What Undercode Says:
Airstalk represents a concerning evolution in malware design, particularly for enterprises relying heavily on MDM systems like VMware AirWatch. By leveraging legitimate management APIs for covert communications, it bypasses conventional network monitoring tools, demonstrating the growing sophistication of nation-state threats. Traditional endpoint detection may not flag this activity since the malware operates within expected enterprise traffic patterns, highlighting a shift from blunt-force attacks toward stealth and precision in cyber espionage.
The dual-language approach—PowerShell for rapid deployment and .NET for sustained, multi-threaded operations—reflects a modular strategy designed for both flexibility and resilience. Modular malware frameworks allow attackers to incrementally update functionality without reintroducing detection risk, suggesting that Airstalk may continue to evolve to target more browsers, cloud services, or MDM functionalities. The use of UUIDs and structured suffixes for C2 communications underscores the meticulous planning behind the operation, indicating a team with significant resources and operational security awareness.
Furthermore, the targeting of BPO and managed service providers signals an emerging trend in supply chain exploitation. These entities often serve multiple enterprise clients, making them high-value targets; compromising one provider can potentially grant access to numerous downstream organizations. Airstalk’s method of embedding exfiltration within legitimate MDM traffic also highlights the importance of analyzing metadata and device behavior rather than relying solely on signature-based detection.
From a defensive standpoint, organizations should consider enhanced monitoring of MDM API interactions, implement stricter certificate validation protocols, and conduct frequent audits of device activity logs. Behavioral analytics, anomaly detection, and threat-hunting exercises focusing on unusual Base64-encoded exchanges or atypical API calls could be vital in identifying such covert operations before significant data loss occurs.
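The API-level monitoring suggested above, as an added example that is not part of the article or of Unit 42's research: a small Python hunt over constructed MDM API access-log lines that flags the two patterns described earlier, Base64-looking values written into device records under /api/mdm/devices/ and bursts of uploads to /api/mam/blobs/uploadblob. The log format, the customattributes sub-path, the client addresses, the sample payload and the thresholds are all assumptions made for illustration.

```python
import base64
import math
import re
from collections import defaultdict

B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

# Constructed sample log, "<epoch> <client> <method> <path> <value>". Only the two
# endpoints come from the report; sub-path, hosts, timestamps and payload are made up.
DEAD_DROP = base64.b64encode(
    b'{"type":"CONNECT","uuid":"4f1c2a9e-7b3d-4e88-9a01-c5d6e7f8a9b0-kb"}').decode()
SAMPLE_LOG = "\n".join([
    "1700000010 10.0.0.7 PUT /api/mdm/devices/1234/customattributes " + DEAD_DROP,
    "1700000020 10.0.0.9 PUT /api/mdm/devices/5678/customattributes AssetTag=Finance-Laptop-07",
    "1700000030 10.0.0.7 POST /api/mam/blobs/uploadblob screenshot.png",
    "1700000031 10.0.0.7 POST /api/mam/blobs/uploadblob cookies.db",
    "1700000032 10.0.0.7 POST /api/mam/blobs/uploadblob Documents.zip",
    "1700000100 10.0.0.3 POST /api/mam/blobs/uploadblob app-icon.png",
])

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payloads score far higher than asset tags."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_base64(value: str, min_entropy: float = 3.5) -> bool:
    """Well-formed, padded Base64 of non-trivial length whose mix looks encoded."""
    if not B64_RE.match(value) or len(value) % 4:
        return False
    return shannon_entropy(value) >= min_entropy

def hunt(log_text: str, window: int = 60, burst: int = 3) -> list:
    """Return (client, reason) alerts for dead-drop writes and upload bursts."""
    alerts, uploads = [], defaultdict(list)
    for line in log_text.splitlines():
        ts, client, method, path, value = line.split(" ", 4)
        # Signal 1: an encoded blob written into a device record, not a readable attribute.
        if method in ("PUT", "POST") and path.startswith("/api/mdm/devices/") \
                and looks_base64(value):
            alerts.append((client, "base64 value written to " + path))
        if method == "POST" and path == "/api/mam/blobs/uploadblob":
            uploads[client].append(int(ts))
    # Signal 2: `burst` or more blob uploads from one client inside `window` seconds.
    for client, times in uploads.items():
        times.sort()
        if any(times[i + burst - 1] - times[i] <= window
               for i in range(len(times) - burst + 1)):
            alerts.append((client, f"{burst}+ blob uploads within {window}s"))
    return alerts
```

Running hunt(SAMPLE_LOG) raises two alerts for 10.0.0.7 and none for the readable asset-tag write or the single icon upload; tune the entropy floor and burst window against your own baseline before deploying anything like this.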
In essence, Airstalk is not just another malware family—it is a sophisticated tool designed to exploit trusted enterprise infrastructure for stealthy, high-value data theft. Its emergence underscores the increasing intersection of supply chain security and nation-state cyber operations, reminding organizations that modern threats often hide in plain sight within trusted services.
🔍 Fact Checker Results
✅ Airstalk malware abuses VMware AirWatch MDM APIs for covert C2 communications.
✅ Some malware samples were signed with a revoked certificate issued to a Chinese firm.
❌ There is no public evidence of large-scale impact beyond targeted BPO and managed service providers.
📊 Prediction
💻 Expect a rise in supply chain-focused malware campaigns targeting third-party managed service providers.
🔐 Enterprises may increasingly adopt behavioral and API-level monitoring to detect covert MDM-based exfiltration.
⚠️ Modular malware like Airstalk could expand to other management platforms, making cross-platform MDM security a critical concern.
References:
Reported By: cyberpress.org