
Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack

Severity: Medium
Tags: Malware, mobile
Published: Fri Oct 31 2025 (10/31/2025, 16:08:00 UTC)
Source: The Hacker News

Description

A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack. Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009, where "CL" stands for cluster and "STA" refers to state-backed motivation. "Airstalk misuses the AirWatch API for mobile device management (MDM), which is now

AI-Powered Analysis

Last updated: 11/01/2025, 01:11:23 UTC

Technical Analysis

Airstalk is a malware family deployed by a suspected nation-state cluster that Unit 42 tracks as CL-STA-1009. It builds a covert command-and-control (C2) channel on top of the AirWatch API, now part of Workspace ONE Unified Endpoint Management, by abusing the API's custom device attributes and file upload features, so C2 traffic blends into legitimate MDM traffic and is harder to spot. Two variants exist: a PowerShell version and a more capable .NET version. The PowerShell variant communicates through the "/api/mdm/devices/" endpoint, polling for task instructions and returning results; supported tasks include taking screenshots, harvesting cookies, browser history and bookmarks, and enumerating user files. The .NET variant adds targeting of further browsers, including Microsoft Edge and the enterprise-focused Island browser, masquerades as a legitimate AirWatch helper utility, and runs multiple threads to manage C2 tasks, exfiltrate debug logs and beacon. Some samples are signed with a certificate, likely stolen, belonging to a Chinese company, which lends them apparent legitimacy. The PowerShell variant persists via scheduled tasks; the .NET variant has no clear persistence mechanism and may rely on stealth and legitimate API abuse instead. Exfiltration of large data blobs through the MDM API and the focus on enterprise browsers point to theft of session cookies and browser data, which could give the attackers access to multiple client accounts in BPO environments. How the supply chain was compromised remains unclear, but the targeting of MDM infrastructure and enterprise browsers suggests a deliberate route into organizations through trusted third-party vendors.
Because the malware relies on evasion and on legitimate management APIs, traditional security tools have difficulty detecting it, which makes it a significant risk to organizations that depend on Workspace ONE MDM and enterprise browsers.

Potential Impact

European organizations, especially those in the BPO sector that rely heavily on Workspace ONE MDM and enterprise browsers like Island, Microsoft Edge, and Chrome, face significant risks from Airstalk. The malware’s ability to steal browser session cookies and other sensitive data can lead to unauthorized access to client accounts, resulting in data breaches, intellectual property theft, and reputational damage. The supply chain nature of the attack means that even organizations with strong internal security could be compromised via trusted third-party vendors. This could disrupt business operations, cause regulatory compliance issues under GDPR due to data leakage, and lead to financial losses from remediation and potential legal penalties. The stealthy use of legitimate APIs and stolen certificates complicates detection and response, increasing dwell time and potential damage. The targeting of enterprise browsers used in corporate environments also raises concerns about widespread credential theft and lateral movement within networks. Overall, the threat could undermine trust in managed service providers and complicate supply chain security for European enterprises.

Mitigation Recommendations

European organizations should implement enhanced monitoring of Workspace ONE Unified Endpoint Management API usage, focusing on anomalous custom attribute modifications and unexpected file uploads. Deploy network traffic analysis tools capable of detecting unusual patterns in MDM API communications. Enforce strict code-signing certificate validation and monitor for the use of certificates from unexpected or suspicious sources. Conduct regular audits of scheduled tasks and persistence mechanisms on endpoints, especially those managed via MDM. Employ endpoint detection and response (EDR) solutions with behavioral analytics tuned to detect unusual browser data access and exfiltration attempts. Segment networks to limit lateral movement from compromised devices and restrict access to sensitive browser profiles and session data. Collaborate closely with third-party vendors and BPO providers to ensure their environments are secured and monitored for signs of compromise. Implement multi-factor authentication (MFA) on all critical systems and browser sessions to reduce the impact of stolen cookies. Regularly update and patch MDM infrastructure and enterprise browsers to minimize vulnerabilities. Finally, conduct threat hunting exercises focused on detecting Airstalk indicators and similar API abuse techniques.
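The first two recommendations above (watch for anomalous custom attribute modifications and unexpected file uploads through the Workspace ONE API) and the C2 pattern described in the Technical Analysis can be turned into a small hunting script. The following is an added example, not code from the page, from Unit 42 or from the Workspace ONE product: it runs over constructed audit-log records, and the field names, the device identifiers and every path suffix after "/api/mdm/devices/" are assumptions made for illustration, so map them onto your own API gateway or tenant audit-log schema before use. It flags (a) devices whose custom-attribute writes arrive at a near-constant interval, the signature of a beacon riding on the MDM channel, and (b) unusually large uploads against the device endpoint.

```python
"""Hunt for MDM-API C2 patterns in constructed Workspace ONE style audit records.

Added example (assumed schema and paths, not real product output):
  ts      - seconds since start of the window
  device  - placeholder device identifier
  method  - HTTP method
  path    - request path; "/api/mdm/devices/" is from the report, suffixes are assumed
  bytes   - request body size
"""
import json
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (NOT real logs). dev-1 writes a custom attribute
# every ~60 s and then uploads a large blob; dev-2 and dev-3 look like normal use.
SAMPLE_LOG = """\
{"ts": 0,    "device": "dev-1", "method": "PUT",  "path": "/api/mdm/devices/dev-1/customattributes", "bytes": 410}
{"ts": 60,   "device": "dev-1", "method": "PUT",  "path": "/api/mdm/devices/dev-1/customattributes", "bytes": 402}
{"ts": 119,  "device": "dev-1", "method": "PUT",  "path": "/api/mdm/devices/dev-1/customattributes", "bytes": 398}
{"ts": 181,  "device": "dev-1", "method": "PUT",  "path": "/api/mdm/devices/dev-1/customattributes", "bytes": 415}
{"ts": 240,  "device": "dev-1", "method": "PUT",  "path": "/api/mdm/devices/dev-1/customattributes", "bytes": 401}
{"ts": 299,  "device": "dev-1", "method": "PUT",  "path": "/api/mdm/devices/dev-1/customattributes", "bytes": 407}
{"ts": 361,  "device": "dev-1", "method": "PUT",  "path": "/api/mdm/devices/dev-1/customattributes", "bytes": 399}
{"ts": 420,  "device": "dev-1", "method": "PUT",  "path": "/api/mdm/devices/dev-1/customattributes", "bytes": 404}
{"ts": 425,  "device": "dev-1", "method": "POST", "path": "/api/mdm/devices/dev-1/files", "bytes": 8400000}
{"ts": 10,   "device": "dev-2", "method": "GET",  "path": "/api/mdm/devices/dev-2", "bytes": 0}
{"ts": 500,  "device": "dev-2", "method": "GET",  "path": "/api/mdm/devices/dev-2", "bytes": 0}
{"ts": 1400, "device": "dev-2", "method": "GET",  "path": "/api/mdm/devices/dev-2", "bytes": 0}
{"ts": 1450, "device": "dev-2", "method": "POST", "path": "/api/mdm/devices/dev-2/files", "bytes": 120000}
{"ts": 100,  "device": "dev-3", "method": "PUT",  "path": "/api/mdm/devices/dev-3/customattributes", "bytes": 380}
{"ts": 5000, "device": "dev-3", "method": "PUT",  "path": "/api/mdm/devices/dev-3/customattributes", "bytes": 390}
"""


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the hunt
    return records


def is_custom_attribute_write(rec):
    """Assumed naming: a write to the device's custom attributes resource."""
    return rec["method"] in ("PUT", "POST") and "customattributes" in rec["path"]


def find_beaconing(records, min_events=6, max_jitter=0.15):
    """Flag devices whose custom-attribute writes recur at a near-constant interval.

    jitter = population std-dev of the gaps divided by the mean gap; a beacon
    with a fixed sleep (plus small scheduling noise) stays well under 0.15,
    while interactive or policy-driven writes are irregular.
    """
    by_device = defaultdict(list)
    for rec in records:
        if is_custom_attribute_write(rec):
            by_device[rec["device"]].append(rec["ts"])

    findings = {}
    for device, stamps in by_device.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue  # too few writes to call it a cadence
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings[device] = {"events": len(stamps),
                                "mean_interval": avg,
                                "jitter": round(jitter, 3)}
    return findings


def find_large_uploads(records, threshold_bytes=1_000_000):
    """Flag POST bodies against the device endpoint above a size threshold."""
    return [rec for rec in records
            if rec["method"] == "POST"
            and rec["path"].startswith("/api/mdm/devices/")
            and rec.get("bytes", 0) >= threshold_bytes]


def analyze(text):
    """Run both detections over a JSON-lines audit log and return the findings."""
    records = parse_log(text)
    return {"beaconing": find_beaconing(records),
            "large_uploads": find_large_uploads(records)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Tune `min_events`, `max_jitter` and `threshold_bytes` against a baseline of your own tenant's traffic: a low jitter on its own is weak evidence, so the useful alert is the combination of a steady custom-attribute cadence from a device that also pushes large uploads, which is exactly the pairing the report describes for the C2 channel.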


Technical Details

Article Source: https://thehackernews.com/2025/10/nation-state-hackers-deploy-new.html (fetched 2025-11-01T01:10:55.332Z, 1367 words)

Threat ID: 69055e2471a6fc4aff34f135

Added to database: 11/1/2025, 1:11:00 AM

Last enriched: 11/1/2025, 1:11:23 AM

Last updated: 11/1/2025, 2:39:35 PM

Views: 7

Community Reviews

0 reviews

