Security News

Cybersecurity news aggregator

CRITICAL | Attacks | The Hacker News

Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure

A Chinese threat actor, CL-UNK-1068, is conducting cyber espionage against high-value Asian critical infrastructure sectors using a multi-faceted toolset that includes web shells, custom malware, and LOLBINs. The attack chain exploits web servers to establish persistence, moves laterally, and exfiltrates specific files such as web.config files and database backups by Base64-encoding them with built-in command-line utilities, so the data leaves without any file upload. The article details the TTPs but does not specify a single CVE, CVSS score, affected versions, or patch information for a primary vulnerability.

Ravie Lakshmanan, Mar 09, 2026, Threat Intelligence / Web Security

High-value organizations located in South, Southeast, and East Asia have been targeted by a Chinese threat actor as part of a years-long campaign. The activity, which has targeted aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors, has been attributed by Palo Alto Networks Unit 42 to a previously undocumented threat activity group dubbed CL-UNK-1068, where "CL" refers to "cluster" and "UNK" stands for unknown motivation. However, the security vendor has assessed with "moderate-to-high confidence" that the primary objective of the campaign is cyber espionage.

"Our analysis reveals a multi-faceted tool set that includes custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs)," security researcher Tom Fakterman said. "These provide a simple, effective way for the attackers to maintain a persistent presence within targeted environments."

The tools are designed to target both Windows and Linux environments, with the adversary relying on a mix of open-source utilities and malware families such as Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP), all of which have been put to use by various Chinese hacking groups. While both Godzilla and ANTSWORD function as web shells, Xnote is a Linux backdoor that's been detected in the wild since 2015 and has been deployed by an adversarial collective known as Earth Berberoka (aka GamblingPuppet) in attacks aimed at online gambling sites.
Typical attack chains entail the exploitation of web servers to deliver web shells and move laterally to other hosts, followed by attempts to steal files matching certain names and extensions ("web.config", ".aspx", ".asmx", ".asax", and ".dll") from the "c:\inetpub\wwwroot" directory of a Windows web server, likely in an attempt to steal credentials or discover vulnerabilities. Other files harvested by CL-UNK-1068 include web browser history and bookmarks, XLSX and CSV files from desktops and USER directories, and database backup (.bak) files from MS-SQL servers.

In an interesting twist, the threat actors have been observed using WinRAR to archive the relevant files, Base64-encoding the archives by executing the certutil -encode command, and then running the type command to print the Base64 content to their screen through the web shell.

"By encoding the archives as text and printing them to their screen, the attackers were able to exfiltrate data without actually uploading any files," Unit 42 said. "The attackers likely chose this method because the shell on the host allowed them to run commands and view output, but not to directly transfer files."

One of the techniques employed in these attacks is the use of legitimate Python executables ("python.exe" and "pythonw.exe") to launch DLL side-loading attacks and stealthily execute malicious DLLs, including FRP for persistent access, PrintSpoofer, and a Go-based custom scanner named ScanPortPlus. CL-UNK-1068 is also said to have engaged in reconnaissance efforts using a custom .NET tool named SuperDump as far back as 2020. Recent intrusions have transitioned to a new method that uses batch scripts to collect host information and map the local environment.
Also utilized by the adversary are a wide range of tools to facilitate credential theft:

- Mimikatz, to dump passwords from memory
- LsaRecorder, to hook LsaApLogonUserEx2 to record the WinLogon password
- DumpItForLinux and Volatility Framework, to extract password hashes from memory
- SQL Server Management Studio Password Export Tool, to extract the contents of "sqlstudio.bin," which stores connection information for Microsoft SQL Server Management Studio (SSMS)

"Using primarily open-source tools, community-shared malware and batch scripts, the group has successfully maintained stealthy operations while infiltrating critical organizations," Unit 42 concluded. "This cluster of activity demonstrates versatility by operating across both Windows and Linux environments, using different versions of their tool set for each operating system. While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intentions."
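The exfiltration chain described above (archive the files, certutil -encode the archive, then type the text file through the web shell) leaves a recognizable sequence in process-creation telemetry. The detector below is an added example, not code from Unit 42 or The Hacker News; it assumes a simple pipe-delimited log format, constructed sample records, and an assumed list of web-server parent process names.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed process-creation records ("time|host|parent_image|image|command_line"), not taken
# from the article: three events mimic the web-shell chain (archive, certutil -encode, type) and
# the last one is a benign admin use of certutil -encode with no follow-up 'type'.
SAMPLE_EVENTS = [
    r"2026-03-09T10:01:05|WEB01|w3wp.exe|cmd.exe|cmd.exe /c rar.exe a C:\Windows\Temp\out.rar C:\inetpub\wwwroot\web.config",
    r"2026-03-09T10:01:40|WEB01|w3wp.exe|cmd.exe|cmd.exe /c certutil -encode C:\Windows\Temp\out.rar C:\Windows\Temp\out.txt",
    r"2026-03-09T10:02:10|WEB01|w3wp.exe|cmd.exe|cmd.exe /c type C:\Windows\Temp\out.txt",
    r"2026-03-09T11:15:00|ADMIN01|explorer.exe|cmd.exe|cmd.exe /c certutil -encode C:\certs\srv.cer C:\certs\srv.b64",
]

ProcEvent = namedtuple("ProcEvent", "ts host parent image cmdline")
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}  # assumed parent names
ENCODE_RE = re.compile(r"certutil(?:\.exe)?\s+[-/]encode\s+(\S+)\s+(\S+)", re.IGNORECASE)
TYPE_RE = re.compile(r"\btype\s+(\S+)", re.IGNORECASE)

def parse_events(lines):
    """Parse pipe-delimited records into ProcEvent tuples sorted by timestamp."""
    events = []
    for line in lines:
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, parent.lower(), image.lower(), cmdline))
    return sorted(events, key=lambda e: e.ts)

def detect_print_exfil(events, window=timedelta(minutes=30)):
    """Flag certutil -encode followed, on the same host within `window`, by 'type' of the
    encoded output file; that pairing is the screen-scrape exfil the article describes."""
    findings = []
    for i, ev in enumerate(events):
        m = ENCODE_RE.search(ev.cmdline)
        if not m:
            continue
        src, encoded = m.group(1), m.group(2)
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break  # events are sorted, so nothing later can be inside the window
            if later.host != ev.host:
                continue
            t = TYPE_RE.search(later.cmdline)
            if t and t.group(1).lower() == encoded.lower():
                findings.append({"host": ev.host, "source_file": src, "encoded_file": encoded,
                                 "printed_at": later.ts.isoformat(),
                                 "via_web_server": ev.parent in WEB_SERVER_PARENTS})
                break
    return findings
```

The benign administrator event produces no finding because no later 'type' reads its output; pairing the two commands, rather than alerting on certutil -encode alone, is what keeps the rule precise.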
