An Investigation Into Years of Undetected Operations Targeting High-Value Sectors

By: Tom Fakterman
Published: March 6, 2026
Categories: Malware, Threat Research
Tags: China, CL-UNK-1068, DLL Sideloading, Fast Reverse Proxy, ScanPortPlus, Xnote

Executive Summary

Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast and East Asia. The attacks focus on critical sectors such as aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications. Unit 42 is tracking this ongoing, previously undocumented activity as CL-UNK-1068. We designate the term UNK to clusters of activity whose affiliation with either nation-state or cybercrime activity we have not yet determined.

We assess with high confidence that the attackers behind CL-UNK-1068 are a Chinese threat actor. This assessment is based on the origin of their tools, linguistic artifacts in configuration files, and their consistent, longstanding targeting of critical infrastructure in Asia. We assess with moderate-to-high confidence that the primary objective of the attackers is cyberespionage, although we cannot fully rule out the possibility of cybercriminal motivation at this time.

Through a long period of close observation, we identified the specific tools and techniques that define this group. Our attribution of this activity to CL-UNK-1068 is done in accordance with Unit 42's attribution framework. We provide a detailed analysis of the attack patterns and methods that we identified in our investigation into this cluster of activity.
Palo Alto Networks customers are better protected from the threats described through the following products and services:

- Advanced URL Filtering and Advanced DNS Security
- Next-Generation Firewall (NGFW) with Advanced Threat Prevention
- Advanced WildFire
- Cortex XDR and XSIAM

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics: China, CL-UNK-1068, DLL Sideloading, Backdoors

Technical Analysis

Overview

We provide a detailed analysis of the tool set deployed by the attackers behind CL-UNK-1068 across different intrusion campaigns since 2020. While these attacks demonstrate a consistent set of tactics, techniques and procedures (TTPs), it is important to note that not every tool was used in every observed intrusion.

Our analysis reveals a multi-faceted tool set that includes custom malware, modified open-source utilities and living-off-the-land binaries (LOLBINs). These provide a simple, effective way for the attackers to maintain a persistent presence within targeted environments.

The CL-UNK-1068 activity cluster is characterized by cross-platform cyber capabilities, maintaining a diverse set of tools for both Windows and Linux environments. Their TTPs rely heavily on open-source utilities and malware variants popular with Chinese-speaking users, including GodZilla, AntSword, Xnote and Fast Reverse Proxy (FRP).

One of the techniques we observed in these attacks is the use of legitimate Python executables to launch DLL side-loading attacks. This approach enables the attackers to stealthily load additional payloads.

Initial Access and Web Shell Deployment

The initial access to environments targeted in CL-UNK-1068 activity is achieved by deploying and utilizing various web shells. We observed the attackers deploying the GodZilla web shell, and a variation of AntSword, both of which are written in a combination of English and Simplified Chinese.
After gaining an initial foothold, the attackers use these web shells to move laterally to additional hosts and SQL servers. Figure 1 shows an alert that was triggered when an attacker attempted to exploit a Linux server.

Figure 1. Cortex XDR alert indicating Linux webserver exploitation, triggered by CL-UNK-1068 activity.

Exfiltrating Configuration Files for Access and Sensitive Data

After gaining access to targeted environments, the attackers attempt to steal the following files from the c:\inetpub\wwwroot directory of a Windows web server:

- web.config
- .aspx
- .asmx
- .asax
- .dll

The attackers could use this stolen information to extract credentials for lateral movement, or to discover vulnerabilities in the website's code. The alert in Figure 2 shows that the attackers archived the stolen files under the names web.rar, web1.rar and web2.rar.

Figure 2. Cortex XDR alert showing the attackers archiving files for exfiltration under c:\inetpub\wwwroot.

After moving to additional servers, the attackers continued to steal files related to the website's configuration, such as .json files from the c:\inetpub\wwwroot directory, including the appsettings.json file.

In multiple instances, the attackers used a simple but effective approach to exfiltrate files:

1. Using WinRAR to archive the relevant files.
2. Executing the certutil -encode command to Base64-encode the .rar archives.
3. Executing the type command to print the Base64 content to their screen through the web shell.

By encoding the archives as text and printing them to their screen, the attackers were able to exfiltrate data without actually uploading any files. The attackers likely chose this method because the shell on the host allowed them to run commands and view output, but not to directly transfer files. Figure 3 shows the alert triggered by the data exfiltration activity.

Figure 3. Cortex XDR alert showing the attackers exfiltrating archived files.
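The three-step exfiltration chain above (archive, certutil -encode, type) leaves a recognizable footprint in process-creation telemetry. The following detection logic is an added example, not Unit 42 code or a Cortex rule: it correlates, per host and within a time window, a certutil -encode whose input is an archive with an earlier archiver invocation on that archive and a later type of the encoded output, and weights a web-server worker as parent process. The event field names, the list of web-worker images and the sample log records are constructed assumptions.

```python
"""Detect the WinRAR -> certutil -encode -> type exfiltration chain in process telemetry.

Added example (not Unit 42 code). Each event is a dict with a host, an ISO timestamp,
the parent image name and the full command line; these field names are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed set of web-server worker processes; a web shell runs its commands under one of these.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "php-cgi.exe", "tomcat.exe", "java.exe"}
ARCHIVE_EXT = (".rar", ".zip", ".7z")
ARCHIVER_RE = re.compile(r'\b(?:rar|winrar)(?:\.exe)?"?\s+a\b', re.IGNORECASE)
ENCODE_RE = re.compile(
    r'certutil(?:\.exe)?"?\s+(?:-f\s+)?-encode\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)', re.IGNORECASE)
TYPE_RE = re.compile(r'\btype\s+("[^"]+"|\S+)', re.IGNORECASE)

# Constructed sample telemetry: one attack chain on web01 and one benign certutil use on ws07.
SAMPLE_EVENTS = [
    {"host": "web01", "ts": "2026-01-10T08:01:02", "parent": "w3wp.exe",
     "cmdline": r'"C:\Program Files\WinRAR\rar.exe" a -r c:\inetpub\wwwroot\web.rar '
                r'c:\inetpub\wwwroot\web.config *.aspx *.asmx *.asax *.dll'},
    {"host": "web01", "ts": "2026-01-10T08:01:40", "parent": "w3wp.exe",
     "cmdline": r'certutil -encode c:\inetpub\wwwroot\web.rar c:\inetpub\wwwroot\web.txt'},
    {"host": "web01", "ts": "2026-01-10T08:02:05", "parent": "w3wp.exe",
     "cmdline": r'cmd.exe /c type c:\inetpub\wwwroot\web.txt'},
    # Benign: an administrator converting a certificate from an interactive shell.
    {"host": "ws07", "ts": "2026-01-10T09:00:00", "parent": "explorer.exe",
     "cmdline": r'certutil -encode C:\certs\server.cer C:\certs\server.pem'},
]


def _unquote(s):
    return s.strip('"')


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_encode_exfil(events, window_minutes=30):
    """Return one alert per certutil -encode of an archive that has supporting stages."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for ev in evs:
            m = ENCODE_RE.search(ev["cmdline"])
            if not m:
                continue
            src, dst = _unquote(m.group(1)), _unquote(m.group(2))
            if not src.lower().endswith(ARCHIVE_EXT):
                continue  # encoding a certificate or other non-archive is expected admin use
            stages = ["encode"]
            if ev["parent"].lower() in WEB_WORKERS:
                stages.append("web-shell-parent")
            t = _ts(ev)
            for other in evs:
                if abs(_ts(other) - t) > window:
                    continue
                # Stage 1: the archive being encoded was created shortly before.
                if (_ts(other) <= t and ARCHIVER_RE.search(other["cmdline"])
                        and src.lower() in other["cmdline"].lower()):
                    stages.append("archive")
                # Stage 3: the Base64 output was printed to the shell afterwards.
                tm = TYPE_RE.search(other["cmdline"])
                if tm and _ts(other) >= t and _unquote(tm.group(1)).lower() == dst.lower():
                    stages.append("type")
            if len(stages) >= 2:
                alerts.append({"host": host, "archive": src, "encoded": dst, "stages": stages})
    return alerts


if __name__ == "__main__":
    for alert in detect_encode_exfil(SAMPLE_EVENTS):
        print(alert)
```

Requiring two stages keeps a lone certutil -encode of a .rar from alerting on its own, while the full chain run from a web-server worker scores all four stages; tune the window to the cadence of your environment.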
In addition to stealing configuration files, the attackers stole other types of sensitive data:

- Browser history and web browser bookmarks
- Sensitive XLSX and CSV files from desktops and USER directories
- .bak files from MSSQL servers (database backup files)

In certain instances, the attackers deployed usql, a universal command-line interface for multiple databases. The use of this interface may indicate that one of the goals of CL-UNK-1068 activity is to extract data directly from SQL servers.

Tool Set

We analyzed the most noteworthy tools and utilities that the attackers behind CL-UNK-1068 used across multiple intrusion campaigns since 2020. A detailed analysis of additional tools and utilities used during this activity is provided in Appendix B.

DLL Side-Loading Using Legacy Python Programming Language Executables

In attacks that we observed, the attackers behind CL-UNK-1068 frequently used DLL side-loading to execute their tool set. They deployed a legitimate Python programming language executable like python.exe or pythonw.exe alongside a malicious side-loaded DLL that served as a loader, using a name like python20.dll. The attackers also dropped an obfuscated shellcode file with a similar name, to match the legitimate executable naming convention (e.g., python or pythonw).

When the legitimate python.exe is executed, it side-loads a malicious loader named python20.dll. The malicious loader reads the obfuscated shellcode, deobfuscates it in memory, and then executes it within the memory space of the legitimate Python process. The shellcode then decrypts and executes the payload in memory.

The attackers used this technique to load and execute several tools as payloads, including FRP, PrintSpoofer and a custom scanner that they named ScanPortPlus. Figure 4 shows the legitimate python.exe process used to read shellcode from a file named python and execute a decrypted payload for ScanPortPlus in memory.

Figure 4. Cortex XDR alert showing that python.exe reads shellcode from the python file and executes the decrypted ScanPortPlus in memory.

ScanPortPlus: A Custom Multi-Platform Scanning Toolkit

The attackers behind CL-UNK-1068 scanned compromised networks using a custom scanner that they internally named ScanPortPlus. This custom tool is written in Go, and the threat actor compiled versions for both Windows and Linux systems. Figure 5 shows the command-line options of ScanPortPlus, which include IP address, port and vulnerability scanning.

Figure 5. ScanPortPlus command-line options.

Communication Tunneling: Custom FRP Variant with Unique Identifiers

In some of the events that we observed, the attackers deployed FRP to establish persistent access while bypassing firewalls. The attackers used versions of their own custom-compiled FRP for Windows and Linux systems, including a custom FRP that had several unique identifiers:

- Unique authentication token: Attackers used the authentication token frpforzhangwei ("frp for zhang wei"). Zhang Wei is a common Chinese name.
- Proxy naming convention: The proxy names appear to have a consistent naming convention across the versions:
  - Windows: 10014-win-nic-32-v
  - Linux: 20012-linux-64-V, 10013-linux-64-V
- Unique common password: The password for the FRP is the same in all samples that the threat actor used: f*ckroot123 (profanity masked).

Figure 6 highlights the identifiers that we discovered in the FRP samples.

Figure 6. Configuration from FRP samples used in CL-UNK-1068 activity.

Deploying Xnote Linux Backdoor

In some instances, the attackers behind CL-UNK-1068 deployed the Xnote malware on Linux servers. First discovered in 2015, Xnote is a Linux backdoor that various Chinese threat actors previously used. Xnote has several variants, each with slightly different functionality. The Xnote used by CL-UNK-1068 primarily provides distributed denial-of-service (DDoS) attack capabilities, in addition to other commands.
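The Python side-loading pattern described in the Tool Set section above combines two observables that are individually unremarkable: a python.exe or pythonw.exe loading a DLL named like a Python runtime DLL from its own directory (every real interpreter does this), and the same process reading an extension-less file that carries the executable's own stem, python or pythonw, which is how the shellcode blob is named in this cluster. The following correlation is an added example, not Unit 42 code or a Cortex rule; the event field names and the sample telemetry are constructed assumptions, and the benign record shows why the DLL load alone must not alert.

```python
"""Correlate the python.exe side-loading pattern: runtime-named DLL plus extension-less blob.

Added example (not Unit 42 code). Events are dicts with a pid, the process image path,
an event type (image_load or file_read) and the target path; these names are assumptions.
"""
import ntpath  # handle Windows paths regardless of the analyst's host OS
import re
from collections import defaultdict

PYTHON_EXES = {"python.exe", "pythonw.exe"}
RUNTIME_DLL_RE = re.compile(r"^python\d*\.dll$", re.IGNORECASE)

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Suspicious: python.exe staged under ProgramData loads python20.dll from its own
    # directory and then reads an extension-less file named "python".
    {"pid": 4120, "image": r"C:\ProgramData\pyt\python.exe", "type": "image_load",
     "target": r"C:\ProgramData\pyt\python20.dll"},
    {"pid": 4120, "image": r"C:\ProgramData\pyt\python.exe", "type": "file_read",
     "target": r"C:\ProgramData\pyt\python"},
    # Benign: a normal interpreter loading its runtime DLL and importing a .py module.
    {"pid": 5000, "image": r"C:\Python27\python.exe", "type": "image_load",
     "target": r"C:\Python27\python27.dll"},
    {"pid": 5000, "image": r"C:\Python27\python.exe", "type": "file_read",
     "target": r"C:\Python27\Lib\os.py"},
]


def detect_python_sideload(events):
    """Return one alert per Python process that loads a python*.dll from its own
    directory AND reads an extension-less file named after the executable stem."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in per_pid.items():
        image = evs[0]["image"]
        exe_dir, exe_name = ntpath.split(image)
        if exe_name.lower() not in PYTHON_EXES:
            continue
        stem = ntpath.splitext(exe_name)[0].lower()  # "python" or "pythonw"
        loader = blob = None
        for ev in evs:
            tgt_dir, tgt_name = ntpath.split(ev["target"])
            same_dir = tgt_dir.lower() == exe_dir.lower()
            if ev["type"] == "image_load" and same_dir and RUNTIME_DLL_RE.match(tgt_name):
                loader = ev["target"]
            if ev["type"] == "file_read" and same_dir and tgt_name.lower() == stem:
                blob = ev["target"]  # no extension, named exactly like the executable
        if loader and blob:
            alerts.append({"pid": pid, "image": image, "loader": loader, "blob": blob})
    return alerts


if __name__ == "__main__":
    for alert in detect_python_sideload(SAMPLE_EVENTS):
        print(alert)
```

In a production rule you would add the executable's signer and install path as context (a signed python.exe outside a known Python or virtual-environment directory is itself worth a look), but the two-event correlation is what separates this cluster's staging from ordinary interpreter start-up.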
Table 1 lists some of the capabilities of this Xnote variant.

Internal Task Name    Task Function
9CFileTask            Interact with file system, upload and download files, execute shell commands
10CShellTask          Reverse shell
10CProxyTask          No current function; likely a remnant from previous versions, since r
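The FRP identifiers listed in the Communication Tunneling section above (the frpforzhangwei token and the numbered proxy names) can be checked directly against a recovered client configuration. The following checker is an added example, not Unit 42 code: it reads an frpc.ini-style configuration (the legacy FRP INI layout with a [common] section and one section per proxy) and reports matches. The token and the three proxy names come from the report; the proxy-name regular expression is my own generalization of those names and is an assumption, the sample configuration is constructed, and the masked password is deliberately not included because the report does not print it in clear.

```python
"""Check an FRP client configuration for the CL-UNK-1068 identifiers named in the report.

Added example (not Unit 42 code). Input is frpc.ini-style text; the server address in
the sample is a documentation placeholder and the proxy-name regex is an assumption.
"""
import configparser
import re

KNOWN_TOKEN = "frpforzhangwei"
KNOWN_PROXY_NAMES = {"10014-win-nic-32-v", "20012-linux-64-V", "10013-linux-64-V"}
# Assumed generalization of the three reported names:
# five digits, platform, optional lowercase tag, two-digit width, trailing v or V.
PROXY_NAME_RE = re.compile(r"^\d{5}-(?:win|linux)-(?:[a-z]+-)?\d{2}-[vV]$")

# Constructed sample configuration carrying the reported token and one reported proxy name.
SAMPLE_CONFIG = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = frpforzhangwei

[10014-win-nic-32-v]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6001

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
"""


def proxy_name_matches(name):
    """True if a proxy section name is one of the reported names or fits their pattern."""
    return name in KNOWN_PROXY_NAMES or bool(PROXY_NAME_RE.match(name))


def check_frp_config(text):
    """Return a list of human-readable findings for an frpc.ini-style configuration."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.has_section("common") and cp.get("common", "token", fallback="") == KNOWN_TOKEN:
        findings.append("token matches the CL-UNK-1068 FRP authentication token")
    for section in cp.sections():
        if section == "common":
            continue
        if proxy_name_matches(section):
            findings.append(f"proxy name {section!r} matches the CL-UNK-1068 naming convention")
    return findings


if __name__ == "__main__":
    for finding in check_frp_config(SAMPLE_CONFIG):
        print(finding)
```

The generic [ssh] proxy in the sample produces no finding, so the check can run over every FRP configuration recovered from a host without flagging ordinary use of the tool; a match on the token is the stronger signal, since proxy names are easy to change.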