Nation-State Hackers Deploy “Airstalk”: What Tech Leaders Must Know Now

Security researchers link a suspected state-backed cluster (Unit 42’s CL-STA-1009) to a new malware family named Airstalk. The malware abuses the AirWatch / Workspace ONE MDM API as a covert C2 channel, comes in PowerShell and .NET variants, and specializes in exfiltrating browser artifacts (cookies, bookmarks, history) and screenshots, which gives the operator long-term access and a path into the accounts those stolen sessions unlock. The distribution vector looks like a supply-chain / third-party vendor compromise, which means organizations that rely on BPOs or managed services are particularly at risk. Below: what this does, why it matters, and what to do next, from bench to boardroom.


What is Airstalk?

Airstalk is a backdoor that abuses AirWatch / Workspace ONE mobile device management (MDM) APIs to hide command-and-control (C2) traffic inside legitimate-looking MDM API calls. Two variants have been observed:

  • PowerShell variant: Uses the /api/mdm/devices/ endpoint and the MDM custom attributes feature as a “dead drop” for commands and small data. Persists via scheduled tasks.
  • .NET variant: More feature-rich — targets additional enterprise browsers (Edge and Island), mimics an AirWatch helper binary, supports multiple message types (CONNECT/CONNECTED, ACTIONS, RESULT plus DEBUG/PING/MISMATCH), multi-threaded execution for task handling, exfiltration, and beaconing. Some .NET samples appear signed with a likely stolen certificate.

Capabilities include: taking screenshots, collecting browser cookies, enumerating and exfiltrating Chrome/Edge/Island profiles (bookmarks, history, cookies), listing user directories, uploading large outputs via MDM “blob” uploads, and self-uninstall.


Why this matters beyond the technical noise

  1. Covert use of trusted infrastructure. By piggybacking on MDM APIs, Airstalk blends malicious traffic with legitimate management operations. That reduces detection rates and increases dwell time.
  2. High-value data extraction. Browser cookies and session artifacts are gold for attackers: a stolen post-authentication cookie is accepted by the web application without a second factor, so it allows session hijacking, sidesteps multi-factor authentication, and lets the operator impersonate privileged users.
  3. Supply-chain and third-party risk. Targeting MDM flows and enterprise browsers suggests attackers may have seeded Airstalk via vendor environments or managed services (BPOs), giving them lateral reach across multiple client organizations.
  4. Persistence + stealth = long-term access. Multi-threaded C2, stolen certificates, and MDM-backed data channels are features you see when attackers aim for sustained espionage, not one-off ransomware.

Who should care (and why)

  • Security engineers & SOC analysts: This is a detection challenge. MDM API logs are high-value telemetry: device records you do not recognize, custom-attribute writes at an unusual rate, and blob uploads from endpoints that never upload are the signals to watch.
  • IT / Endpoint teams: Browser session hygiene, code-signing certificate inventory, and disabling or tightly scoping MDM features you do not use (custom attributes, blob uploads) are immediate areas to review.
  • Product/security vendors & integrators (BPOs): You are potential force-multipliers for attackers; vendor security posture must be demonstrable and tight.
  • CEOs & Boards: This is a reputational and operational risk. Stolen browser artifacts can expose customer and client accounts — meaning downstream legal, contractual, and client-trust implications.

Concrete detection and mitigation steps (technical checklist)

Detect

  • Monitor Workspace ONE / AirWatch API usage for anomalous patterns:
    • Unusual device IDs making frequent “custom attributes” GET/POSTs
    • Unexpected blob uploads (esp. binary blobs from endpoints that rarely upload files)
    • New or rare user agents or last-seen IPs interacting with MDM endpoints
  • Correlate MDM activity with endpoint process telemetry:
    • Suspicious PowerShell parentage, or a process named AirwatchHelper.exe whose Authenticode signature does not match the publisher you expect for the real helper.
  • Hunt for signed binaries whose signer is not one of the publishers expected in your environment (a possible stolen certificate); a valid signature is not proof of a trustworthy binary.
  • Look for signs of cookie theft, e.g., sudden token reuse from diverse geolocations.
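One way to turn the last bullet into a concrete check, as an added example for this article (not Unit 42’s tooling and not code from the original post): the access records, their field names, and the two-hour reuse window below are constructed assumptions, to be mapped onto your own reverse-proxy or identity-provider logs.

```python
"""Flag a web session that turns up in two geolocations too close together (added example).

Assumptions (not from the article): access records with ts, session, src_ip, geo, taken from
a reverse proxy or identity provider log; REUSE_WINDOW separates hijack from ordinary travel.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REUSE_WINDOW = timedelta(hours=2)   # assumption: tune to how fast your users really move

# Constructed records: sess-A is normal, sess-B is replayed from another country eight minutes
# after its owner used it, sess-C changes country but 27 hours later (travel, not theft).
ACCESS_LOG = [
    {"ts": "2025-10-22T08:00:00Z", "session": "sess-A", "src_ip": "203.0.113.10", "geo": "DE"},
    {"ts": "2025-10-22T08:20:00Z", "session": "sess-A", "src_ip": "203.0.113.10", "geo": "DE"},
    {"ts": "2025-10-22T09:00:00Z", "session": "sess-B", "src_ip": "203.0.113.25", "geo": "DE"},
    {"ts": "2025-10-22T09:08:00Z", "session": "sess-B", "src_ip": "198.51.100.7", "geo": "US"},
    {"ts": "2025-10-22T09:09:00Z", "session": "sess-B", "src_ip": "198.51.100.7", "geo": "US"},
    {"ts": "2025-10-21T07:00:00Z", "session": "sess-C", "src_ip": "192.0.2.40", "geo": "GB"},
    {"ts": "2025-10-22T10:00:00Z", "session": "sess-C", "src_ip": "192.0.2.77", "geo": "FR"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_reused_sessions(records, window=REUSE_WINDOW):
    """Return {session: [(geo_before, geo_after, minutes_apart), ...]} for every session whose
    consecutive requests come from different geolocations less than `window` apart."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append((_ts(r["ts"]), r["geo"], r["src_ip"]))
    hits = {}
    for sess, events in by_session.items():
        events.sort()                       # log lines rarely arrive in time order
        for (t1, g1, _), (t2, g2, _) in zip(events, events[1:]):
            if g1 != g2 and t2 - t1 <= window:
                minutes = int((t2 - t1).total_seconds() // 60)
                hits.setdefault(sess, []).append((g1, g2, minutes))
    return hits


if __name__ == "__main__":
    for sess, jumps in find_reused_sessions(ACCESS_LOG).items():
        for g1, g2, minutes in jumps:
            print(f"{sess}: {g1} -> {g2} within {minutes} min; invalidate and force re-authentication")
```

Geolocation alone is a weak signal (VPN egress, mobile carriers, split tunnels), so in production add the source ASN or a device fingerprint to the comparison and keep the window short; the point of the window is that a user who logs in from a second country a day later is travel, while the same cookie in two countries within minutes is reuse.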

Contain

  • Throttle or temporarily disable non-essential blob uploads or custom attributes usage in your MDM policy until investigations complete.
  • Force logouts / session resets for high-risk web applications where cookie theft would be catastrophic.
  • Revoke and rotate any credentials or API tokens used by the compromised marketing, MDM, or service accounts.

Remediate

  • Reimage infected hosts when you find the backdoor; scheduled tasks, startup items, and persistence mechanisms must be removed.
  • Rotate certificates. If a suspected stolen signing certificate is yours, revoke it with the issuing CA; if it belongs to a vendor, notify them and block that signer in your application-control policy.
  • Review third-party vendor access and implement least privilege for MDM API tokens; enforce short token lifetimes and scoped permissions.

Prevent

  • Enforce strong certificate and key lifecycle practices for all internal-facing tooling.
  • Segment vendor networks and restrict vendor access to production systems using zero-trust network access (ZTNA).
  • Regularly audit and rotate service/API tokens used by vendors and marketing/MDM systems.
  • Mandate vendor security attestations, scanning, and breach-disclosure SLAs in contracts with BPOs and managed-service providers.

Talking to the board / non-technical leadership (60-second script)

“We’ve seen a sophisticated malware family called Airstalk that uses legitimate device-management APIs to hide its command traffic. Its main danger is quietly exfiltrating browser sessions and credentials via trusted vendor channels — meaning one compromised vendor can yield access across many client systems. I recommend we prioritize an immediate audit of our MDM and third-party API tokens, force session invalidation for critical apps, and brief our vendor partners to confirm they’re not affected.”


Example detection query / hunt (SOC-friendly)

  • Search MDM API logs for POST/PUT requests to /api/mdm/devices/* that write custom attributes from device IDs absent from your baseline, and for blob uploads larger than X KB from endpoints that never upload files.
  • SIEM rule (pseudocode): if (workspace_one.api.customAttributeWrites > baseline * 5) and (blobUploadCount > threshold) then alert

(Adapt thresholds to your environment and baseline. Either condition on its own is worth a lower-severity alert; the AND keeps the high-severity rule quiet.)
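The detection bullets above and the pseudo-rule in this section, carried through as an added example (not the original article’s code and not a Workspace ONE product feature): the JSON field names, the path fragments used to recognize custom-attribute writes and blob uploads, the thresholds and the equal-length baseline and hunt windows are all assumptions, and every log line is constructed.

```python
"""Baseline-vs-window hunt over Workspace ONE / AirWatch API logs (added example).

Assumptions (not from the article or the product docs):
  - one JSON object per log line with fields ts, device_id, method, path,
    bytes_out, user_agent, src_ip; map your tenant's export onto these names
  - custom-attribute writes are recognised by "/customattributes" in the path,
    blob uploads by "/blobs/" in the path; adjust to the paths you actually see
  - the baseline and the hunt window cover the same length of time
"""
import json
from collections import Counter, defaultdict

CUSTOM_ATTR_MARKER = "/customattributes"
BLOB_MARKER = "/blobs/"
WRITE_METHODS = {"POST", "PUT", "PATCH"}
RATE_FACTOR = 5                    # the article's "baseline * 5" heuristic
MIN_WRITES = 5                     # floor: a zero-baseline device is not flagged for one write
BLOB_BYTES_THRESHOLD = 1_000_000   # tune to what your endpoints legitimately upload

AGENT_UA = "AirWatchAgent/23.10 (constructed)"
ODD_UA = "WindowsPowerShell/5.1 (constructed)"


def _line(ts, dev, method, path, nbytes, ua, ip):
    """Build one constructed log line in the assumed format."""
    return json.dumps({"ts": ts, "device_id": dev, "method": method, "path": path,
                       "bytes_out": nbytes, "user_agent": ua, "src_ip": ip})


# Constructed baseline: two enrolled devices, one custom-attribute write each, agent UA only.
BASELINE_LOG = "\n".join([
    _line("2025-10-20T09:00:01Z", "dev-1001", "GET", "/api/mdm/devices/1001", 0, AGENT_UA, "10.0.5.21"),
    _line("2025-10-20T09:05:02Z", "dev-1001", "PUT", "/api/mdm/devices/1001/customattributes", 180, AGENT_UA, "10.0.5.21"),
    _line("2025-10-20T10:05:02Z", "dev-1002", "PUT", "/api/mdm/devices/1002/customattributes", 170, AGENT_UA, "10.0.5.22"),
])

# Constructed hunt window: dev-1001 behaves as before; dev-1002 hammers the dead drop from a
# PowerShell-looking client and pushes a 2.5 MB blob; dev-9999 never appeared in the baseline.
WINDOW_LOG = "\n".join(
    [_line("2025-10-27T09:05:02Z", "dev-1001", "PUT", "/api/mdm/devices/1001/customattributes", 180, AGENT_UA, "10.0.5.21"),
     _line("2025-10-27T11:00:00Z", "dev-9999", "GET", "/api/mdm/devices/9999", 0, AGENT_UA, "10.0.9.9"),
     _line("2025-10-27T12:40:00Z", "dev-1002", "POST", "/api/mam/blobs/uploadblob", 2_621_440, ODD_UA, "10.0.5.22")]
    + [_line(f"2025-10-27T12:{m:02d}:00Z", "dev-1002", "PUT", "/api/mdm/devices/1002/customattributes", 512, ODD_UA, "10.0.5.22")
       for m in range(0, 40, 5)]       # eight writes in forty minutes
)


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def profile(events):
    """Per-device custom-attribute write counts, blob bytes uploaded, and the user agents seen."""
    attr_writes, blob_bytes, user_agents = Counter(), Counter(), set()
    for e in events:
        if e["method"] in WRITE_METHODS:
            if CUSTOM_ATTR_MARKER in e["path"]:
                attr_writes[e["device_id"]] += 1
            if BLOB_MARKER in e["path"]:
                blob_bytes[e["device_id"]] += e["bytes_out"]
        user_agents.add(e["user_agent"])
    return attr_writes, blob_bytes, user_agents


def hunt(baseline_events, window_events):
    """Return {device_id: [reasons]} for devices whose window activity departs from baseline."""
    base_writes, _, base_uas = profile(baseline_events)
    known = {e["device_id"] for e in baseline_events}
    win_writes, win_blob, _ = profile(window_events)
    findings = defaultdict(list)
    for dev in sorted({e["device_id"] for e in window_events}):
        if dev not in known:
            findings[dev].append("device id not present in baseline")
        if win_writes[dev] >= max(RATE_FACTOR * base_writes[dev], MIN_WRITES):
            findings[dev].append(f"{win_writes[dev]} custom-attribute writes vs baseline {base_writes[dev]}")
        if win_blob[dev] > BLOB_BYTES_THRESHOLD:
            findings[dev].append(f"blob uploads total {win_blob[dev]} bytes")
    for e in window_events:
        if e["user_agent"] not in base_uas:
            reason = f"user agent not seen in baseline: {e['user_agent']}"
            if reason not in findings[e["device_id"]]:
                findings[e["device_id"]].append(reason)
    return dict(findings)


if __name__ == "__main__":
    for dev, reasons in hunt(parse_log(BASELINE_LOG), parse_log(WINDOW_LOG)).items():
        print(dev, "->", "; ".join(reasons))
```

Each finding carries every reason that fired, so the SOC can rank the device that trips all three (write rate, blob volume, unfamiliar client) above the one that is merely new; the MIN_WRITES floor matters because most devices write custom attributes rarely, and a pure ratio against a baseline of zero or one would flag half the fleet.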


Final thought — this is a vendor problem and your problem

Airstalk is a textbook example of attackers focusing on trust chains rather than raw exploits of hardened endpoints. If your organization relies on third-party MDM, marketing, or managed services, you must treat those trust relationships as first-class security controls. In other words: vendor security posture + telemetry hygiene = enterprise resilience.
