Airstalk Malware: A Supply Chain Threat Exploiting Enterprise MDM APIs

In late 2025, cybersecurity researchers uncovered a new and highly sophisticated malware family dubbed Airstalk, which is posing significant risks to enterprise environments worldwide. This Windows-based malware demonstrates advanced tactics by abusing legitimate mobile device management (MDM) APIs to establish stealthy command-and-control channels and exfiltrate sensitive data, notably targeting business process outsourcing (BPO) providers and their client networks.

What is Airstalk?

Airstalk exists in two main variants: a PowerShell-based loader and a more advanced .NET backdoor. Both variants misuse the VMware Workspace ONE Unified Endpoint Management (formerly AirWatch) API to carry out covert communications with attacker-controlled infrastructure. Unlike typical malware networks that rely on suspicious or blocked communication channels, Airstalk blends its command and control (C2) traffic into legitimate enterprise MDM operations, making detection much more difficult.

Who is Targeted and Why?

The primary targets are BPOs, which play a critical role in supporting multiple organizations with IT, customer support, and finance functions. By infecting BPO endpoints, attackers gain a wide foothold across many downstream clients, magnifying the reach and impact of their espionage activities. The suspected actor behind Airstalk, tracked as CL-STA-1009, exhibits hallmarks of a sophisticated nation-state group with probable ties to China, notably utilizing a stolen, quickly revoked code-signing certificate to evade detection.

How Does Airstalk Work?

  • Malware Variants & Capabilities:
    The PowerShell variant supports screenshot capture, stealing cookies and browsing data from Google Chrome, file enumeration, and self-uninstallation.
    The .NET variant greatly expands these capabilities with multi-threaded C2 communication, targeting additional browsers such as Microsoft Edge and Island Browser, and exfiltrating large blobs of data such as screenshots and browser session information.
  • Covert C2 Channel:
    Airstalk cleverly uses the MDM API’s features — such as managing custom device attributes and uploading file blobs — to carry commands and exfiltrate data encoded as JSON. This “dead drop” communication mimics normal device management traffic, evading typical network security controls.
  • Persistence and Stealth:
    The malware maintains persistence using scheduled tasks and employs digital signatures from revoked certificates to appear legitimate. This operational finesse complicates incident response and detection efforts.

Implications for Organizations

Airstalk reveals a new dimension of supply chain attacks where trusted enterprise management infrastructure like Workspace ONE can be weaponized. Security teams must focus on monitoring unusual API activities, validating code signatures, and scrutinizing BPO vendor environments and supplier chains for suspicious behaviors.

Defending Against Airstalk

  • Conduct thorough audits of MDM API usage, focusing on custom device attribute changes and blob uploads.
  • Employ behavioral analysis to detect anomalies in enterprise management traffic.
  • Verify digital signatures on binaries and raise alerts on revoked or unexpected certificates.
  • Engage with incident response experts if compromise is suspected, especially in environments using VMware Workspace ONE.
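The "dead drop" channel described above (commands and exfiltrated data carried in custom device attributes and blob uploads) and the first two defensive steps (audit attribute changes and blob uploads, look for anomalies in management traffic) can be illustrated with one detector. The following is an added example written for this article; it is not code from the article's author, from the researchers who documented Airstalk, or from the Workspace ONE product. The event schema (`ts`, `api`, `device`, `attribute`, `value`, `size`) is an assumed, simplified shape rather than the real Workspace ONE UEM audit-log format, the thresholds are illustrative, and the sample events, including the base64 wrapping of the JSON values, are constructed.

```python
"""Heuristic review of MDM API audit events for Airstalk-style dead-drop use.

Added example for this article, not code from its author or from the Workspace ONE
product. The event schema (ts, api, device, attribute, value, size) is an ASSUMED,
simplified shape, not the real Workspace ONE UEM audit format; thresholds are
illustrative and the sample events are CONSTRUCTED.
"""
import base64
import binascii
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _b64_json(obj) -> str:
    """Constructed sample value: a JSON document wrapped in base64. The base64 layer
    is an assumption for the sample; the article only says the data is JSON."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample audit events. DEV-1 behaves like a normal managed endpoint;
# DEV-2 rewrites one attribute with encoded JSON every minute and uploads large blobs.
SAMPLE_EVENTS = [
    {"ts": "2025-10-20T09:00:00", "api": "custom_attribute.update", "device": "DEV-1",
     "attribute": "AssetTag", "value": "HQ-4421"},
    {"ts": "2025-10-20T09:00:05", "api": "custom_attribute.update", "device": "DEV-2",
     "attribute": "SyncState", "value": _b64_json({"seq": 1, "status": "ok"})},
    {"ts": "2025-10-20T09:00:30", "api": "blob.upload", "device": "DEV-1", "size": 120_000},
    {"ts": "2025-10-20T09:01:00", "api": "custom_attribute.update", "device": "DEV-2",
     "attribute": "SyncState", "value": _b64_json({"seq": 2, "status": "ok"})},
    {"ts": "2025-10-20T09:01:10", "api": "blob.upload", "device": "DEV-2", "size": 4_000_000},
    {"ts": "2025-10-20T09:02:00", "api": "custom_attribute.update", "device": "DEV-2",
     "attribute": "SyncState", "value": _b64_json({"seq": 3, "status": "ok"})},
    {"ts": "2025-10-20T09:02:30", "api": "blob.upload", "device": "DEV-2", "size": 2_500_000},
    {"ts": "2025-10-20T09:03:00", "api": "custom_attribute.update", "device": "DEV-2",
     "attribute": "SyncState", "value": _b64_json({"seq": 4, "status": "ok"})},
]


def looks_like_json_payload(value: str) -> bool:
    """True if the value is a JSON object/array, either as-is or after base64 decoding.
    Plain inventory strings such as 'HQ-4421' return False."""
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        pass
    for text in candidates:
        text = text.strip()
        if not text or text[0] not in "{[":
            continue
        try:
            parsed = json.loads(text)
        except json.JSONDecodeError:
            continue
        if isinstance(parsed, (dict, list)):
            return True
    return False


def analyse(events, window=timedelta(minutes=5), max_attr_writes=3, blob_limit=5_000_000):
    """Return unique (rule, device, detail) findings, in the order first raised.

    Rules mirror the article's advice to audit custom attribute changes and blob uploads:
      json_in_attribute     - attribute value carries a JSON document
      attribute_write_burst - more than max_attr_writes writes to one attribute per window
      blob_volume           - cumulative blob upload bytes per device above blob_limit
    """
    findings = []
    write_times = defaultdict(list)   # (device, attribute) -> timestamps of writes
    blob_bytes = defaultdict(int)     # device -> bytes uploaded so far

    def raise_once(rule, device, detail):
        item = (rule, device, detail)
        if item not in findings:
            findings.append(item)

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        dev = ev["device"]
        if ev["api"] == "custom_attribute.update":
            attr = ev["attribute"]
            if looks_like_json_payload(ev["value"]):
                raise_once("json_in_attribute", dev, attr)
            times = write_times[(dev, attr)]
            times.append(ts)
            recent = [t for t in times if ts - t <= window]
            if len(recent) > max_attr_writes:
                raise_once("attribute_write_burst", dev, attr)
        elif ev["api"] == "blob.upload":
            blob_bytes[dev] += int(ev.get("size", 0))
            if blob_bytes[dev] > blob_limit:
                raise_once("blob_volume", dev, f"{blob_bytes[dev]} bytes")
    return findings


if __name__ == "__main__":
    for rule, device, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:22} {device:8} {detail}")
```

Run against the constructed events, the script flags only DEV-2: its attribute value decodes to a JSON document, the same attribute is rewritten four times inside the five-minute window, and its uploads pass the byte limit. In a real deployment the thresholds would be set from a baseline of the tenant's normal attribute churn and upload volume, and the JSON check is a cheap first filter rather than proof of compromise, since some legitimate integrations also store structured values in custom attributes.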

In conclusion, Airstalk exemplifies how advanced threat actors innovate by blending attacks into trusted infrastructure, raising the bar for defense in modern enterprise ecosystems. Staying informed and vigilant around supply chain and MDM-related threats is critical to protecting organizational data and operations.
