Long‑Term CL‑UNK‑1068 Campaign Exploits DLL Sideloading and Custom Proxies
Palo Alto Networks’ Unit 42 uncovered a previously undocumented threat actor group, labeled CL‑UNK‑1068, that has been compromising high‑value organizations in energy, finance, healthcare, and government sectors for at least three years. The group relies on DLL sideloading, in which a legitimate, trusted binary is made to load a malicious DLL in place of the library it expects, so the malicious code runs inside a trusted process and evades traditional signature‑based detection. A custom reverse‑proxy network routes command‑and‑control traffic through compromised hosts, obscuring the attacker’s infrastructure and making network‑level alerts difficult to trigger.
The operation has achieved long‑term persistence, enabling credential theft, lateral movement, and exfiltration of proprietary data and intellectual property. Defenders should focus on detecting anomalous DLL loading behaviors, scrutinizing unexpected proxy traffic, and enforcing strict application whitelisting and network segmentation. Early disruption of the proxy tunnels can sever the attacker’s foothold, reduce data loss, and protect critical infrastructure from further compromise.
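As an added example (not from Unit 42's report), the following Python sketches what "detecting anomalous DLL loading behaviors" looks like in practice: it checks Sysmon-style image-load records against two classic sideloading patterns, a system DLL name served from outside the system directories, and an unsigned DLL loaded from the executable's own user-writable folder. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed); the DLL name list and the sample events are constructed for illustration.

```python
from pathlib import PureWindowsPath

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Illustrative subset of DLLs that Windows normally serves from the system
# directories; a same-named copy loaded from anywhere else is suspicious.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                    "cryptsp.dll", "dwmapi.dll", "profapi.dll", "winhttp.dll"}
# Path fragments that mark user-writable locations, where a copied legitimate
# executable and a planted DLL typically sit side by side.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def sideload_reasons(ev: dict) -> list:
    """Return the reasons one image-load event looks like DLL sideloading (empty = clean)."""
    host = PureWindowsPath(_norm(ev["Image"]))          # process that performed the load
    dll = PureWindowsPath(_norm(ev["ImageLoaded"]))     # library that was loaded
    dll_signed = ev.get("Signed", "false").lower() == "true"
    dll_dir = str(dll.parent)
    reasons = []
    if dll.name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append(f"{dll.name} loaded from {dll_dir} instead of a system directory")
    if (dll.parent == host.parent and not dll_signed
            and any(m in dll_dir + "\\" for m in USER_WRITABLE_MARKERS)):
        reasons.append("unsigned DLL loaded from the executable's own user-writable directory")
    return reasons


def scan(events: list) -> list:
    """Return (Image, reasons) for every event that trips at least one rule."""
    return [(ev["Image"], r) for ev in events if (r := sideload_reasons(ev))]


# Constructed sample events in Sysmon Event ID 7 shape.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    {"Image": "C:\\Program Files\\Acme\\acme.exe",
     "ImageLoaded": "C:\\Program Files\\Acme\\libacme.dll", "Signed": "true"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\vendor\\update.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\vendor\\version.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the third sample event is flagged, and it trips both rules; in a real deployment the system DLL list should be built from an inventory of the fleet's own system directories rather than typed by hand.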
Categories: Threat Intelligence, Malware & Ransomware