Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Airstalk, AI Hijacks, and Cargo Theft in the Supply Chain
Today, we dissect how a suspected Chinese APT used the new 'Airstalk' malware to compromise BPOs in targeted supply chain attacks, and why the Claude AI model was successfully tricked into exfiltrating user data. Plus, we look at the rising threat of cybercriminals exploiting legitimate RMM tools to steal physical cargo from logistics networks.
Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we break down the biggest headlines shaping the cybersecurity landscape. I’m your host, Mike Housch, and we’ve got a packed show today covering everything from sophisticated nation-state malware leveraging mobile APIs, to AI models being tricked into handing over user data, and how cybercriminals are turning digital breaches into physical cargo theft.
We’re starting off with a classic supply chain attack scenario, but with a novel twist in the command and control mechanism. Palo Alto Networks has reported on a suspected Chinese state-sponsored threat actor, tracked as CL-STA-1009, deploying a new malware family they’ve dubbed Airstalk.
Now, who are they targeting? They’re aiming squarely at Business Process Outsourcing, or BPO, entities. This makes perfect sense; BPOs are critical gateways into multiple client environments because they typically leverage the economy of scale to service many clients concurrently. Attackers are willing to invest generously in resources to not only compromise BPOs but to maintain access indefinitely. This makes them ideal targets for supply chain attacks.
The real digital shenanigan here is how Airstalk establishes covert communications. Airstalk, which comes in both PowerShell and .NET variants, abuses the AirWatch API used for mobile device management, or MDM, to establish a communication channel with its command-and-control server.
The PowerShell version is designed to receive commands to perform surveillance and data harvesting. It can take screenshots, list files in the user directory, list Chrome profiles, and harvest crucial data from Chrome, including cookies, bookmarks, and browser history. The .NET variant is even more sophisticated, using a slightly different communication protocol and targeting additional browsers like Microsoft Edge and Island Browser alongside Chrome. It can also open URLs in Chrome. Both variants were signed using likely stolen certificates and employ defense techniques, such as using a revoked certificate and altering timestamps to remain undetected within BPO networks. Palo Alto Networks assesses with medium confidence that adversaries used this activity cluster (CL-STA-1009) in supply chain attacks.
Next up, we’re pivoting to the rapidly evolving and sometimes precarious world of Artificial Intelligence security. A security researcher recently discovered a major method for data exfiltration using Anthropic’s Claude AI model APIs.
The core issue? Indirect prompt injection. This is essentially an attacker creating a malicious document that, when loaded by a user into Claude for analysis, hijacks the model. The exploit code then follows malicious instructions to harvest the user's data, save it to Claude’s Code Interpreter sandbox, and then call the Anthropic File API. The crucial detail is that the payload provides an attacker-owned API key, tricking Claude into uploading the sensitive file (which can be up to 30MB at once) directly to the attacker’s account.
The attack relies on Claude having network access, a feature enabled by default on certain plans meant to allow the model to access resources like code repositories. The researcher noted that this technique could be used to exfiltrate the user’s chat conversations, especially those saved using the newly introduced ‘memories’ feature. Interestingly, when the researcher first disclosed this to Anthropic, the report was closed, with the company explaining that it was a model safety issue, not a security vulnerability. However, following publication of the information, Anthropic notified the researcher that the data exfiltration vulnerability is in-scope for reporting. This highlights the ongoing confusion and debate in the industry about where 'safety' ends and 'security' begins when dealing with advanced generative AI models.
Moving from highly strategic nation-state attacks and AI exploits to pure cybercrime, we have a growing trend affecting the surface transportation industry: cybercriminals exploiting legitimate Remote Monitoring and Management, or RMM, tools to infiltrate logistics and freight networks.
Proofpoint has been tracking this threat cluster, which is believed to have been active since at least June 2025 and is reportedly collaborating with organized crime groups. The ultimate goal is financial gain and the theft of physical goods—specifically, plundering physical cargo freight, with food and beverage products being the most targeted commodities. The stolen cargo is often sold online or shipped overseas.
The attackers use several methods to gain entry. This includes hijacking existing conversations using compromised email accounts, targeting freight brokerage firms and integrated supply chain providers with spear-phishing emails, and, perhaps most cleverly, posting fraudulent freight listings using hacked accounts on load boards. Carriers who inquire about these fraudulent loads receive emails containing malicious URLs. These URLs lead to booby-trapped installers that deploy legitimate RMM tools such as SimpleHelp, ScreenConnect, PDQ Connect, N-able, LogMeIn Resolve, and Fleetdeck.
The use of RMM software gives the bad actors several significant advantages. First, they don't have to devise bespoke malware. Second, and perhaps more concerning for defenders, these tools are often not flagged as malicious by security solutions because they are signed, legitimate payloads common in enterprise environments, allowing the attackers to fly under the radar. Once inside, they perform reconnaissance, drop credential harvesting tools like WebBrowserPassView, and burrow deeper. In one particularly brazen case, the threat actor weaponized the access to delete existing bookings, block dispatcher notifications, and then added their own device to the dispatcher's phone extension to book and coordinate the transport of stolen loads. This shows a direct link between the digital breach and the physical, criminal outcome.
Finally, a few quick scoops we need to cover. First, good news for Chrome users. Google has released Chrome 142, patching 20 vulnerabilities, including seven high-severity flaws. Crucially, Google paid out $100,000 in bug bounty rewards for two high-severity V8 JavaScript engine defects: a type confusion issue (CVE-2025-12428) and an inappropriate implementation defect (CVE-2025-12429). The size of the payout suggests these bugs could potentially be exploited for Remote Code Execution. Separately, Google is making a major security change: starting next October with Chrome 154, the "Always Use Secure Connections" setting will be on by default. This means Chrome will warn users who try to visit a plain old HTTP page, adding friction but improving security across the board.
And speaking of secure connections, WhatsApp is rolling out passkey-encrypted backups for Android and iOS devices. Instead of relying on a password or a cumbersome 64-digit encryption key for cloud backups, users can now use a lockscreen code, fingerprint, or face recognition to protect those chat backups.
That’s a smart move in a world where phishing attempts, like the recent one targeting LastPass users with fake "proof of life" emails, are constantly seeking those cryptocurrency and sensitive credentials.
That wraps up this episode of Cyber Scoops & Digital Shenanigans. Stay vigilant, patch promptly, and keep your eye on your BPO partners. I’m Mike Housch, and we’ll catch you next time for more scoops and shenanigans.