
Airstalk Malware Exploits VMware AirWatch MDM APIs for Covert C2 Operations

Researchers at Palo Alto Networks’ Unit 42 have uncovered a sophisticated malware family, Airstalk, deployed as part of a suspected nation-state operation tracked under the cluster CL-STA-1009.

The malware, written in both PowerShell and .NET, appears to have been used in a likely supply chain attack targeting business process outsourcing (BPO) providers and managed service entities.

Airstalk abuses VMware’s AirWatch Mobile Device Management (now Workspace ONE UEM) API to establish covert command-and-control (C2) communications.

By exploiting legitimate AirWatch endpoints and device attribute functionality, the malware bypasses typical security monitoring and blends into trusted enterprise traffic. Some samples were even signed with a likely stolen digital certificate to evade detection.

Abusing AirWatch’s MDM API for Covert C2

The PowerShell variant of Airstalk communicates over the AirWatch MDM API at /api/mdm/devices/, using custom device attributes as a…
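As an added illustration (not code from the Unit 42 report or the article), here is a hunting heuristic a defender could run over web-proxy logs: it keys on the /api/mdm/devices/ path the article names and flags clients that poll it on a fixed cadence from a PowerShell or .NET user agent, the kind of traffic that otherwise blends into legitimate MDM activity. The log format, host name, device id and the customattributes sub-path are constructed sample data and assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web-proxy log lines (not from the report). Format:
#   timestamp client method url "user-agent"
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z 10.1.1.5 GET https://uem.example.test/api/mdm/devices/search "Mozilla/5.0 Chrome/120"
2024-01-01T10:00:00Z 10.1.1.9 PUT https://uem.example.test/api/mdm/devices/4211/customattributes "WindowsPowerShell/5.1"
2024-01-01T10:05:02Z 10.1.1.9 PUT https://uem.example.test/api/mdm/devices/4211/customattributes "WindowsPowerShell/5.1"
2024-01-01T10:10:01Z 10.1.1.9 GET https://uem.example.test/api/mdm/devices/4211/customattributes "WindowsPowerShell/5.1"
2024-01-01T10:15:00Z 10.1.1.9 PUT https://uem.example.test/api/mdm/devices/4211/customattributes "WindowsPowerShell/5.1"
2024-01-01T10:20:03Z 10.1.1.9 GET https://uem.example.test/api/mdm/devices/4211/customattributes "WindowsPowerShell/5.1"
2024-01-01T10:03:00Z 10.1.1.5 GET https://uem.example.test/api/mdm/devices/search "Mozilla/5.0 Chrome/120"
2024-01-01T11:47:00Z 10.1.1.5 GET https://uem.example.test/api/mdm/devices/4211 "Mozilla/5.0 Chrome/120"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
API_PREFIX = "/api/mdm/devices/"          # endpoint named in the article
SCRIPT_UA = re.compile(r"PowerShell|\.NET", re.IGNORECASE)  # assumed agent strings

def parse(log_text):
    """Yield (timestamp, client, method, path, user_agent) for requests to the devices API."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        path = re.sub(r"^https?://[^/]+", "", url)
        if path.startswith(API_PREFIX):
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, method, path, ua

def find_beacons(log_text, min_requests=4, max_jitter=0.2):
    """Flag (client, user-agent) pairs that hit the devices API on a steady cadence.

    A scripting user agent plus low timing jitter is a hunting lead only; confirm
    whether the host legitimately runs an MDM agent before escalating.
    """
    by_source = defaultdict(list)
    for ts, client, _method, _path, ua in parse(log_text):
        by_source[(client, ua)].append(ts)
    hits = []
    for (client, ua), stamps in by_source.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # coefficient of variation
            hits.append({"client": client, "user_agent": ua, "requests": len(stamps),
                         "interval_s": round(avg), "scripted_ua": bool(SCRIPT_UA.search(ua))})
    return hits
```

Against the sample above, only 10.1.1.9 is flagged (five requests about 300 seconds apart from a PowerShell agent); the browser client makes too few, irregularly spaced requests to qualify.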
