
Nation-State Hackers Deploy New Airstalk Malware in Supply Chain Attack
A suspected nation-state threat actor has been linked to the distribution of new malware called Airstalk, which is believed to be part of a supply chain attack. The group, tracked by Palo Alto Networks Unit 42 as CL-STA-1009, is suspected of being state-sponsored. Airstalk hijacks the AirWatch API for mobile device management (MDM), potentially allowing the attacker to gain control over managed devices.

This attack highlights the growing threat of supply chain attacks and the importance of securing MDM solutions. Cybersecurity professionals should ensure that their MDM solutions are properly secured and monitored for signs of compromise. The use of a supply chain attack suggests that the attacker is looking to maximize impact and potentially gain access to a large number of targets. The incident underscores the need for organizations to secure their third-party vendors and service providers and to have plans in place to respond to supply chain attacks.