Chinese Threat Group CL-UNK-1068 Targets Critical Infrastructure Across Asia in Years-Long Campaign
March 30, 2026
A persistent and wide-ranging cyber-espionage campaign linked to Chinese operatives has been quietly infiltrating the backbone of Asian industry for over five years, according to new security intelligence.
The group, tracked by researchers as CL-UNK-1068, has successfully compromised a "who's who" of high-value targets across the aviation, energy, government, telecommunications, pharmaceuticals, and technology sectors. Since 2020, the group's primary objective appears to be deep-rooted persistence, granting them a "backdoor" into the critical systems that power South and Southeast Asia.

How CL-UNK-1068 Executes Multi-Phase Cyberattacks to Evade Detection
Researchers say that the group deploys a deliberate, staged attack sequence designed to evade detection at every phase. Each stage subtly extends control without drawing attention.

Initial access: Initial access is typically gained through the exploitation of web servers, followed by the deployment of web shells to secure a long-term base for operations. Because these tools piggyback on standard web protocols, the group is able to mask its presence within the high volume of daily server traffic, effectively neutralizing traditional detection methods.

Lateral movement: By leveraging administrative tools and scripts, like web shells and community-shared utilities, attackers move laterally within the network under the guise of legitimate activity, effectively bypassing traditional security alerts.

Credential theft: Attackers then steal credentials with tools like Mimikatz and LsaRecorder so they can access additional accounts and systems, gaining higher-level privileges that enable deeper control across the network.

Data exfiltration: To evade detection, attackers often use web shells to exfiltrate data as Base64-encoded text. This technique disguises archives as simple text output, allowing the transfer to stay under the radar of monitoring tools that flag unusual file movements.

Persistence: To maintain access over time, the attackers load malicious code through trusted Python programs and use a modified network tunneling tool (in this instance, Fast Reverse Proxy) to communicate with compromised systems so their activities look like normal, legitimate processes.

How to Defend Against Sophisticated Stealth Tactics
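The exfiltration stage above relies on monitoring tools treating a web shell's output as harmless text. A content-level check can undo that disguise: decode any long Base64 run in a server response and look at what the plaintext starts with. The following is an added example written for this article, not code from the original post or from ExtraHop; the archive signatures are the standard leading bytes of ZIP, RAR, 7z and gzip files, and the three HTTP response bodies are constructed in memory so the script runs offline.

```python
import base64
import binascii
import io
import re
import zipfile
from dataclasses import dataclass

# Leading bytes of archive formats commonly used to package collected files.
# A Base64 blob whose plaintext starts with one of these is not "simple text".
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",      # prefix shared by RAR4 and RAR5 signatures
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

# A run of at least 64 Base64 alphabet characters, optionally padded.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


@dataclass(frozen=True)
class Finding:
    url: str
    archive_type: str
    decoded_bytes: int


def find_encoded_archives(url: str, body: bytes):
    """Decode every long Base64 run in one HTTP response body and report the
    runs whose plaintext begins with an archive signature."""
    findings = []
    for match in BASE64_RUN.finditer(body):
        blob = match.group(0)
        blob = blob[: len(blob) - len(blob) % 4]  # drop a trailing partial quantum
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all (e.g. a long hex string)
        for magic, fmt in ARCHIVE_MAGIC.items():
            if raw.startswith(magic):
                findings.append(Finding(url, fmt, len(raw)))
                break
    return findings


def scan_responses(responses):
    """responses: iterable of (url, body) pairs; returns every Finding."""
    out = []
    for url, body in responses:
        out.extend(find_encoded_archives(url, body))
    return out


def _sample_zip() -> bytes:
    # Constructed in memory so the example needs no files on disk.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed sample content, not real data")
    return buf.getvalue()


# Constructed sample responses (not captured traffic): a normal page, a
# legitimate long Base64 token that must NOT be flagged, and a script page
# returning an archive wrapped in <pre> tags the way a web shell would.
SAMPLE_RESPONSES = [
    ("/status", b"<html><body>service status: ok</body></html>"),
    ("/api/session", base64.b64encode(
        b'{"user":"svc_report","role":"reader","issued":"2026-03-30T00:00:00Z"}')),
    ("/img/cache.php", b"<pre>" + base64.b64encode(_sample_zip()) + b"</pre>"),
]

if __name__ == "__main__":
    for f in scan_responses(SAMPLE_RESPONSES):
        print(f"{f.url}: Base64-encoded {f.archive_type} archive, {f.decoded_bytes} bytes")
```

Only the third response is reported. The 64-character minimum and the requirement that the decoded bytes carry an archive signature keep ordinary tokens, cookies and inline images from producing noise; in production the same check would run on response bodies captured from the web tier rather than on the constructed list.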
Threat groups like CL-UNK-1068 are masters of the "gray space." They don't just break in; they blend in, using legitimate administrative tools and encrypted traffic to hide their presence within the daily noise of your operations.
This camouflage alone makes it hard enough for traditional tools to spot a problem, but the challenge deepens when security layers operate in isolation.
Because most tools evaluate events in a vacuum, a single run of Mimikatz or an unusual network scan can easily be dismissed as a routine admin task. The true threat only becomes visible when you connect these dots.
Without a unified view, what is actually a coordinated, multi-stage intrusion remains hidden as a series of unrelated, low-priority alerts. To stop a stealthy actor, defenders must move beyond asking "what ran?" and start correlating the where, when, and why across the entire environment.
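The "connect the dots" argument above can be made concrete. The script below is an added example written for this article (not code from the original post or from ExtraHop's product): it tags events from three telemetry sources with the stages the campaign description names, groups them per host, and only raises a high-confidence verdict when several distinct stages appear inside one sliding time window. The event rows, host names, IP addresses and the keyword-based stage predicates are all constructed for illustration; a real deployment would replace the predicates with tuned detections and feed events from its own log pipeline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str   # telemetry source: "http", "process" or "network"
    detail: str


# Constructed sample telemetry (not real data). web01 shows the staged
# sequence spread over several days; app02 shows one signal on its own.
RAW_EVENTS = [
    ("2026-03-01T09:02:11", "web01", "http", "POST /uploads/cache.aspx 200 from 198.51.100.7"),
    ("2026-03-01T09:05:40", "web01", "process", "w3wp.exe spawned cmd.exe /c whoami"),
    ("2026-03-02T14:12:03", "web01", "process", "python.exe loaded unsigned extension module"),
    ("2026-03-03T22:40:19", "web01", "process", "mimikatz.exe sekurlsa::logonpasswords"),
    ("2026-03-04T01:15:00", "web01", "network", "long-lived outbound tcp to 198.51.100.7:7000"),
    ("2026-03-02T10:00:00", "app02", "network", "long-lived outbound tcp to 203.0.113.9:443"),
    ("2026-03-02T10:30:00", "app02", "process", "backup.exe nightly job"),
]


def parse_events(rows):
    return [Event(datetime.fromisoformat(ts), host, src, det) for ts, host, src, det in rows]


# Each stage is (name, predicate). The predicates are deliberately broad:
# any one of them alone is weak evidence, which is exactly the point.
STAGES = [
    ("initial_access", lambda e: e.source == "http" and e.detail.startswith("POST ")
        and any(ext in e.detail for ext in (".aspx", ".php", ".jsp"))),
    ("web_shell_exec", lambda e: e.source == "process" and "w3wp.exe" in e.detail
        and ("cmd.exe" in e.detail or "powershell" in e.detail.lower())),
    ("persistence", lambda e: e.source == "process" and "python" in e.detail.lower()
        and "unsigned" in e.detail),
    ("credential_theft", lambda e: e.source == "process"
        and any(t in e.detail.lower() for t in ("mimikatz", "lsarecorder", "sekurlsa"))),
    ("c2_tunnel", lambda e: e.source == "network" and "long-lived outbound" in e.detail),
]


def tag_stage(event):
    """Return the first stage whose predicate matches, or None."""
    for name, pred in STAGES:
        if pred(event):
            return name
    return None


def correlate(rows, window=timedelta(days=7), min_stages=3):
    """Group stage-tagged events per host and look for at least min_stages
    distinct stages inside a sliding window. Returns
    {host: (verdict, [(stage, timestamp), ...])} with events in time order."""
    by_host = {}
    for e in parse_events(rows):
        stage = tag_stage(e)
        if stage:
            by_host.setdefault(e.host, []).append((stage, e.ts))
    results = {}
    for host, tagged in by_host.items():
        tagged.sort(key=lambda t: t[1])
        best = []
        for i in range(len(tagged)):   # slide the window start over each event
            chain = [t for t in tagged[i:] if t[1] - tagged[i][1] <= window]
            if len({s for s, _ in chain}) > len({s for s, _ in best}):
                best = chain
        distinct = len({s for s, _ in best})
        verdict = "multi-stage intrusion" if distinct >= min_stages else "isolated signal"
        results[host] = (verdict, best)
    return results


if __name__ == "__main__":
    for host, (verdict, chain) in correlate(RAW_EVENTS).items():
        print(f"{host}: {verdict}")
        for stage, ts in chain:
            print(f"  {ts.isoformat()}  {stage}")
```

Run on the sample, web01 is reported as a multi-stage intrusion with five stages in order, while app02's single long-lived connection stays an isolated signal. The per-host window is what turns five low-priority alerts spread over four days into one narrative; the same events evaluated one at a time would each be plausible admin activity.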
Lessons from the CL-UNK-1068 Campaign

The campaign by CL-UNK-1068 is a masterclass in patience and camouflage. By exploiting the gaps between siloed security tools, these actors have managed to reside within critical infrastructure for years.
However, their strength – blending into routine operations – is also their eventual undoing. When we move away from investigating "point-in-time" alerts and start analyzing the narrative of the attack, the camouflage begins to fail.
Modernizing defenses means moving beyond basic detection; it requires a unified visibility layer that can correlate the subtle breadcrumbs of lateral movement and credential theft into a single, recognizable sequence. To stay ahead of groups like CL-UNK-1068, it’s time to stop looking at the dots and start connecting them.
Critical infrastructure remains a primary target for threat actors. Explore our UNC3886 analysis to learn how to defend against similar tactics.
Key Takeaways
- Chinese Threat Group CL-UNK-1068 has spent the last five years infiltrating critical infrastructure sectors throughout South and Southeast Asia.
- The attackers gain initial entry by exploiting web servers and hiding their presence within normal daily internet traffic.
- Once inside, CL-UNK-1068 uses legitimate administrative tools to move through the network without triggering security alarms.
- The group steals login credentials to gain higher privileges and reach the most sensitive internal systems.
- They disguise stolen data as simple text files to sneak information out past standard monitoring tools.
- Stopping stealthy actors means correlating subtle behavioral signals into one coherent attack narrative.