Suspected nation-state threat actor uses new airstalk malware in a supply chain attack

Intel Name: Suspected nation-state threat actor uses new airstalk malware in a supply chain attack

Date of Scan: October 30, 2025

Impact: High

Summary:
We have identified a new Windows-based malware family, dubbed Airstalk, which exists in both PowerShell and .NET variants. Our assessment, with medium confidence, suggests that a nation-state threat actor may have deployed this malware as part of a probable supply chain attack. To monitor and analyze related activity, we have established the threat activity cluster CL-STA-1009. Airstalk exploits the AirWatch API—now known as Workspace ONE Unified Endpoint Management (UEM)—to create a covert command-and-control (C2) channel. It leverages the API’s features for managing custom device attributes and file uploads to facilitate its communication and persistence mechanisms.
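As an added illustration that is not part of the original report or the vendor's tooling, the following defender-side heuristic scans a constructed, hypothetical stream of UEM API audit events for the pattern described above: custom device attribute writes whose values look like encoded data, and devices that pair such writes with file uploads. The event schema, field names and thresholds are assumptions, not a real Workspace ONE UEM log format.

```python
import base64
import math
import re
from collections import defaultdict

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s):
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(value, min_len=16, entropy_floor=4.0):
    """Heuristic: valid base64 of usable length, or unusually high entropy.
    Ordinary attribute values (asset tags, owner names) fail both tests."""
    v = value.strip()
    if len(v) >= min_len and len(v) % 4 == 0 and B64_RE.match(v):
        try:
            base64.b64decode(v, validate=True)
            return True
        except ValueError:
            pass
    return shannon_entropy(v) >= entropy_floor


def flag_devices(events, max_encoded_sets=1):
    """Return device ids whose attribute/upload activity resembles a covert channel:
    more than max_encoded_sets encoded attribute writes, or an encoded write
    combined with a file upload from the same device."""
    enc_sets, uploads = defaultdict(int), defaultdict(int)
    for ev in events:
        if ev["action"] == "custom_attribute_set" and looks_encoded(ev["value"]):
            enc_sets[ev["device"]] += 1
        elif ev["action"] == "file_upload":
            uploads[ev["device"]] += 1
    return sorted(d for d in set(enc_sets) | set(uploads)
                  if enc_sets[d] > max_encoded_sets or (enc_sets[d] and uploads[d]))


def _b64(text):  # helper to build constructed encoded sample values
    return base64.b64encode(text.encode()).decode()


# Constructed sample events (hypothetical schema); DEV-002 mimics the abuse pattern.
SAMPLE_EVENTS = [
    {"device": "DEV-001", "action": "custom_attribute_set", "name": "AssetTag", "value": "FIN-LAPTOP-0042"},
    {"device": "DEV-002", "action": "custom_attribute_set", "name": "SyncState", "value": _b64("beacon id=4711 task=dir")},
    {"device": "DEV-002", "action": "custom_attribute_set", "name": "SyncState", "value": _b64("result: 3 files, 12288 bytes")},
    {"device": "DEV-002", "action": "file_upload", "name": "report.bin", "value": "12288"},
    {"device": "DEV-003", "action": "custom_attribute_set", "name": "Owner", "value": "jdoe"},
    {"device": "DEV-004", "action": "file_upload", "name": "logs.zip", "value": "4096"},
]
```

Running `flag_devices(SAMPLE_EVENTS)` returns `["DEV-002"]`; a legitimate asset tag, a plain owner name and a lone file upload are left alone.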

More Details