
Parrot CTFs Blog Offensive Security Topics & Cyber Security News

Airstalk Malware Exploits AirWatch API in a Sophisticated Supply‑Chain Attack

TLDR

Airstalk is a new, nation‑state‑backed malware that abuses the AirWatch MDM API to create covert command‑and‑control channels.

It has PowerShell and .NET variants, steals browser data, and is aimed at business‑process‑outsourcing environments.

What happened

Security researchers at Palo Alto Networks discovered a malware family they named Airstalk. The code appears to be the work of a nation‑state group. The attackers used a supply‑chain technique to insert the payload into legitimate software updates. The entry point is the AirWatch API, which many enterprises use for mobile device management (MDM).

Airstalk comes in two flavors. The first is a PowerShell script that runs in memory. The second is a compiled .NET binary. The .NET version is more feature‑rich. It can target Microsoft Edge and the Island browser. It can also manipulate browser cookies and session tokens.

Both variants share a core communication engine. The engine is multi‑threaded. It opens several parallel sockets to a remote server. The traffic is encrypted and disguised as normal HTTPS. This makes detection difficult. The engine can receive commands, execute them, and return results.

Typical commands include screenshot capture, file enumeration, and data exfiltration. The malware can also launch additional payloads. It can download and execute PowerShell scripts on the fly. It can also load .NET assemblies from the C2 server.

The distribution method is still unknown. Researchers have not seen a phishing email or a malicious download link. The supply‑chain compromise suggests the attackers compromised a trusted vendor that provides AirWatch integrations. The exact victims have not been disclosed.

Analysis of the code shows careful engineering. The developers avoided obvious strings. They used custom encryption for configuration data. They also employed anti‑debugging tricks. The malware checks for sandbox environments and aborts if it detects one.

Why it matters

Airstalk targets a critical piece of enterprise infrastructure. AirWatch is widely deployed for managing smartphones, tablets, and laptops. Compromise of the MDM API gives attackers a foothold on many devices at once. This amplifies the impact of a single breach.

The malware creates a stealthy C2 channel. The traffic blends with legitimate MDM communication. Traditional network sensors may miss it. This gives the attackers long‑term persistence.

Data theft is a primary goal. By harvesting browser cookies, the malware can hijack user sessions. It can also steal credentials stored in browsers. This opens the door to further lateral movement inside the victim network.

The focus on business‑process‑outsourcing (BPO) firms is significant. BPOs handle sensitive data for multiple clients. A breach in a BPO can cascade to many downstream organizations. The attackers can therefore affect a large supply chain.

The use of both PowerShell and .NET shows adaptability. PowerShell is native to Windows and often trusted. .NET binaries can run on a broader set of platforms. This dual approach increases the chances of successful infection.

Finally, the supply‑chain vector raises broader concerns about how organizations trust software updates. Many apply third‑party updates without verifying them. Airstalk demonstrates how a trusted update can become a delivery mechanism for espionage tools.

Who is affected

  • Enterprises that use AirWatch or VMware Workspace ONE for mobile device management.
  • Companies that rely on Microsoft Edge or Island browsers on managed devices.
  • Business‑process‑outsourcing providers that manage client data across multiple industries.
  • Any organization that integrates third‑party plugins or extensions into AirWatch.
  • Security teams that have not segmented MDM traffic from other network flows.

Even organizations that do not use AirWatch directly may be at risk if they share a supply chain with a compromised vendor. The malware can spread laterally once inside a network. Therefore, the impact can extend beyond the immediate AirWatch user base.

How to check exposure

Start with an inventory of all AirWatch instances. Identify every server, appliance, and cloud tenant that hosts the MDM service. Verify the version and patch level.

Review the update logs for AirWatch components. Look for any unsigned or unexpected binaries that were installed around the time of the reported attack.

Search endpoint logs for the presence of the Airstalk PowerShell script. Use a hash‑based indicator such as the known SHA‑256 values published by Palo Alto Networks. Also search for the .NET binary name patterns that were observed.

Inspect network traffic that originates from AirWatch servers. Look for outbound HTTPS connections to unknown IP ranges or domains. Correlate these with the C2 indicators shared by the researchers.

Check browser data on managed devices. Look for abnormal cookie modifications or the creation of new browser profiles that were not provisioned by IT.

Use endpoint detection and response (EDR) tools to hunt for the multi‑threaded communication pattern. The malware opens several concurrent sockets to the same remote host. This pattern can be flagged as suspicious.

Finally, audit third‑party integrations with AirWatch. Verify the authenticity of any plugins, SDKs, or extensions. Ensure they are signed and sourced from trusted repositories.
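The two network checks above (outbound connections to destinations you do not recognise, and several concurrent sockets from one process to the same remote host) can be hunted together from endpoint connection telemetry. The following is an added example written for this post, not code from Palo Alto Networks or any EDR vendor. It runs over a constructed sample of connection events; the process names, hosts, IP addresses and the allowlist of expected destinations are all illustrative, and the field layout is an assumption about how you would export such events from your own EDR.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint network-connection events (not real telemetry).
# One connection per line: timestamp, process image, pid, destination host, port.
SAMPLE_EVENTS = """\
2025-11-04T09:00:01Z powershell.exe 4120 mdm-tenant.example.test 443
2025-11-04T09:00:01Z powershell.exe 4120 203.0.113.25 443
2025-11-04T09:00:02Z powershell.exe 4120 203.0.113.25 443
2025-11-04T09:00:02Z powershell.exe 4120 203.0.113.25 443
2025-11-04T09:00:03Z powershell.exe 4120 203.0.113.25 443
2025-11-04T09:00:03Z powershell.exe 4120 203.0.113.25 443
2025-11-04T09:00:10Z msedge.exe 5210 www.example.test 443
2025-11-04T09:00:11Z msedge.exe 5210 www.example.test 443
2025-11-04T09:00:12Z msedge.exe 5210 www.example.test 443
2025-11-04T09:00:13Z msedge.exe 5210 www.example.test 443
2025-11-04T09:00:14Z msedge.exe 5210 www.example.test 443
2025-11-04T09:00:14Z msedge.exe 5210 www.example.test 443
2025-11-04T09:05:00Z AgentSvc.exe 900 mdm-tenant.example.test 443
2025-11-04T09:05:00Z AgentSvc.exe 900 mdm-tenant.example.test 443
2025-11-04T09:05:00Z AgentSvc.exe 900 mdm-tenant.example.test 443
2025-11-04T09:05:00Z AgentSvc.exe 900 mdm-tenant.example.test 443
2025-11-04T09:07:00Z svchost.exe 1300 198.51.100.9 443
2025-11-04T09:07:30Z svchost.exe 1300 198.51.100.9 443
"""

# Placeholder allowlist of destinations that managed endpoints are expected to
# reach (the MDM tenant, corporate web). Populate it from your own inventory;
# these names are illustrative only.
KNOWN_DESTINATIONS = {"mdm-tenant.example.test", "www.example.test"}


def parse_events(text):
    """Parse the whitespace-separated event lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, pid, dst, port = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       image, int(pid), dst, int(port)))
    return events


def max_concurrent(timestamps, window):
    """Largest number of connections that fall inside any `window`-long span."""
    stamps = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(stamps):
        while t - stamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_parallel_c2_candidates(events, allowlist, threshold=4,
                                window=timedelta(seconds=5)):
    """Flag (process, pid, destination) tuples that opened `threshold` or more
    connections to the same unknown host within `window`.

    Browsers and the MDM agent legitimately open parallel connections, so a
    burst alone is not enough: the destination must also be off the allowlist.
    """
    by_key = defaultdict(list)
    for ts, image, pid, dst, port in events:
        by_key[(image, pid, dst, port)].append(ts)

    findings = []
    for (image, pid, dst, port), stamps in by_key.items():
        burst = max_concurrent(stamps, window)
        if burst < threshold or dst in allowlist:
            continue
        findings.append({"image": image, "pid": pid, "dst": dst,
                         "port": port, "burst": burst})
    return findings


if __name__ == "__main__":
    for f in find_parallel_c2_candidates(parse_events(SAMPLE_EVENTS),
                                         KNOWN_DESTINATIONS):
        print(f"{f['image']} (pid {f['pid']}) opened {f['burst']} connections "
              f"to {f['dst']}:{f['port']} within 5s")
```

In the sample only the PowerShell process is reported: its five connections to 203.0.113.25 land within two seconds and the address is not on the allowlist. Edge and the agent service also burst, but to expected destinations, and the two `svchost.exe` connections are too far apart to count as parallel. Tune `threshold` and `window` against a week of your own telemetry before alerting on the output, and keep the allowlist narrow so that a compromised MDM tenant does not hide behind it.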

Fast mitigation

  1. Patch AirWatch immediately. Apply the latest security updates from VMware. If a patch is not yet available, disable any non‑essential API endpoints.
  2. Revoke and rotate all AirWatch service accounts. Generate new credentials and enforce strong passwords or certificate‑based authentication.
  3. Block known C2 domains and IP addresses. Add them to firewall deny lists. Use DNS filtering to prevent resolution of malicious hostnames.
  4. Scan for the malware. Deploy an updated antivirus or EDR signature that includes the Airstalk hashes. Run a full system scan on all managed devices.
  5. Isolate compromised hosts. If a device shows signs of infection, remove it from the network. Perform a forensic analysis before reconnecting.
  6. Reset browser data. Clear cookies, cache, and saved passwords on all managed browsers. Force a re‑login for all users.
  7. Enable network segmentation. Separate MDM traffic from general user traffic. Use VLANs or micro‑segmentation to limit lateral movement.
  8. Monitor for anomalous behavior. Set up alerts for unusual API calls, multiple concurrent outbound connections, or unexpected PowerShell execution.
  9. Update incident response playbooks. Include Airstalk indicators and the AirWatch supply‑chain scenario. Conduct tabletop exercises.
  10. Engage the vendor. Notify VMware of the compromise. Request any additional hardening guidance they provide.
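Step 8 asks for alerts on unusual API calls. One practical way to define "unusual" for an MDM service account is to baseline where it normally calls from and how fast, then alert when either changes. The following is an added example written for this post, not an AirWatch or Workspace ONE feature. The access-log layout (timestamp, account, source IP, method, path, status), the account names, the IP addresses and the API paths are all constructed placeholders; map them to the fields your own API gateway or tenant audit log actually exports.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline period: normal behaviour for two service accounts.
# Fields: timestamp, account, source IP, method, path, HTTP status.
BASELINE_LOG = """\
2025-11-03T08:00:00Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-03T08:00:30Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-03T08:01:00Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-03T08:02:00Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-03T08:05:00Z svc-reporting 10.10.5.21 GET /api/reports 200
"""

# Constructed observation period: the sync account starts issuing device
# commands from an address never seen in the baseline, and its call rate jumps.
OBSERVED_LOG = """\
2025-11-04T09:00:00Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-04T09:00:05Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-04T09:00:10Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-04T09:00:15Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-04T09:00:20Z svc-mdm-sync 198.51.100.7 POST /api/devices/commands 200
2025-11-04T09:00:21Z svc-mdm-sync 198.51.100.7 POST /api/devices/commands 200
2025-11-04T09:00:22Z svc-mdm-sync 198.51.100.7 POST /api/devices/commands 200
2025-11-04T09:00:23Z svc-mdm-sync 198.51.100.7 POST /api/devices/commands 200
2025-11-04T09:10:00Z svc-mdm-sync 10.10.5.20 GET /api/devices/search 200
2025-11-04T09:10:00Z svc-reporting 10.10.5.21 GET /api/reports 200
"""


def parse_api_log(text):
    """Turn the constructed log lines into dicts with a parsed timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, method, path, status = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "account": account, "source": source,
                     "method": method, "path": path, "status": int(status)})
    return rows


def minute_key(ts):
    return ts.strftime("%Y-%m-%dT%H:%M")


def build_baseline(rows):
    """Per account: the set of source IPs seen and the busiest minute."""
    sources = defaultdict(set)
    per_minute = defaultdict(lambda: defaultdict(int))
    for r in rows:
        sources[r["account"]].add(r["source"])
        per_minute[r["account"]][minute_key(r["ts"])] += 1
    return {acct: {"sources": sources[acct],
                   "max_per_minute": max(per_minute[acct].values())}
            for acct in sources}


def detect_anomalies(baseline, rows, rate_factor=3):
    """Alert on accounts absent from the baseline, on new source IPs, and on
    any minute whose call count exceeds rate_factor x the baseline peak."""
    alerts, seen = [], set()
    per_minute = defaultdict(int)
    for r in rows:
        acct, profile = r["account"], baseline.get(r["account"])
        if profile is None:
            if ("unknown-account", acct) not in seen:
                seen.add(("unknown-account", acct))
                alerts.append({"kind": "unknown-account", "account": acct})
            continue
        if r["source"] not in profile["sources"]:
            if ("new-source", acct, r["source"]) not in seen:
                seen.add(("new-source", acct, r["source"]))
                alerts.append({"kind": "new-source", "account": acct,
                               "source": r["source"]})
        per_minute[(acct, minute_key(r["ts"]))] += 1

    for (acct, minute), count in sorted(per_minute.items()):
        limit = baseline[acct]["max_per_minute"] * rate_factor
        if count > limit:
            alerts.append({"kind": "rate", "account": acct,
                           "minute": minute, "count": count, "limit": limit})
    return alerts


if __name__ == "__main__":
    profile = build_baseline(parse_api_log(BASELINE_LOG))
    for a in detect_anomalies(profile, parse_api_log(OBSERVED_LOG)):
        print(a)
```

Run against the constructed data this yields two alerts for `svc-mdm-sync`: a new source (198.51.100.7) and a rate alert for the 09:00 minute, where eight calls exceed three times the baseline peak of two. The reporting account stays quiet because nothing about it changed. A new source address for a service account is the stronger signal here, since service accounts should call from a fixed set of integration hosts; pair this detector with step 2 (rotating the account credentials) so that a tripped alert also invalidates whatever token was being abused.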

These steps reduce the attack surface quickly. They also buy time for a deeper investigation. Organizations should treat Airstalk as a high‑severity threat and act accordingly.

Kaz

not a hacker.
