An Investigation Into Years of Undetected Operations Targeting High-Value Sectors
ID: 39d998e2-29d2-572c-b27a-c4fd2b0be6d1
STIX ID: report--39d998e2-29d2-572c-b27a-c4fd2b0be6d1
Feed Name: Palo Alto Networks Unit 42
Unit 42 has tracked CL-UNK-1068, a Chinese-language threat cluster, since at least 2020. The cluster targets critical sectors across South, Southeast and East Asia. The report details its multi-platform espionage toolkit: web shells such as GodZilla and AntSword, DLL side-loading via Python binaries, the custom ScanPortPlus scanner, custom FRP tunneling with unique tokens and passwords, and the Xnote backdoor. It also covers the cluster's credential-theft and exfiltration methods and its exploitation of PwnKit (CVE-2021-4034) and CVE-2023-34048, and it provides comprehensive IOCs (hashes, IPs) together with defensive recommendations.
