The Telecom Threat: Liminal Panda’s Covert Campaign Targets Southeast Asian Critical Infrastructure
Researchers at Palo Alto Networks’ Unit 42 have documented a cyber-espionage campaign against telecommunications providers in Southeast Asia. The activity is tracked as CL-STA-0969, a cluster that Unit 42 links to the Chinese espionage group known as Liminal Panda. Between February and November 2024 the group carried out a series of targeted intrusions into critical communications infrastructure, with a clear emphasis on keeping long-term access while staying below the threshold of conventional detection.
CL-STA-0969 showed a high degree of operational stealth. At every phase of the intrusion the operators cleaned up after themselves: event logs were wiped, binaries that were no longer needed were deleted, SELinux was disabled, and implant processes were renamed to look like legitimate services. Command-and-control traffic was hidden inside DNS tunneling and relayed through other compromised mobile operators, masking its true origin.
Initial access was typically gained by brute-forcing SSH. Once a host was compromised, the attackers deployed a chain of custom malware. The first component was AuthDoor, a malicious PAM (Pluggable Authentication Module) with a hardcoded password, which accepts a secret known only to the attackers regardless of the real credentials; its design mirrors tools previously linked to UNC1945. This was followed by Cordscan, a network scanner with packet-capture capabilities previously attributed to Liminal Panda, and GTPDOOR, a Linux backdoor that carries its command channel inside GTP-C (the control plane of the GPRS Tunnelling Protocol) so that it blends into the traffic expected on hosts adjacent to the roaming exchange.
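One way to hunt for this kind of PAM backdoor on a Linux host, as an added example that is not Unit 42’s code and is not derived from the AuthDoor sample: the audit below parses /etc/pam.d-style stack files and flags modules loaded from unusual paths, modules missing from a baseline allowlist, and a `sufficient` auth entry placed ahead of pam_unix.so, the position from which a module that accepts a fixed password can short-circuit the real credential check. The two stack files, the baseline set, and the /tmp path are constructed for illustration; the allowlist should be generated from the package manager on a real host.

```python
import re
from typing import Dict, List

# Entry format: type control module-path [args]; control may be a bracketed action list.
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

# Directories the distro's PAM modules normally live in.
SECURITY_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                 "/usr/lib64/security/", "/usr/lib/x86_64-linux-gnu/security/")

# Assumption: the modules expected on this host. Generate it from the package
# manager (rpm -ql pam / dpkg -L libpam-modules) rather than hand-maintaining it.
KNOWN_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so", "pam_sss.so",
    "pam_faildelay.so", "pam_nologin.so", "pam_limits.so", "pam_systemd.so",
    "pam_loginuid.so", "pam_keyinit.so", "pam_motd.so", "pam_selinux.so",
    "pam_faillock.so", "pam_succeed_if.so", "pam_sepermit.so",
}


def audit_pam_file(name: str, text: str) -> List[str]:
    """Return one finding per suspicious entry in a single /etc/pam.d file."""
    findings: List[str] = []
    unix_seen_in_auth = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # blank, comment, or Debian-style include of another file
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"{name}:{lineno}: unparseable entry {raw.strip()!r}")
            continue
        ptype, control, module, _args = m.groups()
        ptype = ptype.lstrip("-")  # a leading '-' only silences missing-module logging
        if control in ("include", "substack"):
            continue  # third field names another stack file, not a shared object
        base = module.rsplit("/", 1)[-1]
        if module.startswith("/") and not module.startswith(SECURITY_DIRS):
            findings.append(f"{name}:{lineno}: module loaded from outside the security dirs: {module}")
        if base not in KNOWN_MODULES:
            findings.append(f"{name}:{lineno}: module not in baseline: {base}")
        if ptype == "auth":
            if base == "pam_unix.so":
                unix_seen_in_auth = True
            elif control == "sufficient" and not unix_seen_in_auth:
                findings.append(f"{name}:{lineno}: 'sufficient' auth entry {base} precedes "
                                "pam_unix.so and can grant a login on its own")
    return findings


def audit_pam_dir(files: Dict[str, str]) -> List[str]:
    """Audit a mapping of file name -> contents (e.g. read from /etc/pam.d)."""
    return [f for name, text in sorted(files.items()) for f in audit_pam_file(name, text)]


# Constructed samples: a clean RHEL-style sshd stack and a backdoored password-auth stack.
SAMPLE_FILES = {
    "sshd": """\
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
-session   optional     pam_keyinit.so force revoke
session    include      password-auth
""",
    "password-auth": """\
auth       required     pam_env.so
auth       sufficient   /tmp/.x/pam_auth.so      # hypothetical hardcoded-password module
auth       sufficient   pam_unix.so nullok
auth       required     pam_deny.so
account    required     pam_unix.so
password   sufficient   pam_unix.so sha512 shadow nullok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
""",
}

if __name__ == "__main__":
    for finding in audit_pam_dir(SAMPLE_FILES):
        print(finding)
```

This catches an extra module wired into the stack. A trojanised copy of a legitimate module keeps its name and path and is only found by an integrity check of the installed files (rpm -V or dpkg -V against the package manifest, or a hash comparison with a known-good image), so run both.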
EchoBackdoor stands out. It is a passive implant that never opens a listening port: it waits for ICMP echo requests carrying a command, executes it, and returns the output in cleartext ICMP echo replies, traffic that port- and flow-based monitoring commonly ignores. To push traffic deeper into the operator’s core, the group also deployed sgsnemu, the SGSN emulator from the open-source OsmoGGSN (formerly OpenGGSN) project, which sets up GTP tunnels to a GGSN and so carries attacker traffic through firewall rules that already permit GTP between core nodes.
The arsenal also includes ChronosRAT, a modular spyware platform with keylogging, screenshot capture, remote shell, file exfiltration and proxying capabilities, and NoDepDNS (also tracked as MyDns), a Go implant that uses raw sockets to sniff port 53 traffic for commands embedded in DNS, again without binding a port of its own.
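The two passive channels above, an ICMP echo implant and command delivery inside DNS on port 53, call for the same defensive move: inspect payloads that port-based controls wave through. The following is an added example, not Unit 42’s code and not derived from the EchoBackdoor or NoDepDNS samples. It parses raw IPv4 packets and flags echo requests or replies whose payload is not a stock ping pattern, and DNS queries whose attacker-controlled prefix is long or high-entropy, the shape DNS tunnelling takes. The packets, addresses, domain names, ping baselines and thresholds are all constructed or assumed for illustration and should be re-baselined against real traffic.

```python
import math
import socket
import struct
from typing import List, Tuple

# Baseline echo payloads (assumptions: what iputils and Windows ping send by default).
LINUX_PING_PATTERN = bytes(range(0x08, 0x38))   # follows an 8-byte timestamp, 56 bytes total
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
MAX_PREFIX_LEN = 30        # assumption: longer query prefixes are rare in normal traffic
MAX_PREFIX_ENTROPY = 3.5   # assumption, bits/char: hex- or base32-encoded data scores higher


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# --- construction helpers, used only to build the embedded sample traffic -----
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp_echo(icmp_type: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1A2B, 1)   # type, code, csum, id, seq
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[4:] + payload


def build_dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns  # UDP checksum 0 = absent


# --- parsing and heuristics -----------------------------------------------------
def parse_ipv4(pkt: bytes) -> Tuple[int, str, str, bytes]:
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]


def dns_qname(dns: bytes) -> List[str]:
    """Labels of the first question; stops at the root label or a compression pointer."""
    labels, i = [], 12
    while i < len(dns) and 0 < dns[i] < 0xC0:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    return labels


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_like_ping(payload: bytes) -> bool:
    return payload == WINDOWS_PING_PAYLOAD or (
        len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN)


def inspect(pkt: bytes) -> List[str]:
    """Findings for one IPv4 packet; an empty list means nothing suspicious."""
    proto, src, dst, l4 = parse_ipv4(pkt)
    findings: List[str] = []
    if proto == 1 and l4[0] in (0, 8):                  # ICMP echo reply / request
        payload = l4[8:]
        if not looks_like_ping(payload):
            findings.append(f"ICMP {src}->{dst} type={l4[0]}: non-standard echo payload {payload[:24]!r}")
    elif proto == 17:                                    # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        if 53 in (sport, dport):
            labels = dns_qname(l4[8:])
            prefix = ".".join(labels[:-2])   # everything left of the registrable domain
            if len(prefix) > MAX_PREFIX_LEN or shannon_entropy(prefix) > MAX_PREFIX_ENTROPY:
                findings.append(f"DNS {src}->{dst}: tunnelling-like query {'.'.join(labels)}")
    return findings


def scan(packets: List[bytes]) -> List[str]:
    return [f for p in packets for f in inspect(p)]


# Constructed sample traffic (not a real capture); private and documentation address ranges.
SAMPLE_PACKETS = [
    build_ipv4(1, "10.0.0.5", "10.0.0.1", build_icmp_echo(8, b"\x00" * 8 + LINUX_PING_PATTERN)),
    build_ipv4(1, "203.0.113.7", "10.0.0.1", build_icmp_echo(8, b"id;uname -a")),                  # tasking
    build_ipv4(1, "10.0.0.1", "203.0.113.7", build_icmp_echo(0, b"uid=0(root) gid=0(root)\n")),   # result
    build_ipv4(17, "10.0.0.5", "10.0.0.53", build_dns_query("www.example.com")),
    build_ipv4(17, "10.0.0.5", "10.0.0.53",
               build_dns_query("6a8f3c1e9b2d4f7a0c5e8b1d3f6a9c2e.c2.example.net")),               # hex chunk
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PACKETS):
        print(finding)
```

Run as a script it prints three findings for the five sample packets: the tasking request, the cleartext reply carrying command output, and the hex-prefixed query. In production the same `inspect` function would be fed IPv4 frames from a mirror port or a pcap, and the ping baselines and DNS thresholds should be tuned on a week of known-good traffic before alerting on them.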
Beyond custom tooling, the attackers used publicly available utilities, including Microsocks, Fast Reverse Proxy (FRP), ProxyChains, FScan and Responder, together with exploits for three well-known Linux privilege-escalation flaws: CVE-2016-5195 (Dirty COW, a kernel copy-on-write race), CVE-2021-4034 (PwnKit, in polkit’s pkexec) and CVE-2021-3156 (Baron Samedit, a heap overflow in sudo). These gave the operators root on compromised hosts and helped them establish persistence.
Despite the breadth of the toolkit, Unit 42 stresses that it observed no evidence of data exfiltration, and no sign that the attackers tried to track or communicate with devices on the operators’ internal networks.
Judging by the tools and techniques observed, CL-STA-0969 sits at the intersection of several known clusters. Besides Liminal Panda, its operations overlap with LightBasin (UNC1945), active since at least 2016 and known for targeting telecom networks, and with UNC2891, a group focused on banking systems and ATM infrastructure in particular.
Palo Alto stresses that the campaign reflects a sophisticated understanding of telecommunications protocols and mobile network architecture. That knowledge lets the actors blend into operator environments, tunnelling over telecom-specific protocols such as GTP and proxying through nodes the operator already trusts, which makes detection extraordinarily difficult.