🇨🇳 CN1 malware familyExploits CVEs in the wild

CL-STA-0046

Also known asCL-STA-0046

CL-STA-0046 is a threat actor tracked under the alias CL-STA-0046. Based on the provided content, it has been associated with use of the open-source tunneling tool EarthWorm. Palo Alto Networks / Unit 42 noted that EarthWorm has reportedly been used by the actor behind CL-STA-0046, and also described EarthWorm as previously associated with several China-linked threat actors including APT41, CL-STA-0046, and Volt Typhoon. EarthWorm is an open-source SOCKS5 proxy and port-forwarding utility that supports Windows, Linux, macOS, and ARM/MIPS platforms and can enable covert communications and lateral movement. No additional high-confidence details about CL-STA-0046’s targets, sub-groups, or broader operations are directly provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0011

Command and Control

1 technique

T1090×2

Proxy

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

EarthwormAfter exploiting the flaw, attackers deployed tunneling tools such as EarthWorm and ReverseSocks5, used stolen credentials to probe Active Directory, and deleted logs and other evidence to hide the intrusion.2May 7, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2026-0300Unauthenticated RCE in Palo Alto PAN-OS User-ID Authentication Portal (Captive Portal)In the wildEvidence1

Palo Alto Networks believes the in-the-wild exploitation of a zero-day vulnerability (CVE-2026-0300) in its firewalls is likely the work of state-sponsored threat actors. CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software, and can be exploited by unauthenticated attackers sending specially crafted packets to internet-facing User-ID Authentication Portals.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

security affairsNews

May 7, 2026

Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks

Referenced as a China-linked activity cluster previously associated with use of the EarthWorm tunneling tool in past attacks.

help net securityNews

May 7, 2026

State-sponsored hackers likely behind zero-day attacks on Palo Alto firewalls - Help Net Security

Referenced as a threat actor previously associated with use of the EarthWorm network tunneling tool.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.