
CL-STA-1132
State-sponsored threat cluster exploiting PAN-OS zero-day since April 2026.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Which government is behind CL-STA-1132 and how many networks are compromised?
Timeline for CL-STA-1132
Mentioned in: Splunk lands its first-ever KEV entry
Cybersecurity: Threats and DefencesExploited CVE-2026-0300 since 16 April, injecting shellcode and destroying forensic logs
Cybersecurity: Threats and Defences: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmedWho is behind CL-STA-1132?
How long was CL-STA-1132 inside PAN-OS networks before detection?
What tools does CL-STA-1132 use after gaining access?
Background
CL-STA-1132 is a state-sponsored intrusion cluster named by Palo Alto Networks' Unit 42 for its active exploitation of CVE-2026-0300, an unauthenticated RCE flaw in PAN-OS captive portal. Unit 42 confirmed exploitation running since 16 April 2026, with tradecraft including shellcode injected into nginx worker processes, Active Directory enumeration via the firewall's own service account, and methodical destruction of crash logs, kernel messages, and ptrace evidence.
The cluster employs open-source lateral-movement tools EarthWorm and ReverseSocks5 to mask command-and-control traffic. Log destruction is the most operationally significant behaviour: by wiping crash logs and ptrace artefacts, the cluster forces incident responders to rely on memory forensics and network telemetry rather than standard host-based evidence. Attribution of the cluster to a specific nation-state has not been publicly confirmed; the designation "state-sponsored" reflects the sophistication and target selection.
CL-STA-1132 represents the escalating pattern of state actors weaponising perimeter-device vulnerabilities before patches are available. Its activity predated the CISA KEV listing by three weeks, meaning defenders relying on KEV timelines alone had no effective warning. The cluster is currently active and its full victim scope is not publicly known.