CL-STA-1132

State-sponsored threat cluster exploiting PAN-OS zero-day since April 2026.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Which government is behind CL-STA-1132 and how many networks are compromised?

Timeline for CL-STA-1132

16 Apr

Exploited CVE-2026-0300 since 16 April, injecting shellcode and destroying forensic logs

Common Questions
Who is behind CL-STA-1132?
Unit 42 designates CL-STA-1132 as state-sponsored but has not publicly attributed the cluster to a specific nation-state. The tradecraft is consistent with an advanced persistent threat actor pursuing intelligence collection. Source: Unit 42 / Palo Alto Networks
How long was CL-STA-1132 inside PAN-OS networks before detection?
Unit 42 confirmed exploitation running from 16 April 2026, the earliest date it could establish. CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalogue on 6 May, roughly three weeks later, so the cluster had at least that long before the federal remediation deadline forced patching; organisations that gate patching on KEV were exposed for the whole interval. Source: Unit 42
What tools does CL-STA-1132 use after gaining access?
CL-STA-1132 injects shellcode into the firewall's nginx worker processes, enumerates Active Directory using the firewall's own service account, tunnels lateral movement through the open-source proxy tools EarthWorm and ReverseSocks5, and destroys crash logs, kernel messages, and ptrace evidence on the device. Source: Unit 42
Why does CL-STA-1132 destroy logs?
Log destruction forces incident responders to use memory forensics and network telemetry instead of standard host-based evidence, significantly slowing attribution and scope determination.Source: Unit 42
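Because the cluster wipes logs on the appliance itself, the copy that survives is whatever was forwarded off-box before the wipe. A simple check a SOC can run over that forwarded stream is silence detection: a firewall that normally emits messages every few minutes and then goes quiet is either cut off from the collector or has had its logging tampered with. The following is an added example, not code from Unit 42 or Palo Alto Networks; the log line format (ISO timestamp, hostname, message) and the sample lines are constructed for illustration, and the 10-minute threshold is an assumption to be tuned per source.

```python
"""Flag silence gaps per source in forwarded syslog (added example, constructed data)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed forwarded-log shape: "<ISO-8601 UTC timestamp> <hostname> <message>".
# Real PAN-OS syslog exports use a different, field-rich layout; adapt the regex.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

Gap = Tuple[str, datetime, datetime, int]  # host, last seen, next seen, seconds silent


def find_gaps(lines: List[str], max_silence: timedelta = timedelta(minutes=10)) -> List[Gap]:
    """Return one Gap per source whose inter-message interval exceeded max_silence.

    Out-of-order lines (timestamp older than the last seen for that host) are tolerated:
    they never advance the high-water mark, so a late-arriving message cannot mask a gap.
    """
    last_seen: Dict[str, datetime] = {}
    gaps: List[Gap] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        host = m["host"]
        prev = last_seen.get(host)
        if prev is not None and ts - prev > max_silence:
            gaps.append((host, prev, ts, int((ts - prev).total_seconds())))
        if prev is None or ts > prev:
            last_seen[host] = ts
    return gaps


# Constructed sample: fw-edge-01 goes silent for 35 minutes, fw-edge-02 is healthy.
SAMPLE_LINES = [
    "2026-04-16T09:00:00Z fw-edge-01 mgmt-plane: heartbeat",
    "2026-04-16T09:00:00Z fw-edge-02 mgmt-plane: heartbeat",
    "2026-04-16T09:05:00Z fw-edge-01 mgmt-plane: heartbeat",
    "2026-04-16T09:05:00Z fw-edge-02 mgmt-plane: heartbeat",
    "2026-04-16T09:10:00Z fw-edge-02 mgmt-plane: heartbeat",
    "2026-04-16T09:04:30Z fw-edge-01 mgmt-plane: late delivery",  # out of order, ignored
    "2026-04-16T09:40:00Z fw-edge-01 mgmt-plane: heartbeat",
    "2026-04-16T09:40:00Z fw-edge-02 mgmt-plane: heartbeat",
    "not a log line",
]


def main() -> None:
    for host, start, end, seconds in find_gaps(SAMPLE_LINES):
        print(f"{host}: no messages between {start:%H:%M} and {end:%H:%M} ({seconds}s)")


if __name__ == "__main__":
    main()
```

A silence alert does not by itself prove tampering, but for a perimeter device it is cheap, and it fires regardless of what the attacker did to on-box evidence. fw-edge-02 reports a gap of 30 minutes between 09:10 and 09:40 under the default threshold, which is why the threshold should match each source's real message cadence.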

Background

CL-STA-1132 is a state-sponsored intrusion cluster named by Palo Alto Networks' Unit 42 for its active exploitation of CVE-2026-0300, an unauthenticated remote code execution flaw in the PAN-OS captive portal. Unit 42 confirmed exploitation running since 16 April 2026. Observed tradecraft includes shellcode injected into the firewall's nginx worker processes, Active Directory enumeration using the firewall's own service account, and methodical destruction of crash logs, kernel messages, and ptrace evidence on the compromised device.

The cluster uses the open-source proxy tools EarthWorm and ReverseSocks5 to tunnel lateral movement and command-and-control traffic through the compromised firewall. Log destruction is the most operationally significant behaviour: by wiping crash logs, kernel messages and ptrace artefacts, the cluster forces incident responders to rely on memory forensics and network telemetry rather than standard host-based evidence. Attribution to a specific nation-state has not been publicly confirmed; the "state-sponsored" designation reflects the sophistication of the tradecraft and the target selection.
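With on-box logs gone, the tunnelling tools become the best remaining detection surface. EarthWorm and ReverseSocks5 both speak SOCKS5 (RFC 1928); in the reverse configuration the compromised firewall opens the outbound TCP connection and the attacker, on the far end, then acts as the SOCKS client, so the handshake runs against the direction of the TCP connection. A detector that checks both directions of a flow catches either layout. The code below is an added example written for this page, not tooling from Unit 42; it assumes the SOCKS5 negotiation is visible in cleartext on the wire (if the tunnel wraps it in an encrypted or custom transport, this parser sees nothing), and the sample flows are constructed.

```python
"""Detect SOCKS5 handshakes in reassembled TCP payloads, in either direction (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass
class Socks5Request:
    cmd: str
    dst_host: str
    dst_port: int


@dataclass
class Finding:
    socks_client_side: str          # "initiator" or "responder" of the TCP connection
    request: Optional[Socks5Request]  # None if only the greeting/method-select was seen


def parse_greeting(data: bytes) -> Optional[int]:
    """Return the length of a SOCKS5 client greeting (VER NMETHODS METHODS...) or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return 2 + nmethods


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Parse a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd = CMD_NAMES.get(data[1])
    if cmd is None:
        return None
    atyp = data[3]
    if atyp == 0x01:                              # IPv4
        if len(data) < 10:
            return None
        host, port_off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 0x03:                            # domain name, length-prefixed
        if len(data) < 5 or len(data) < 5 + data[4] + 2:
            return None
        host, port_off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == 0x04:                            # IPv6
        if len(data) < 22:
            return None
        host, port_off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        return None
    port = struct.unpack("!H", data[port_off:port_off + 2])[0]
    return Socks5Request(cmd, host, port)


def detect_socks5(initiator: bytes, responder: bytes) -> Optional[Finding]:
    """Try both pairings of the flow as (SOCKS client bytes, SOCKS server bytes).

    The method the server selects must be one the client offered (or 0xFF, no acceptable
    method); that cross-check is what keeps a payload that merely starts with 0x05 from firing.
    """
    for side, client, server in (("initiator", initiator, responder), ("responder", responder, initiator)):
        glen = parse_greeting(client)
        if glen is None or len(server) < 2 or server[0] != SOCKS_VERSION:
            continue
        method = server[1]
        if method != 0xFF and method not in client[2:glen]:
            continue
        # Request follows immediately only for "no authentication" (0x00); other methods
        # insert a sub-negotiation first, which this example does not parse.
        request = parse_request(client[glen:]) if method == 0x00 else None
        return Finding(side, request)
    return None


# Constructed flows (not captured traffic). Reverse layout: the firewall initiates the TCP
# connection, the remote end drives SOCKS5 as client and asks for LDAP on an internal host.
REVERSE_INITIATOR = b"\x05\x00" + b"\x05\x00\x00\x01" + bytes(4) + b"\x00\x00"
REVERSE_RESPONDER = (b"\x05\x01\x00" + b"\x05\x01\x00\x01"
                     + socket.inet_aton("10.0.0.5") + struct.pack("!H", 389))
# Forward layout with a domain-name target and two offered auth methods.
_DOMAIN = b"dc01.corp.example"
FORWARD_INITIATOR = (b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03"
                     + bytes([len(_DOMAIN)]) + _DOMAIN + struct.pack("!H", 445))
FORWARD_RESPONDER = b"\x05\x00"
# Benign traffic for contrast.
HTTP_INITIATOR = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
HTTP_RESPONDER = b"HTTP/1.1 200 OK\r\n\r\n"

if __name__ == "__main__":
    for name, a, b in (("reverse", REVERSE_INITIATOR, REVERSE_RESPONDER),
                       ("forward", FORWARD_INITIATOR, FORWARD_RESPONDER),
                       ("http", HTTP_INITIATOR, HTTP_RESPONDER)):
        print(name, detect_socks5(a, b))
```

Run against flow records exported from a sensor, the finding worth paging on is a management-plane or firewall IP whose outbound connection carries SOCKS requests in the responder-to-initiator direction: a perimeter device has no business serving as anyone's proxy.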

CL-STA-1132 fits the escalating pattern of state actors weaponising perimeter-device vulnerabilities before a fix is available. Its activity predated the CISA KEV listing by roughly three weeks, so defenders who use KEV as their trigger for emergency patching had no effective warning; vendor advisories, exploitation telemetry and off-box logging from edge devices are the earlier signals. The cluster is currently active and its full victim scope is not publicly known.
