Chinese APT Behind Palo Alto Zero-Day Shares Tools With Volt Typhoon
Unit 42 links CL-STA-1132 to Chinese state-sponsored actors exploiting CVE-2026-0300 for espionage. IOCs and attack timeline revealed after a month of active exploitation.
The state-sponsored hackers exploiting Palo Alto Networks firewalls share tooling with known Chinese APT groups including Volt Typhoon and APT41, according to a threat brief published by Unit 42.
Palo Alto Networks' threat intelligence team is tracking the exploitation activity as CL-STA-1132, describing it as "likely state-sponsored threat activity" conducting cyber espionage. The group's use of Earthworm—an open-source tunneling tool previously deployed by CL-STA-0046, Volt Typhoon, UAT-8337, and APT41—provides the clearest attribution signal.
This attribution matters because it reveals the CVE-2026-0300 vulnerability isn't being exploited by opportunistic criminals but by a sophisticated actor with ties to groups known for targeting critical infrastructure.
Attack Timeline: A Month of Undetected Access
Unit 42's analysis shows attackers had nearly a month of access before public disclosure:
- April 9, 2026: Initial exploitation attempts detected—unsuccessful at first
- Week of April 16: Attackers achieved successful RCE, injecting shellcode into the nginx worker process
- Four days later (~April 20): Tools deployed with root privileges; Active Directory enumeration began
- April 29, 2026: SAML flood attack launched; second firewall compromised; tunneling tools downloaded
The operational tempo suggests methodical espionage, not a smash-and-grab operation. Unit 42 notes the group exhibited "operational restraint—specifically the use of non-persistent access windows" to maintain long-term residency without triggering alerts.
Post-Compromise Tradecraft
After gaining root access through the buffer overflow, CL-STA-1132 deployed two primary tools:
Earthworm: An open-source network tunneling tool that enables SOCKS5 proxy creation and port forwarding. This tool's use across multiple Chinese APT clusters makes it a significant attribution indicator. The threat actors downloaded it from a staging server at 146.70.100[.]69:8000/php_sess.
ReverseSocks5: An open-source tool that establishes outbound connections to create SOCKS5 tunnels for pivoting through internal networks. The attackers pulled the official release directly from GitHub.
Both tools were placed in temporary directories (/var/tmp/linuxap, /var/tmp/linuxda, /var/R5) and executed with root privileges inherited from the initial exploit.
The attackers also took steps to cover their tracks by clearing crash kernel messages, deleting nginx log entries, and removing core dumps that might have revealed exploitation artifacts.
Why Volt Typhoon and APT41 Links Matter
Volt Typhoon is known for pre-positioning in U.S. critical infrastructure networks, part of a broader pattern of Chinese APT activity targeting government and telecommunications sectors documented this year. APT41, also known as Winnti, conducts both state-sponsored espionage and financially motivated attacks.
The shared tooling doesn't necessarily mean CL-STA-1132 is the same group, but it suggests overlapping operational infrastructure or a common support ecosystem. Chinese APT groups frequently share tools, techniques, and even access to compromised targets.
Network security appliances like firewalls are particularly valuable targets for espionage actors because they provide visibility into all traffic passing through the network. A compromised firewall can serve as a long-term collection point without requiring persistence on individual endpoints. We've seen similar campaigns targeting Cisco appliances this year.
Indicators of Compromise
Unit 42 published the following IOCs for defenders:
Command and Control Infrastructure:
- 67.206.213[.]86
- 136.0.8[.]48
- 146.70.100[.]69 (staging server)
- 149.104.66[.]84
Malicious File Hash:
- e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 (Earthworm)
File System Artifacts:
- /var/tmp/linuxap
- /var/tmp/linuxda
- /var/tmp/linuxupdate
- /tmp/.c (Python script)
- /tmp/R5 and /var/R5 (ReverseSocks5)
Organizations that have been running exposed User-ID Authentication Portals should hunt for these indicators even if they've implemented mitigations.
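As an added example, not Unit 42's or Palo Alto Networks' tooling, the following Python script hunts for the indicators above offline. It refangs the published IPs, scans exported connection records for C2 destinations, and scans a sha256sum-style file listing for the artifact paths (including files placed inside those directories) and the Earthworm hash. The five-column CSV layout, the sample connection records and the file listing are constructed assumptions for this example, not a PAN-OS export format; the hashes other than the Earthworm digest are placeholders.

```python
"""Offline IOC hunt for the CL-STA-1132 indicators published by Unit 42.

Added example, not vendor tooling. Indicator values are copied from the
article; the CSV column layout and all sample data below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# --- Indicators as published (defanged exactly as the brief lists them) ---
C2_IPS_DEFANGED = (
    "67.206.213[.]86",
    "136.0.8[.]48",
    "146.70.100[.]69",   # staging server (hxxp://146.70.100[.]69:8000/php_sess)
    "149.104.66[.]84",
)
EARTHWORM_SHA256 = "e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584"
ARTIFACT_PATHS = (
    "/var/tmp/linuxap", "/var/tmp/linuxda", "/var/tmp/linuxupdate",
    "/tmp/.c", "/tmp/R5", "/var/R5",
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = frozenset(refang(ip) for ip in C2_IPS_DEFANGED)


@dataclass(frozen=True)
class Hit:
    source: str      # "traffic" or "filesystem"
    indicator: str   # which published IOC matched
    evidence: str    # the record that matched


def hunt_traffic(csv_text: str) -> List[Hit]:
    """Scan connection records for C2 destinations.

    Assumed layout (not a PAN-OS export format): time,src,dst,dport,app
    """
    hits = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, app = line.split(",")
        if dst in C2_IPS:
            hits.append(Hit("traffic", dst, f"{ts} {src} -> {dst}:{dport} ({app})"))
    return hits


def _artifact_for(path: str) -> Optional[str]:
    """Match the path itself or anything placed beneath an artifact directory."""
    for art in ARTIFACT_PATHS:
        if path == art or path.startswith(art + "/"):
            return art
    return None


def hunt_files(sha256sum_text: str) -> List[Hit]:
    """Scan 'sha256sum'-style lines ('<digest>  <path>') for known paths and the Earthworm hash."""
    hits = []
    for line in sha256sum_text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(maxsplit=1)
        if digest.lower() == EARTHWORM_SHA256:
            hits.append(Hit("filesystem", EARTHWORM_SHA256, f"Earthworm binary at {path}"))
        art = _artifact_for(path)
        if art is not None:
            hits.append(Hit("filesystem", art, f"artifact path {path}"))
    return hits


# --- Constructed sample data (not real captures) ---
SAMPLE_TRAFFIC_LOG = "\n".join([
    "2026/04/29 03:12:44,10.20.0.5,146.70.100.69,8000,web-browsing",  # staging pull
    "2026/04/29 03:13:01,10.20.0.5,140.82.112.3,443,ssl",
    "2026/04/29 03:15:09,10.20.0.5,67.206.213.86,443,unknown-tcp",    # C2 beacon
    "2026/04/29 03:20:30,10.20.0.9,9.9.9.9,53,dns",
])

SAMPLE_FILE_LISTING = "\n".join([
    f"{EARTHWORM_SHA256}  /var/tmp/linuxap/ew",   # real Earthworm digest, under artifact dir
    f"{'0' * 64}  /var/tmp/linuxda/r5",            # placeholder digest, under artifact dir
    f"{'1' * 64}  /usr/bin/python3",               # benign
    f"{'2' * 64}  /tmp/.c",                        # exact artifact path
])


if __name__ == "__main__":
    for hit in hunt_traffic(SAMPLE_TRAFFIC_LOG) + hunt_files(SAMPLE_FILE_LISTING):
        print(f"[{hit.source}] {hit.indicator}: {hit.evidence}")
```

Run it against your own exports by feeding real connection records and a `find / -xdev -type f -exec sha256sum {} +` listing into the two functions; a hit on the staging server or on any artifact directory is grounds for the full forensic review the mitigation guidance below calls for.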
Over 5,400 Firewalls Still Exposed
Shadowserver tracking shows approximately 5,400 PAN-OS VM-series firewalls remain exposed to the internet with the vulnerable service accessible:
- 2,466 in Asia
- 1,998 in North America
- Remaining distributed across Europe and other regions
The Asia-heavy distribution is notable given CL-STA-1132's suspected Chinese origin: either domestic infrastructure is deliberately excluded from targeting, or the operators simply have better visibility into regional deployments.
CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog on May 6, ordering federal agencies to apply mitigations by May 9. The tight three-day deadline—similar to the compressed timeline CISA set for FortiClient EMS in April—reflects the severity of active exploitation by a sophisticated threat actor.
What Organizations Should Do Now
Patches won't arrive until May 13 for most versions, with a second wave on May 28. Until then:
- Restrict User-ID Authentication Portal to trusted zones only—this is the most effective mitigation
- Disable the portal entirely if your organization doesn't actively use it
- Hunt for IOCs listed above, especially the file paths and C2 addresses
- Assume breach if your portal was internet-exposed before May 6 and conduct thorough forensics
The espionage focus of CL-STA-1132 means compromised organizations may not see immediate, obvious impact. These actors seek persistent access for intelligence collection, not ransomware deployment. That makes detection harder and the long-term consequences potentially more severe.
For organizations tracking Chinese threat actor activity, this incident reinforces a pattern: edge devices and network appliances remain priority targets because they offer both access and visibility without the detection risk of endpoint compromise.