Unit 42 Identifies Airstalk Malware in Likely Supply Chain Attack
Unit 42 has uncovered a previously unknown Windows‑based malware family named **Airstalk**. The samples come in both PowerShell and .NET variants and exhibit a consistent set of capabilities. Unit 42 assigns medium confidence that a nation‑state threat actor deployed the malware in a **supply chain attack** aimed at exfiltrating sensitive browser data.
Airstalk exploits the AirWatch (now Workspace ONE Unified Endpoint Management) API to establish a covert command‑and‑control channel. The malware leverages the API’s ability to manage custom device attributes and upload files, allowing it to operate undetected while transmitting stolen data back to the attacker.
The malware’s primary goal is to exfiltrate browser credentials and other sensitive data stored on the target systems. Unit 42 has created the threat activity cluster **CL-STA‑1009** to monitor and track any further related activity. While the malware’s full range of functions is not yet mapped, the existing samples already demonstrate a sophisticated supply‑chain exploitation strategy.
**Key takeaways for organizations:**
1. Monitor for unusual AirWatch API activity, especially custom attribute changes or file uploads.
2. Implement strict controls around supply‑chain software updates.
3. Maintain up‑to‑date endpoint protection capable of detecting PowerShell and .NET-based threats.
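One way to act on the first takeaway, shown as an added example that is not from Unit 42 or the original page: flag write requests to custom-attribute or file-upload endpoints of the UEM API that come from processes other than the expected management agent. The record schema, the path markers, the process allowlist and the sample events are all assumptions constructed for illustration.

```python
from collections import Counter

# Assumed path markers; replace with the endpoint paths your UEM tenant actually uses.
WATCHED = {"customattribute": "attribute_change", "uploadblob": "file_upload"}
# Assumed allowlist of processes expected to call the UEM API on managed hosts.
EXPECTED_CLIENTS = {"uem-agent.exe"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample records (hypothetical proxy/EDR schema: host, process, method, path).
SAMPLE_EVENTS = [
    {"host": "ws-01", "process": "uem-agent.exe", "method": "POST", "path": "/api/example/customattribute"},
    {"host": "ws-02", "process": "powershell.exe", "method": "POST", "path": "/api/example/customattribute"},
    {"host": "ws-02", "process": "PowerShell.exe", "method": "PUT", "path": "/api/example/CustomAttribute"},
    {"host": "ws-02", "process": "powershell.exe", "method": "POST", "path": "/api/example/uploadblob"},
    {"host": "ws-03", "process": "browser.exe", "method": "GET", "path": "/api/example/customattribute"},
    {"host": "ws-04", "process": "helper.exe", "method": "PUT", "path": "/api/example/customattribute"},
]


def classify(event):
    """Return the watched activity label for a write request, or None."""
    if event["method"].upper() not in WRITE_METHODS:
        return None  # reads are out of scope for this check
    path = event["path"].lower()
    for marker, label in WATCHED.items():
        if marker in path:
            return label
    return None


def find_unexpected_clients(events, expected=EXPECTED_CLIENTS):
    """Count watched write activity per (host, process, label) for non-allowlisted processes."""
    counts = Counter()
    for event in events:
        label = classify(event)
        process = event["process"].lower()
        if label and process not in expected:
            counts[(event["host"], process, label)] += 1
    # Sorted tuples give stable output for alerting or triage.
    return sorted((h, p, l, n) for (h, p, l), n in counts.items())


if __name__ == "__main__":
    for host, process, label, n in find_unexpected_clients(SAMPLE_EVENTS):
        print(f"{host}: {process} performed {label} x{n}")
```
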
Staying vigilant against Airstalk and similar supply‑chain threats is critical for defending against sophisticated nation‑state actors.