A suspected China-based cyber espionage campaign has been targeting Southeast Asian military organizations since at least 2020, according to Palo Alto Networks Unit 42. The operation, tracked under the codename CL-STA-1087, appears to be state-backed and highly strategic.
Targeted Intelligence Gathering
Security researchers Lior Rochberger and Yoav Zemah report that the threat actors focused on highly specific military files rather than bulk data theft. Targets included information about organizational structures, joint operations with Western armed forces, and military capabilities, particularly systems related to command, control, communications, computers, and intelligence (C4I).
Malware Tools and Attack Techniques
The threat cluster employed multiple malware families, including:
- AppleChris: A backdoor deployed via DLL hijacking, capable of drive enumeration, file upload/download, remote shell execution, and silent process creation. Some variants fetch C2 addresses from Dropbox or Pastebin, with execution delays to bypass sandbox monitoring.
- MemFun: A modular malware platform that uses a multi-stage loader, in-memory downloader, and process hollowing techniques to remain stealthy. It retrieves configuration from Pastebin, communicates with C2 servers, and can execute additional payloads dynamically.
- Getpass: A custom version of Mimikatz used to escalate privileges and extract plaintext passwords, NTLM hashes, and authentication data from the memory of lsass.exe.
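Two of the behaviours above leave telemetry a defender can hunt for: the AppleChris/MemFun habit of pulling C2 configuration from Dropbox or Pastebin (a non-browser process resolving those hostnames), and the Getpass/Mimikatz habit of opening lsass.exe with memory-read rights. The following is an added detection example written for this article, not code from Unit 42 or from the malware; it assumes Sysmon-style JSON events (Event ID 22 DnsQuery, Event ID 10 ProcessAccess) and uses constructed sample events, and because the Dropbox desktop client and paste-site users also resolve these domains, the DNS rule is a triage signal rather than a verdict.

```python
# Added detection example (not from the Unit 42 report): flags two behaviours
# from the article in Sysmon-style JSON events. Event ID 22 = DnsQuery,
# Event ID 10 = ProcessAccess. Sample events below are constructed.
import json

DEAD_DROP_DOMAINS = ("pastebin.com", "dropbox.com", "dropboxapi.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_dead_drop_query(ev):
    """ID 22: a non-browser process resolving a Dropbox/Pastebin hostname."""
    if ev.get("EventID") != 22:
        return False
    q = ev.get("QueryName", "").lower()
    if not any(q == d or q.endswith("." + d) for d in DEAD_DROP_DOMAINS):
        return False
    return basename(ev.get("Image", "")) not in BROWSERS

def is_lsass_memory_read(ev):
    """ID 10: a handle to lsass.exe whose granted access includes PROCESS_VM_READ."""
    if ev.get("EventID") != 10 or basename(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    return bool(int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ)

def triage(lines):
    """Return (source process, reason) for each suspicious event in a JSON-lines feed."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_dead_drop_query(ev):
            hits.append((basename(ev["Image"]), "dead-drop DNS: " + ev["QueryName"]))
        elif is_lsass_memory_read(ev):
            hits.append((basename(ev["SourceImage"]), "lsass memory read"))
    return hits

SAMPLE_LOG = [  # constructed events, not real telemetry
    '{"EventID": 22, "Image": "C:\\\\Windows\\\\Tasks\\\\update.exe", "QueryName": "pastebin.com"}',
    '{"EventID": 22, "Image": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\chrome.exe", "QueryName": "www.dropbox.com"}',
    '{"EventID": 10, "SourceImage": "C:\\\\Users\\\\Public\\\\getpass.exe", "TargetImage": "C:\\\\Windows\\\\System32\\\\lsass.exe", "GrantedAccess": "0x1010"}',
    '{"EventID": 10, "SourceImage": "C:\\\\Windows\\\\System32\\\\csrss.exe", "TargetImage": "C:\\\\Windows\\\\System32\\\\lsass.exe", "GrantedAccess": "0x1400"}',
]

if __name__ == "__main__":
    for proc, reason in triage(SAMPLE_LOG):
        print(f"ALERT {proc}: {reason}")
```

The browser allow-list and the PROCESS_VM_READ mask are the two knobs to tune against a given estate's baseline before turning either rule into an alert.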
Operational Security and Persistence
Researchers noted that the attackers exhibited high operational patience, maintaining dormant access for months to perform precision intelligence collection. Techniques such as sandbox evasion, delayed execution timers, and modular payload delivery allowed the malware to remain undetected and flexible over extended periods.