Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware

Cybersecurity researchers have uncovered a long-running cyber espionage campaign believed to be linked to Chinese threat actors targeting military organizations across Southeast Asia.

The operation, tracked as CL-STA-1087, was identified by researchers from Palo Alto Networks Unit 42. Investigators say the activity reflects a state-backed intelligence operation focused on collecting highly specific military information rather than conducting widespread data theft.

Targeted Military Intelligence Collection

According to analysts, the attackers demonstrated patience and precision, infiltrating military networks to search for sensitive documents related to:

  • Military capabilities and strategic planning
  • Organizational structures within armed forces
  • Collaboration with Western military partners
  • Command, control, communications, computers, and intelligence (C4I) systems

Researchers noted that the campaign appears designed for long-term surveillance rather than immediate disruption.

Custom Malware Tools Used in the Campaign

The attackers deployed several custom malware tools to maintain access and harvest data from compromised systems. These include:

  • AppleChris – a backdoor designed for remote command execution
  • MemFun – a modular malware framework capable of downloading additional payloads
  • Getpass – a credential-stealing tool based on Mimikatz

These tools enable attackers to perform tasks such as file manipulation, remote shell execution, process monitoring, and system reconnaissance.

How the Attack Works

The exact entry point used to compromise the targeted networks remains unknown. However, researchers observed suspicious scripts executed through PowerShell.

Infected systems would run scripts that remained dormant for several hours before establishing a connection with attacker-controlled servers.

Once inside the network, the attackers spread laterally across devices and deployed variants of AppleChris to maintain persistence while avoiding detection.

Dead Drop Technique Used for Command Servers

Both AppleChris and MemFun rely on a clever method known as a dead drop resolver to locate their command-and-control (C2) infrastructure.

Instead of embedding server addresses directly in the malware, the attackers store encrypted instructions on public platforms such as Pastebin. In some cases, the malware also retrieves configuration data from Dropbox.

This technique allows attackers to easily update their infrastructure without modifying the malware itself.
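The two behaviours described in the last two sections, a script host that stays quiet for hours before its first outbound connection and a process that fetches its C2 address from a public dead-drop platform before beaconing, can both be surfaced from endpoint telemetry. The following is an added detection example, not code from the Unit 42 report or this article; the event format, the dead-drop host list, the script-host list and the browser list are all assumptions, and the sample events are constructed.

```python
# Added detection example, not code from the Unit 42 report or the page. It runs
# over constructed endpoint telemetry and flags two behaviours described above:
# a script host dormant for hours before its first outbound connection, and a
# process that contacts a dead-drop platform and then beacons to the resolved host.

# Constructed sample events: (timestamp_seconds, pid, image, event, host)
EVENTS = [
    (0,     100, "powershell.exe", "start", None),
    (14400, 100, "powershell.exe", "net",   "pastebin.com"),   # 4 h after start
    (14410, 100, "powershell.exe", "net",   "203.0.113.10"),   # placeholder C2 (TEST-NET-3)
    (0,     200, "outlook.exe",    "start", None),
    (30,    200, "outlook.exe",    "net",   "outlook.office365.com"),
    (0,     300, "chrome.exe",     "start", None),
    (5,     300, "chrome.exe",     "net",   "pastebin.com"),    # a user browsing Pastebin
    (20,    300, "chrome.exe",     "net",   "example.org"),
]

# Assumed lists: the public services the article names as dead drops, the script
# hosts to watch, and browsers that legitimately visit those services all day.
DEAD_DROP_HOSTS = {"pastebin.com", "dropbox.com", "www.dropbox.com"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def dormant_before_beacon(events, min_delay=3600):
    """pids of script hosts whose first network connection came at least
    min_delay seconds after process start (the long-sleep evasion above)."""
    start, first_net = {}, {}
    for ts, pid, image, kind, host in sorted(events, key=lambda e: e[0]):
        if image.lower() not in SCRIPT_HOSTS:
            continue
        if kind == "start":
            start[pid] = ts
        elif kind == "net" and pid not in first_net:
            first_net[pid] = ts
    return sorted(p for p in first_net if p in start and first_net[p] - start[p] >= min_delay)

def dead_drop_resolvers(events, window=600):
    """pids (browsers excluded) that hit a dead-drop platform and then, within
    window seconds, connected to a different host: the resolved C2 address."""
    hits, last_drop = set(), {}
    for ts, pid, image, kind, host in sorted(events, key=lambda e: e[0]):
        if kind != "net" or image.lower() in BROWSERS:
            continue
        if host in DEAD_DROP_HOSTS:
            last_drop[pid] = ts
        elif pid in last_drop and ts - last_drop[pid] <= window:
            hits.add(pid)  # dead drop, then beacon: worth a closer look
    return sorted(hits)
```

Excluding browsers keeps ordinary Pastebin browsing out of the second detector, but note that a payload hollowed into dllhost.exe, as the article describes for MemFun, would still be caught, since image allowlisting is deliberately narrow.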

Advanced Evasion Techniques

The malware includes several methods designed to avoid detection by security systems.

For example, certain variants delay their execution to bypass automated malware analysis environments, which typically monitor programs for only short periods.

In another tactic, the MemFun malware injects its payload into the memory of the legitimate Windows process dllhost.exe using a method known as process hollowing, allowing it to run under the appearance of a trusted system program.

Credential Theft and Privilege Escalation

To gain deeper access to targeted systems, the attackers also used the Getpass tool to extract authentication data from the Windows lsass.exe process.

Reading authentication material out of lsass.exe memory in this way can reveal:

  • Plaintext passwords
  • NTLM password hashes
  • Other authentication credentials

With these credentials, attackers can escalate privileges and access additional systems within a network.

Long-Term Espionage Strategy

Researchers say the attackers behind CL-STA-1087 showed a high level of operational discipline. In some cases, they maintained dormant access to compromised networks for months while quietly gathering intelligence.

Security analysts warn that the campaign highlights the growing use of advanced cyber espionage techniques in geopolitical conflicts, particularly in regions where military cooperation with Western nations is expanding.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO