China-Linked Hackers Target Southeast Asian Military Systems in Ongoing Espionage Campaign

Emy Elsamnoudy
March 25, 2026

Key Takeaways

  • A persistent cyber espionage campaign, dubbed CL-STA-1087, has targeted military organizations in Southeast Asia since at least 2020.
  • The threat actor, assessed with moderate confidence to be linked to China, focuses on strategic and operational intelligence gathering.
  • Attackers employ custom backdoors (AppleChris, MemFun) and a modified credential-theft tool (Getpass) to maintain stealth and persistence.
  • The campaign utilizes sophisticated evasion techniques, including delayed execution, in-memory malware, and DLL hijacking.

China-Linked Cyber Espionage Campaign Targets Southeast Asian Military Systems

A protracted and sophisticated cyber espionage operation, identified as CL-STA-1087, has been systematically compromising military networks across Southeast Asia since at least 2020. This campaign is believed, with moderate confidence, to be orchestrated by a China-aligned threat actor, with its primary objective being the acquisition of strategic and operational intelligence rather than mass data exfiltration.

The attackers have demonstrated a strong emphasis on maintaining stealth and persistence within compromised environments. They achieve this through a combination of custom-developed tools and meticulous operational security practices designed to evade detection over extended periods.

Initial Detection and Evasion Tactics

The CL-STA-1087 campaign first surfaced when endpoint security tools detected unusual PowerShell activity on an unmanaged system within a targeted military network. Investigators quickly determined that this was not a new intrusion but rather an ongoing operation where the attackers had already established a firm foothold.

The threat actors deployed delayed execution scripts that communicated with multiple command-and-control (C2) servers. A key evasion technique involved programming these scripts to “sleep” for six-hour intervals between actions. This deliberate delay helps them bypass automated detection systems that look for sudden bursts of activity, allowing their operations to blend in with normal network traffic.
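The six-hour sleep described above defeats burst-based alerting, but a long, very regular contact cadence is itself detectable. The following is an added example (not code from the original article or from any vendor report) that scans constructed outbound-connection log lines for per-host, per-destination series whose inter-contact gaps are long and nearly uniform; the log lines, host names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed log lines in the form "timestamp src_host dst_ip".
# The first series contacts one address every ~6 hours with small jitter;
# the second is ordinary bursty traffic to a different address.
LOG = """\
2026-03-01T00:05:00 ws-17 203.0.113.10
2026-03-01T06:05:12 ws-17 203.0.113.10
2026-03-01T12:04:48 ws-17 203.0.113.10
2026-03-01T18:05:30 ws-17 203.0.113.10
2026-03-02T00:04:55 ws-17 203.0.113.10
2026-03-01T00:00:10 ws-17 198.51.100.5
2026-03-01T00:00:40 ws-17 198.51.100.5
2026-03-01T00:03:00 ws-17 198.51.100.5
2026-03-01T01:20:00 ws-17 198.51.100.5
2026-03-01T04:00:00 ws-17 198.51.100.5
"""

def parse(log):
    """Group timestamps by (source host, destination)."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, host, dst = line.split()
        series[(host, dst)].append(datetime.fromisoformat(ts))
    return series

def find_slow_beacons(log, min_interval=timedelta(hours=1),
                      max_jitter=0.05, min_events=4):
    """Return (host, dst, median_gap_hours) for series whose gaps are
    at least min_interval and deviate from the median by <= max_jitter."""
    hits = []
    for (host, dst), stamps in parse(log).items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med < min_interval.total_seconds():
            continue  # too frequent to be the slow cadence we care about
        jitter = max(abs(g - med) for g in gaps) / med
        if jitter <= max_jitter:
            hits.append((host, dst, round(med / 3600, 2)))
    return hits

if __name__ == "__main__":
    print(find_slow_beacons(LOG))
```

Real beacons may add randomised jitter, so the `max_jitter` threshold should be tuned against the environment's baseline rather than fixed.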

Analysts at PolySwarm confirmed the active role of AppleChris, the primary backdoor used in this espionage campaign, after identifying samples of the malware.

Lateral Movement and Target Prioritization

Following an initial quiet period, the threat actors reactivated their operations and began moving laterally throughout the compromised networks. They leveraged legitimate Windows functionalities, specifically Windows Management Instrumentation (WMI) and native .NET commands, to propagate their malware.

High-value targets within the military infrastructure were prioritized, including domain controllers, critical web servers, IT workstations, and executive systems. This focused targeting, particularly on Command, Control, Communications, Computers, and Intelligence (C4I) systems, underscores the strategic nature of the intelligence gathering objective.

Palo Alto’s Unit 42 has also reported on this activity, providing further insights into the campaign’s breadth and technical sophistication. The group’s operational patterns consistently align with UTC+8 business hours, and their infrastructure includes cloud services hosted in China. Furthermore, elements of the C2 environment contained Simplified Chinese language, collectively pointing to a China-nexus origin for the threat actors, although no specific group has been formally attributed.

Persistence Mechanisms

The CL-STA-1087 campaign employs robust persistence strategies. Attackers create new Windows services and utilize DLL hijacking by strategically placing malicious DLL files within the system32 directory. These malicious DLLs are then registered through legitimate Windows services, enabling them to execute discreetly and maintain a long-term presence within the compromised environment without triggering alarms.

Custom Backdoors and Credential Theft

The toolkit at the heart of this campaign is designed for stealth and endurance.

AppleChris Backdoor

AppleChris, the primary backdoor, dynamically retrieves its C2 server addresses from platforms like Pastebin, and in earlier versions, also from Dropbox. This “Dead Drop Resolver” (DDR) technique allows the malware to fetch encrypted connection data at runtime. The retrieved data is Base64-decoded and then decrypted using an embedded RSA-1024 private key, effectively preventing static network indicators from being easily discovered by defenders. Once active, AppleChris facilitates file operations, process enumeration, and remote shell execution via custom HTTP verbs.

MemFun Backdoor

The secondary backdoor, MemFun, is engineered to operate entirely in memory, significantly complicating its detection on disk. Its infection chain typically begins with a file masquerading as GoogleUpdate.exe, which then launches an in-memory downloader. This downloader fetches the final DLL payload from the C2 server. MemFun employs several stealth techniques, including timestomping, process hollowing into dllhost.exe, and reflective DLL loading. Session-specific Blowfish keys are used to ensure that each payload exchange is uniquely encrypted, further enhancing its evasiveness.

Getpass Credential Theft

Credential theft is managed by Getpass, a modified version of the well-known Mimikatz tool. This variant operates silently, extracting plaintext passwords, NTLM hashes, and authentication tokens directly from the lsass.exe process. Unlike standard Mimikatz, Getpass runs automatically and stores the stolen data in a file named WinSAT.db, mimicking a legitimate Windows system file to further avoid detection.

What You Should Do

  • Implement strict monitoring of PowerShell and WMI activity across all endpoints and servers.
  • Apply DLL search order hardening to mitigate risks associated with DLL hijacking.
  • Monitor all attempts to access the Local Security Authority Subsystem Service (LSASS) process for unusual activity.
  • Regularly audit and manage unmanaged endpoints, ensuring comprehensive security coverage.
  • Deploy advanced endpoint detection and response (EDR) solutions capable of detecting in-memory threats and sophisticated evasion techniques.
  • Enforce multi-factor authentication (MFA) across all critical systems and accounts to limit the impact of stolen credentials.
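Three of the recommendations above (LSASS access monitoring, watching for DLLs registered through services in system32, and spotting Getpass's WinSAT.db output) can be expressed as simple triage rules over endpoint telemetry. The following is an added example, not code from the article, run over constructed events loosely modelled on Sysmon event IDs 10 (ProcessAccess), 11 (FileCreate) and 13 (registry value set); the process names, paths, allowlist and baseline are assumptions.

```python
import ntpath

# Constructed events, not real telemetry from the campaign.
EVENTS = [
    {"id": 10, "src": r"C:\Windows\System32\csrss.exe",
     "dst": r"C:\Windows\System32\lsass.exe"},
    {"id": 10, "src": r"C:\Users\Public\gp.exe",
     "dst": r"C:\Windows\System32\lsass.exe"},
    {"id": 11, "src": r"C:\Users\Public\gp.exe",
     "path": r"C:\ProgramData\WinSAT.db"},
    {"id": 13, "key": r"HKLM\System\CurrentControlSet\Services\WinHelper\Parameters\ServiceDll",
     "value": r"C:\Windows\System32\winhelper.dll"},
    {"id": 13, "key": r"HKLM\System\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll",
     "value": r"C:\Windows\System32\dhcpcore.dll"},
]

# Assumed allowlists: processes expected to open LSASS, and ServiceDll values
# already present in the host baseline. Both must be tuned per environment.
LSASS_ALLOW = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
SERVICEDLL_BASELINE = {"c:\\windows\\system32\\dhcpcore.dll"}
SYSTEM32 = "c:\\windows\\system32\\"

def base(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()

def triage(events):
    """Return (rule, evidence) tuples for events matching the three rules."""
    alerts = []
    for e in events:
        if e["id"] == 10 and base(e["dst"]) == "lsass.exe" \
                and base(e["src"]) not in LSASS_ALLOW:
            alerts.append(("lsass-access", e["src"]))
        elif e["id"] == 11 and base(e["path"]) == "winsat.db":
            # Getpass writes its loot to a file named WinSAT.db
            alerts.append(("winsat-db-drop", e["path"]))
        elif e["id"] == 13 and e["key"].lower().endswith(r"\parameters\servicedll"):
            dll = e["value"].lower()
            # A service DLL newly registered out of system32 that is not in
            # the baseline matches the DLL-hijack persistence described above
            if dll.startswith(SYSTEM32) and dll not in SERVICEDLL_BASELINE:
                alerts.append(("new-servicedll-in-system32", e["value"]))
    return alerts

if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(rule, evidence)
```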

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emy covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emy's reporting focuses on helping organizations improve their security posture through practical, actionable insights.
