China-Linked Hackers Breach SE Asian Military in Spy

Emy Elsamnoudy
March 25, 2026

A sophisticated and enduring cyber espionage campaign, known as CL-STA-1087, has covertly targeted military organizations throughout Southeast Asia since at least 2020.

The operation, assessed with moderate confidence to be linked to a China-aligned threat actor, focuses on collecting strategic and operational intelligence rather than simply stealing large amounts of data.

The attackers prioritized staying hidden, using custom-built tools and careful techniques to avoid detection over time.

The campaign first came to light when endpoint security tools flagged suspicious PowerShell activity on an unmanaged endpoint within a targeted military network.

Investigators quickly realized this was not a fresh intrusion — the attackers had already established a foothold, running delayed execution scripts that connected back to multiple command-and-control (C2) servers.

These scripts were designed to sleep for six-hour intervals between actions, a deliberate move to slip past automated detection tools that watch for unusual spikes in activity.
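Beacons that sleep for hours defeat detections keyed on activity spikes, but the regularity itself is observable. The following is an added example, not code from the article or from Unit 42's report: it reads a constructed, simplified proxy log (`<ISO-8601 time> <host> <destination>` per line) and flags host/destination pairs whose connection gaps cluster tightly around a long period, such as the six-hour cadence described above.

```python
"""Flag (host, destination) pairs whose connections recur at a near-fixed interval.

Added example, not from the article or Unit 42's report. Input is a constructed,
simplified proxy log, one record per line: <ISO-8601 time> <host> <destination>.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: WS-17 calls out every ~6 h with seconds of jitter (the
# pattern described for the delayed-execution scripts); WS-04 browses irregularly.
SAMPLE_LOG = """\
2024-03-01T00:02:10 WS-17 203.0.113.10
2024-03-01T06:02:14 WS-17 203.0.113.10
2024-03-01T12:02:09 WS-17 203.0.113.10
2024-03-01T18:02:12 WS-17 203.0.113.10
2024-03-02T00:02:11 WS-17 203.0.113.10
2024-03-01T08:15:00 WS-04 198.51.100.7
2024-03-01T09:47:30 WS-04 198.51.100.7
2024-03-01T13:05:12 WS-04 198.51.100.7
2024-03-01T16:40:00 WS-04 198.51.100.7
"""

def parse_log(text):
    """Group connection timestamps by (host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, host, dest = line.split()
            conns[(host, dest)].append(datetime.fromisoformat(ts))
    return conns

def find_periodic_beacons(conns, min_conns=4, min_period_s=3600, max_cv=0.02):
    """Return (host, dest, mean_gap_seconds) for pairs with a long, regular period.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; max_cv=0.02 tolerates 2% jitter around the period.
    """
    hits = []
    for (host, dest), times in conns.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg >= min_period_s and pstdev(gaps) / avg <= max_cv:
            hits.append((host, dest, avg))
    return hits

if __name__ == "__main__":
    for host, dest, period in find_periodic_beacons(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {dest}: connects every {period / 3600:.2f} h")
```

Tune `max_cv` upward if the implant adds deliberate jitter; a period that drifts by minutes rather than seconds is still far more regular than human browsing.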

PolySwarm analysts identified samples of the primary backdoor used in this campaign, AppleChris, confirming its active role in the espionage operation.

After going quiet for several months, the threat actors re-emerged and began moving laterally across the compromised networks.

They used Windows Management Instrumentation (WMI) and native Windows .NET commands to spread malware to domain controllers, web servers, IT workstations, and executive systems — all high-value targets within a military environment.

Their focus on Command, Control, Communications, Computers, and Intelligence (C4I) systems reveals how deliberate this operation truly was.

Palo Alto’s Unit 42 reported on this activity, shedding more light on the scope and sophistication of the campaign.

The attackers used three main tools: AppleChris and MemFun as custom backdoors, and Getpass, a modified version of the well-known credential-theft tool Mimikatz.

Their operational patterns consistently aligned with UTC+8 business hours, and their infrastructure included China-based cloud services, with Simplified Chinese language elements found within parts of the C2 environment.

While no specific group has been formally named, these indicators collectively point to a China-nexus origin.

The campaign’s persistence strategy was equally deliberate. Attackers created new Windows services and performed DLL hijacking by placing malicious DLL files inside the system32 directory, registering them through legitimate Windows services to blend in.

These methods gave the threat actors a stable, long-term presence within compromised environments, letting them operate quietly in the background without raising alarms.

Custom Backdoors and Credential Theft

At the core of this campaign sits a layered toolkit built for stealth and longevity. AppleChris, the primary backdoor, retrieved its C2 server addresses dynamically from Pastebin, and earlier versions also used Dropbox.

This approach, known as the Dead Drop Resolver (DDR) technique, allowed the malware to fetch encrypted connection data at runtime from a legitimate public service instead of carrying it in the binary.

The retrieved data was Base64-decoded and then decrypted using an embedded RSA-1024 private key, meaning the binary itself carried no static network indicators for defenders to find.

Once fully active, AppleChris supported file operations, process enumeration, and remote shell execution through custom HTTP verbs.

The secondary backdoor, MemFun, was built to run entirely in memory, making it much harder to detect on disk.

Its infection chain started with a file disguised as GoogleUpdate.exe, which launched an in-memory downloader that fetched a final DLL payload from the C2 server.

MemFun used timestomping, process hollowing into dllhost.exe, and reflective DLL loading to stay hidden, while session-specific Blowfish keys ensured each payload exchange was uniquely encrypted.

Credential theft was handled by Getpass, which silently pulled plaintext passwords, NTLM hashes, and authentication tokens from the lsass.exe process.

Unlike standard Mimikatz, this variant ran automatically and saved stolen data to a file named WinSAT.db, mimicking a legitimate Windows system file.

Organizations in the defense sector should enforce strict monitoring of PowerShell and WMI activity, apply DLL search order hardening, and monitor all LSASS access attempts.
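The LSASS recommendation is the most directly testable of the three. Below is an added example, not code from the article or Unit 42's report: it runs over constructed Sysmon Event ID 10 (ProcessAccess) records flattened to `key=value` lines and flags any process outside an illustrative allowlist that obtained a handle to lsass.exe with the PROCESS_VM_READ right, which is what a credential dumper like the Getpass variant needs and what a query-only handle does not grant.

```python
"""Flag process-access events against lsass.exe from processes outside an allowlist.

Added example, not from the article or Unit 42's report. It assumes constructed
Sysmon Event ID 10 (ProcessAccess) records flattened to one 'key=value ...' line
each; the allowlist is illustrative and must be tuned to the EDR/AV actually
deployed (every legitimate reader of LSASS in an estate has to be listed).
"""
PROCESS_VM_READ = 0x0010  # access right needed to read credential material from lsass.exe

# Hypothetical allowlist of processes expected to open lsass.exe (lower-case paths).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample events, not real telemetry. The third line is an executable
# outside System32 reading LSASS with VM_READ|QUERY_LIMITED_INFORMATION (0x1010).
SAMPLE_EVENTS = """\
EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\\Users\\Public\\GoogleUpdate.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1410
"""

def parse_event(line):
    """Split a 'key=value key=value' line into a dict (sample values contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())

def suspicious_lsass_access(events_text, allowed=ALLOWED_SOURCES):
    """Return ProcessAccess events where a non-allowlisted image opened lsass.exe
    with PROCESS_VM_READ granted; query-only handles (e.g. 0x1000) are ignored."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "10" or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        if granted & PROCESS_VM_READ and ev["SourceImage"].lower() not in allowed:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {ev['SourceImage']} opened LSASS with {ev['GrantedAccess']}")
```

Pair this with a file-creation watch for the WinSAT.db artifact the article describes and with alerts on new services whose binary or DLL path lands in System32 without a matching installer event.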
