A sophisticated and long-running cyber espionage campaign, tracked as CL-STA-1087, has been covertly targeting military organizations across Southeast Asia since at least 2020. The operation, attributed with moderate confidence to a China-aligned threat actor, prioritizes the collection of strategic and operational intelligence over mass data exfiltration. The attackers have employed custom-built tools and meticulous tradecraft to maintain a low profile and avoid detection over an extended period.
The campaign initially surfaced when endpoint security tools detected unusual PowerShell activity on an unmanaged endpoint within a targeted military network. Investigations revealed that attackers had already established a persistent presence, utilizing delayed execution scripts that connected to multiple command-and-control (C2) servers. These scripts were intentionally designed with six-hour intervals between actions, a tactic aimed at evading automated detection systems that monitor for sudden bursts of activity.
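The six-hour cadence described above defeats detections that look for bursts, but it leaves a different signature: long, nearly identical gaps between connections from the same process to the same destination. The following Python script is an added example (not code from the article, PolySwarm or Unit 42) that parses a constructed connection log and flags series whose inter-event gaps are long and have very little jitter. The log lines, process names, destination address and thresholds are all invented for illustration; in practice the input would be exported proxy, firewall or Sysmon network events.

```python
"""Flag long-interval, low-jitter beaconing in a constructed connection log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<UTC timestamp> <process> <destination>".
# The powershell.exe series repeats roughly every six hours; chrome.exe is background noise.
SAMPLE_LOG = """\
2024-03-01T00:02:11Z powershell.exe 203.0.113.10:443
2024-03-01T00:15:40Z chrome.exe 198.51.100.7:443
2024-03-01T06:02:09Z powershell.exe 203.0.113.10:443
2024-03-01T06:41:03Z chrome.exe 198.51.100.7:443
2024-03-01T12:02:14Z powershell.exe 203.0.113.10:443
2024-03-01T13:05:22Z chrome.exe 198.51.100.7:443
2024-03-01T18:02:10Z powershell.exe 203.0.113.10:443
2024-03-02T00:02:12Z powershell.exe 203.0.113.10:443
"""


def parse_log(text):
    """Group event timestamps by (process, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, proc, dst = line.split()
        events[(proc, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(events, min_events=4, min_period_s=3600, max_jitter=0.05):
    """Return (key, period_seconds) for series whose gaps are long and regular.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps; human or
    browser-driven traffic is far more irregular than a scheduled sleep loop.
    """
    hits = []
    for key, times in events.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period >= min_period_s and pstdev(gaps) / period <= max_jitter:
            hits.append((key, round(period)))
    return hits


if __name__ == "__main__":
    for (proc, dst), period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{proc} -> {dst}: regular beacon every {period} s")
```

The thresholds deserve tuning: a very low `max_jitter` catches scripts that sleep for a fixed interval, while a sleep with randomised jitter would need a looser bound and a larger `min_events` window to stay reliable. Running this over a day or two of data rather than minutes is what makes a six-hour cadence visible at all.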
Custom Backdoors and Credential Theft in China-Linked Spy Campaign
PolySwarm analysts identified key components of the operation, including a primary backdoor named AppleChris, confirming its central role in the extensive espionage efforts. Following a period of dormancy, the threat actors resumed their activities, initiating lateral movement across compromised networks. They leveraged Windows Management Instrumentation (WMI) and native Windows .NET commands to distribute malware to critical systems such as domain controllers, web servers, IT workstations, and executive-level systems – all considered high-value targets within a military context. The specific focus on Command, Control, Communications, Computers, and Intelligence (C4I) systems underscores the calculated and strategic nature of this operation.
Palo Alto Networks’ Unit 42 also reported on this activity, providing further insights into the campaign’s scope and advanced methodologies. The attackers deployed three principal tools: AppleChris and MemFun, both custom-built backdoors, and Getpass, a modified version of the widely recognized credential-theft tool Mimikatz. Operational patterns consistently correlated with UTC+8 business hours, and the associated infrastructure incorporated China-based cloud services. Additionally, simplified Chinese language elements were observed within parts of the C2 environment, collectively indicating a China-nexus origin for the threat group.
The campaign’s persistence mechanisms were equally sophisticated. Attackers established new Windows services and executed DLL hijacking by placing malicious DLL files within the system32 directory, subsequently registering them under legitimate Windows services to maintain stealth. These methods ensured the threat actors’ long-term presence within compromised environments, allowing them to operate discreetly and avoid triggering alarms.
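A service registered under a legitimate name whose DLL sits in system32 does not look wrong on its own; what gives it away is drift from a known-good baseline. The Python below is an added example (not the article's or the vendors' code) that diffs a baseline snapshot of service configuration against a current one and reports new services, changed `ServiceDll` or `ImagePath` values, and whether the referenced file was created after the baseline was taken. The service names, paths and dates are constructed for illustration; on a real host the snapshots would come from the `HKLM\SYSTEM\CurrentControlSet\Services` registry keys and file creation times from the filesystem.

```python
"""Diff a service-configuration baseline against a current snapshot to surface the
new-service and swapped-ServiceDll persistence pattern."""
from datetime import date

# Constructed baseline snapshot (known-good): service -> (ImagePath, ServiceDll or None).
BASELINE_DATE = date(2024, 1, 15)
BASELINE = {
    "Dhcp": (r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted",
             r"C:\Windows\system32\dhcpcore.dll"),
    "Spooler": (r"C:\Windows\System32\spoolsv.exe", None),
    "WinRM": (r"C:\Windows\System32\svchost.exe -k NetworkService",
              r"C:\Windows\system32\WsmSvc.dll"),
}

# Constructed current snapshot: WinRM's ServiceDll now points at a different file in
# system32 and a new svchost-hosted service has appeared. All names are invented.
CURRENT = {
    "Dhcp": BASELINE["Dhcp"],
    "Spooler": BASELINE["Spooler"],
    "WinRM": (r"C:\Windows\System32\svchost.exe -k NetworkService",
              r"C:\Windows\system32\wsmsvc32.dll"),
    "UpdateHelperSvc": (r"C:\Windows\System32\svchost.exe -k netsvcs",
                        r"C:\Windows\system32\updhlp.dll"),
}

# Constructed file-creation dates (in practice read from the filesystem), keyed by
# lower-cased path.
FILE_CREATED = {
    r"c:\windows\system32\dhcpcore.dll": date(2023, 6, 1),
    r"c:\windows\system32\wsmsvc.dll": date(2023, 6, 1),
    r"c:\windows\system32\wsmsvc32.dll": date(2024, 3, 2),
    r"c:\windows\system32\updhlp.dll": date(2024, 3, 2),
}


def _norm(path):
    return path.lower() if path else None


def _recent(path, file_created, baseline_date):
    """True when the referenced file was created after the baseline was taken."""
    created = file_created.get(_norm(path))
    return created is not None and created > baseline_date


def audit_services(baseline, current, file_created, baseline_date):
    """Return (service, finding, path, created_after_baseline) tuples."""
    findings = []
    for name, (image, dll) in current.items():
        if name not in baseline:
            path = dll or image
            findings.append((name, "new_service", path,
                             _recent(path, file_created, baseline_date)))
            continue
        b_image, b_dll = baseline[name]
        if _norm(dll) != _norm(b_dll):
            findings.append((name, "servicedll_changed", dll,
                             _recent(dll, file_created, baseline_date)))
        elif _norm(image) != _norm(b_image):
            findings.append((name, "imagepath_changed", image,
                             _recent(image, file_created, baseline_date)))
    for name in sorted(baseline.keys() - current.keys()):
        findings.append((name, "service_removed", None, False))
    return findings


if __name__ == "__main__":
    for finding in audit_services(BASELINE, CURRENT, FILE_CREATED, BASELINE_DATE):
        print(finding)
```

A finding whose file was created after the baseline date is the one to triage first; a DLL with a plausible name in system32 that did not exist when the golden image was built has no legitimate reason to be hosted by a long-standing service. Windows Update legitimately changes service binaries, so the baseline has to be refreshed after patch cycles or the check drowns in noise.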
Core Toolkit for Stealth and Longevity
At the heart of this operation lies a layered toolkit meticulously designed for stealth and sustained presence. AppleChris, the primary backdoor, dynamically retrieved its C2 server addresses from Pastebin, with earlier versions also utilizing Dropbox. This technique, known as a Dead Drop Resolver (DDR), enabled the malware to fetch encrypted connection data at runtime. The retrieved data was then Base64-decoded and decrypted using an embedded RSA-1024 private key, effectively eliminating static network indicators that defenders could use for detection. Upon full activation, AppleChris facilitated file operations, process enumeration, and remote shell execution via custom HTTP verbs.
The secondary backdoor, MemFun, was engineered to operate entirely in memory, significantly increasing its evasion capabilities and reducing its discoverability on disk. The infection chain commenced with a file disguised as GoogleUpdate.exe, which initiated an in-memory downloader responsible for fetching a final DLL payload from the C2 server. MemFun employed timestomping, process hollowing into dllhost.exe, and reflective DLL loading techniques to remain undetected. Furthermore, session-specific Blowfish keys ensured that each payload exchange was uniquely encrypted, adding another layer of obfuscation to the malware’s communications.
Credential theft was managed by Getpass, which silently extracted plaintext passwords, NTLM hashes, and authentication tokens from the lsass.exe process. Notably, this variant differed from standard Mimikatz by running automatically and saving the pilfered data to a file named WinSAT.db, impersonating a legitimate Windows system file. Organizations in the defense sector are advised to implement stringent monitoring of PowerShell and WMI activity, enforce DLL search order hardening, and closely monitor all attempts to access the LSASS process.
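The LSASS-monitoring advice above maps directly onto Sysmon telemetry: Event ID 10 (ProcessAccess) records which process opened lsass.exe and with what access mask, and Event ID 11 (FileCreate) records the output file. The Python below is an added example (not code from the article, PolySwarm or Unit 42) that scores a handful of constructed Sysmon-style events, alerting on non-allowlisted processes that request memory-read access to LSASS and on any file created with the WinSAT.db name the article reports. The source paths, the output directory and the allowlist are invented; only the Sysmon field names and the `PROCESS_VM_READ` access-right value are real.

```python
"""Alert on LSASS memory reads and credential-dump output files in constructed
Sysmon-style events."""

# Windows process access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010

# Placeholder allowlist of processes that open lsass.exe legitimately on many hosts.
# Tune per estate; an EDR or AV engine typically needs to be added here.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed events using Sysmon's field names. Paths are invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\getpass.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 11, "Image": r"C:\Users\Public\getpass.exe",
     "TargetFilename": r"C:\Windows\Temp\WinSAT.db"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log"},
]


def analyze(events, allowlist=ALLOWLIST):
    """Return (alert_type, process, detail) tuples for suspicious events."""
    alerts = []
    for e in events:
        if e["EventID"] == 10 and e["TargetImage"].lower().endswith(r"\lsass.exe"):
            # GrantedAccess is a hex string such as "0x1010" in Sysmon output.
            access = int(e["GrantedAccess"], 16)
            if access & PROCESS_VM_READ and e["SourceImage"].lower() not in allowlist:
                alerts.append(("lsass_memory_read", e["SourceImage"], e["GrantedAccess"]))
        elif e["EventID"] == 11 and e["TargetFilename"].lower().endswith(r"\winsat.db"):
            alerts.append(("credential_dump_file", e["Image"], e["TargetFilename"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Two details matter in deployment. The csrss.exe event passes because 0x1400 carries only query rights, not `PROCESS_VM_READ`, so the rule keys on the capability a dumper needs rather than on every handle to LSASS. And the file-name rule is deliberately narrow: a process writing a file called WinSAT.db outside the Windows performance-assessment tooling is rare enough that the match itself is the signal, while the LSASS rule needs the allowlist to stay actionable.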
The ongoing nature of this campaign and its focus on sensitive military C4I systems highlight potential implications for regional security and intelligence gathering. As the investigation continues, a key area to monitor will be any public statements or advisories from affected nations regarding the extent of the breaches and the specific types of intelligence compromised. The threat actors’ continued use of custom tools and evasive techniques suggests that vigilance and adaptive security measures will be paramount for defense organizations in Southeast Asia.