Suspected Chinese Cyber Espionage Operation Targets Southeast Asian Military Organizations
Cybersecurity researchers have uncovered a long-running cyber espionage campaign believed to be linked to China that has been quietly targeting military institutions across Southeast Asia since at least 2020.
The activity was analyzed by researchers from Palo Alto Networks Unit 42, who are tracking the operation under the name CL-STA-1087. In their classification system, “CL” refers to a cluster of related activity while “STA” indicates suspected state-backed involvement.
According to the researchers, the attackers demonstrated unusual patience and precision. Instead of stealing large volumes of data, the group focused on collecting very specific intelligence related to military operations and strategic cooperation with Western defense partners.
Focus on Strategic Military Intelligence
Investigators found that the attackers searched for highly sensitive documents within compromised systems. These included files related to:
- Military capabilities and operational readiness
- Organizational structures within defense agencies
- Joint exercises or collaboration with Western armed forces
- Command and communication infrastructure
Researchers noted that the attackers appeared particularly interested in systems connected to C4I frameworks—command, control, communications, computers, and intelligence—critical systems used by modern militaries.

Advanced Persistent Threat Techniques
The tactics used in the campaign resemble those typically associated with advanced persistent threat (APT) groups.
These techniques included:
- Carefully planned intrusion strategies
- Long-term unauthorized access to networks
- Custom-built malware tools
- Sophisticated evasion methods designed to avoid detection
The attackers relied on a combination of specialized malware and credential-harvesting tools to maintain their access to compromised networks.
Custom Malware Used in the Campaign
Researchers identified several tools used during the intrusions:
AppleChris – A backdoor used to maintain persistent access to infected systems.
MemFun – A modular malware tool capable of downloading additional payloads and executing commands remotely.
Getpass – A customized credential-harvesting utility based on the well-known Mimikatz tool, used to extract passwords and authentication data.
Security analysts first noticed the intrusion after detecting unusual PowerShell activity on compromised systems. In some cases, the scripts paused execution for up to six hours before reconnecting to attacker-controlled infrastructure, a delay long enough to outlast automated analysis and time-bounded detections.
Malware Communication Through Pastebin and Dropbox
One notable technique used in the operation involved retrieving command-and-control (C2) server addresses from Pastebin.
The malware fetched pastes from a shared Pastebin account; the pastes held encoded data that, once decoded, yielded the real C2 server addresses. Pastebin therefore acts as a dead-drop resolver: the attackers can rotate their infrastructure simply by editing the paste, without rebuilding or redeploying the malware.
Some variants of the AppleChris malware also used Dropbox as an alternative method to retrieve C2 server information if the Pastebin approach failed.
Researchers traced Pastebin entries linked to the campaign back to September 2020, indicating the operation has been active for several years.
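The dead-drop pattern above leaves a recognisable trace in web proxy logs: a host fetches a raw paste (or a Dropbox download) and, moments later, opens its first-ever connection to an external host it was never seen with before. The following detector is an added example written for this page, not Unit 42's code or anything from the campaign; the log format, the five-minute window, the list of dead-drop hosts and the log lines themselves are constructed assumptions.

```python
"""Flag dead-drop resolver behaviour in web proxy logs.

Pattern: a client fetches a raw paste from a dead-drop service and, within a
short window, contacts an external host it has not contacted before.
Everything below (log format, hosts, window) is a constructed assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical list of services the campaign is described as using as dead drops.
DEAD_DROP_HOSTS = {"pastebin.com", "dl.dropboxusercontent.com", "www.dropbox.com"}

# Constructed log lines: "<ISO timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 10.1.5.22 GET https://www.microsoft.com/en-us/ 200
2024-03-01T08:00:05 10.1.5.22 GET https://pastebin.com/raw/abc12345 200
2024-03-01T08:00:09 10.1.5.22 POST https://203.0.113.45:443/ 200
2024-03-01T08:30:00 10.1.5.40 GET https://pastebin.com/raw/xyz98765 200
2024-03-01T09:45:00 10.1.5.40 GET https://www.example.org/ 200
2024-03-01T10:00:00 10.1.5.41 GET https://203.0.113.45/ 200
"""


def parse_line(line):
    """Split one constructed proxy line into a dict with a parsed timestamp and host."""
    ts, client, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": urlparse(url).hostname, "url": url}


def find_dead_drop_resolvers(log_text, window=timedelta(minutes=5)):
    """Return (client, paste_url, next_host) for each client that fetches a
    dead-drop URL and then, within `window`, contacts a host it has never
    contacted before in this log. Older, already-seen hosts are ignored."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    seen = defaultdict(set)   # client -> hosts already contacted
    pending = {}              # client -> (time of dead-drop fetch, paste url)
    hits = []
    for ev in events:
        client, host = ev["client"], ev["host"]
        if host in DEAD_DROP_HOSTS:
            pending[client] = (ev["ts"], ev["url"])
        elif client in pending:
            fetch_ts, paste_url = pending[client]
            if ev["ts"] - fetch_ts > window:
                del pending[client]                 # too late to be the resolved C2
            elif host not in seen[client]:
                hits.append((client, paste_url, host))
                del pending[client]
        seen[client].add(host)
    return hits


if __name__ == "__main__":
    for client, paste, c2 in find_dead_drop_resolvers(SAMPLE_LOG):
        print(f"{client}: fetched {paste}, then first contact with {c2}")
```

In the constructed log only 10.1.5.22 is flagged: it fetches a paste and four seconds later posts to a previously unseen address. 10.1.5.40 also fetches a paste, but its next new host appears more than an hour later, outside the window. In production the "never seen before" set should be seeded from weeks of history, otherwise the first day of logs flags every host.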

How the AppleChris Backdoor Works
The AppleChris malware is typically deployed through DLL hijacking: a malicious DLL is placed where a legitimate, trusted application will load it in place of, or ahead of, the library it expects, so the backdoor runs inside that application's process.
Once installed, the backdoor can:
- Scan system drives
- List directories and files
- Upload or download data
- Delete files remotely
- Execute remote shell commands
- Launch hidden processes
Some versions of the malware also include network proxy capabilities, allowing attackers to route their traffic through infected systems.
Sandbox Evasion Techniques
To bypass automated security analysis tools, certain malware variants deliberately delay their execution.
The researchers observed that:
- Some executable files wait 30 seconds before running
- Certain DLL components delay execution for 120 seconds
These delays help the malware avoid detection by automated sandboxes that typically monitor suspicious programs for only a short period.
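The six-hour PowerShell pauses and the 30 and 120 second binary delays described above are the same evasion in two forms: the sample simply sleeps past the point at which an automated sandbox stops watching. The check below, an added example written for this page rather than anything from Unit 42 or the campaign, totals the sleep a process performs before its first network call and flags those that would outlast an assumed analysis window. The trace format, the 60 second default window and the trace records are constructed assumptions.

```python
"""Measure how long a process delays before its first network contact.

Input is a constructed, normalised trace with one record per line:
"<pid> <event> <argument>". Sleep arguments are milliseconds (Win32 Sleep);
Start-Sleep arguments are taken as typed in PowerShell.
"""
import re

SAMPLE_TRACE = """\
4120 Sleep 30000
4120 InternetConnectA pastebin.com
5204 Sleep 120000
5204 InternetConnectA pastebin.com
6312 Start-Sleep -Seconds 21600
6312 Invoke-WebRequest https://pastebin.com/raw/abc12345
7000 Sleep 500
7000 InternetConnectA update.example.org
"""

# Events treated as "the sample talked to the network" (hypothetical selection).
NETWORK_EVENTS = {"InternetConnectA", "InternetConnectW", "WSAConnect", "connect",
                  "Invoke-WebRequest", "Invoke-RestMethod", "Net.WebClient"}

# Start-Sleep forms: -Seconds N (and -s/-sec), -Milliseconds N (and -m), or bare N.
START_SLEEP = re.compile(
    r"^-(?:s|sec|seconds)\s+(\d+)$|^-(?:m|milliseconds)\s+(\d+)$|^(\d+)$", re.I)


def sleep_seconds(event, arg):
    """Convert a Sleep / Start-Sleep record to seconds; 0 for any other event."""
    if event == "Sleep":                       # Win32 Sleep(dwMilliseconds)
        return int(arg) / 1000
    if event == "Start-Sleep":
        m = START_SLEEP.match(arg.strip())
        if not m:
            return 0
        sec, ms, positional = m.groups()
        if ms:
            return int(ms) / 1000
        return int(sec or positional)         # -Seconds N or positional N
    return 0


def delay_before_first_contact(trace_text):
    """pid -> (seconds slept before the first network event, that event's target)."""
    slept, result = {}, {}
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        pid, event, arg = line.split(maxsplit=2)
        if pid in result:                      # only the delay up to first contact matters
            continue
        if event in NETWORK_EVENTS:
            result[pid] = (slept.get(pid, 0), arg)
        else:
            slept[pid] = slept.get(pid, 0) + sleep_seconds(event, arg)
    return result


def exceeds_sandbox_window(trace_text, window_seconds=60):
    """pids whose pre-contact delay would outlast an assumed analysis window."""
    return sorted(pid for pid, (delay, _) in delay_before_first_contact(trace_text).items()
                  if delay > window_seconds)


if __name__ == "__main__":
    for pid, (delay, target) in delay_before_first_contact(SAMPLE_TRACE).items():
        print(f"pid {pid}: slept {delay:g}s before contacting {target}")
    print("would evade a 60s sandbox:", exceeds_sandbox_window(SAMPLE_TRACE))
```

With the constructed trace, the 120 second DLL-style delay and the six-hour PowerShell pause exceed a 60 second window while the 30 second executable delay does not; shrink the window to 20 seconds and all three are flagged. The practical fix on the sandbox side is to accelerate or hook sleep calls rather than to lengthen the window, since an attacker can always sleep longer than any fixed budget.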
MemFun Malware Uses Multi-Stage Attack Chain
The MemFun malware operates differently from AppleChris.
It begins with an initial loader that injects malicious shellcode into memory. This shellcode launches a downloader that retrieves configuration data from Pastebin and connects to the attacker’s command server.
From there, the malware downloads a malicious DLL that activates the full backdoor functionality.
Because the final payload is downloaded dynamically, attackers can easily change or replace the malware without updating the initial loader.
This design effectively turns MemFun into a modular malware platform.

Process Hollowing and Anti-Forensics Techniques
MemFun also uses advanced stealth methods to hide its activity.
One technique is timestomping: the malware sets its own file creation timestamp to match that of the Windows system directory, so that a cursory timeline review treats it as part of the original installation rather than a recent drop.
The malware then injects its payload into a legitimate Windows process, dllhost.exe, using process hollowing: it starts a suspended instance of dllhost.exe, replaces the original code in that process's memory with the payload, and resumes execution.
The malicious code then runs under the name and path of a trusted system process, reducing the chances of detection.
Credential Theft With Customized Mimikatz Tool
The attackers also deployed a modified version of Mimikatz, renamed Getpass, to steal authentication data from compromised systems.
This tool reads the memory of the lsass.exe process (the Local Security Authority Subsystem, which caches logon secrets) and can extract sensitive information including:
- Plaintext passwords
- NTLM password hashes
- Authentication tokens
These credentials allow attackers to escalate privileges and move deeper into the target network.
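Because Getpass, like Mimikatz, has to open a handle to lsass.exe with memory-read rights, Sysmon Event ID 10 (ProcessAccess) is the usual place to catch it: the handle must carry PROCESS_VM_READ together with a query right, and the set of legitimate callers is short. The detector below is an added example written for this page, not Unit 42's rule; the allow-list, the event records and the field names are constructed assumptions modelled on Sysmon's ProcessAccess fields.

```python
"""Flag credential-dumping style handles to lsass.exe in Sysmon Event ID 10 records.

A Mimikatz-style tool needs PROCESS_VM_READ (0x0010) plus either
PROCESS_QUERY_INFORMATION (0x0400) or PROCESS_QUERY_LIMITED_INFORMATION (0x1000).
Records and the allow-list below are constructed for this example.
"""
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
LSASS = r"c:\windows\system32\lsass.exe"

# Hypothetical allow-list of images expected to read lsass memory on this estate.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Event ID 10 records (GrantedAccess is logged as a hex string).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\Public\getpass.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\Public\getpass.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1438"},
]


def is_memory_read(granted_access):
    """True if the access mask allows reading another process's memory."""
    mask = int(granted_access, 16)
    query_rights = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    return bool(mask & PROCESS_VM_READ) and bool(mask & query_rights)


def suspicious_lsass_access(events):
    """Return (SourceImage, GrantedAccess) for non-allow-listed memory reads of lsass."""
    hits = []
    for ev in events:
        if ev["TargetImage"].lower() != LSASS:
            continue
        if ev["SourceImage"].lower() in ALLOWED_SOURCE_IMAGES:
            continue
        if is_memory_read(ev["GrantedAccess"]):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for image, access in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT lsass memory read by {image} (GrantedAccess={access})")
```

In the constructed events, getpass.exe (0x1010) and the PowerShell host (0x1438) are flagged; taskmgr.exe is not, because 0x1000 alone carries no PROCESS_VM_READ, and the handle to svchost.exe is ignored. Allow-listing by path is deliberately narrow and should be backed by signature or hash checks, since an attacker who can write to disk can also rename a dumper to a trusted filename.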
Long-Term Espionage Strategy
Researchers believe the group behind CL-STA-1087 prioritized stealth and persistence over rapid attacks.
The attackers often maintained dormant access for months while quietly collecting intelligence.
According to Unit 42, the campaign demonstrates strong operational discipline and suggests the attackers were focused on strategic intelligence gathering rather than financial gain.