GBHackers

China-Backed Hackers Target Southeast Asian Military Systems in Ongoing Spy Campaign


China-linked threat actors have been identified targeting Southeast Asian military networks in a long-running cyber espionage campaign focused on intelligence collection and operational surveillance.

The activity, tracked as CL-STA-1087, demonstrates a highly disciplined approach that combines custom malware, stealth techniques, and long-term persistence.

Rather than large-scale data theft, the attackers focus on high-value intelligence such as command structures, C4I systems, and joint military operations.

The intrusion was initially detected through suspicious PowerShell activity flagged by endpoint security tools.

According to Palo Alto Networks Unit 42, the campaign has been active since at least 2020 and primarily targets military organizations across Southeast Asia. Investigation revealed that attackers had already established persistence within an unmanaged system.

They deployed delayed execution scripts that created reverse shells connecting to multiple command-and-control (C2) servers, often using six-hour sleep intervals to evade detection.

After remaining dormant for months, the attackers reactivated access and began lateral movement.

Using Windows Management Instrumentation (WMI) and native .NET tools, they spread across domain controllers, servers, and executive workstations.

Persistence was maintained through service creation and DLL hijacking, including planting malicious libraries in the system32 directory.


The campaign relies heavily on custom-built malware, particularly two backdoors named AppleChris and MemFun.

AppleChris is deployed in multiple variants and uses a Dead Drop Resolver (DDR) technique to fetch C2 infrastructure dynamically from services like Pastebin and Dropbox.

The retrieved data is Base64-decoded and decrypted using an embedded RSA key, allowing the malware to avoid hardcoded indicators. It supports file management, process enumeration, and remote command execution via custom HTTP communication.

MemFun operates entirely in memory and follows a multi-stage infection chain. It begins with a loader disguised as a legitimate process, followed by an in-memory downloader that retrieves the final payload.

The malware uses advanced evasion techniques such as timestomping, process hollowing into dllhost.exe, and reflective DLL injection. Communication is encrypted using dynamically generated Blowfish keys, ensuring each session remains unique and difficult to detect.

To escalate access, the attackers deployed Getpass, a modified version of Mimikatz. The tool extracts credentials and NTLM hashes directly from the lsass.exe process.

Attribution and Analysis

Unlike traditional variants, Getpass operates automatically and stores stolen data in a file named WinSAT.db, mimicking a legitimate Windows database to avoid suspicion.
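As an added illustration (not code from the article or from Unit 42's report), the following Python script runs simple detection logic for three of the behaviours described above over a handful of constructed Sysmon-style events: PowerShell command lines that sleep for an hour or more before doing anything, DLLs written into System32 by a process other than a trusted servicing binary, and creation of a file named WinSAT.db. The event shape, the sample paths and the trusted-writer list are assumptions made for the example.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"Start-Sleep -Seconds 21600; . C:\\Users\\Public\\stage.ps1\""},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c \"Start-Sleep -Seconds 5; Get-Service\""},
    {"type": "file", "image": "C:\\Users\\admin\\AppData\\Local\\Temp\\update.exe",
     "target": "C:\\Windows\\System32\\version.dll"},
    {"type": "file", "image": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"type": "file", "image": "C:\\Users\\admin\\AppData\\Local\\Temp\\getpass.exe",
     "target": "C:\\ProgramData\\WinSAT.db"},
]

# Matches "Start-Sleep 3600", "Start-Sleep -s 3600" and "Start-Sleep -Seconds 3600".
SLEEP_RE = re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)
LONG_SLEEP_SECONDS = 3600  # one hour; the campaign reportedly used six-hour intervals
SYSTEM32 = "c:\\windows\\system32\\"
# Assumed allow-list of processes that legitimately write DLLs into System32.
TRUSTED_WRITERS = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\msiexec.exe",
    "c:\\windows\\system32\\tiworker.exe",
}

def classify(event):
    """Return the list of alert tags raised by one event (empty if nothing matches)."""
    tags = []
    if event["type"] == "process" and "powershell" in event["image"].lower():
        m = SLEEP_RE.search(event["cmdline"])
        if m and int(m.group(1)) >= LONG_SLEEP_SECONDS:
            tags.append("long-sleep-powershell")
    if event["type"] == "file":
        target, writer = event["target"].lower(), event["image"].lower()
        # A DLL landing in System32 from an untrusted writer is a DLL-hijacking candidate.
        if target.startswith(SYSTEM32) and target.endswith(".dll") and writer not in TRUSTED_WRITERS:
            tags.append("system32-dll-drop")
        # WinSAT.db is the output file name the article attributes to Getpass.
        if target.endswith("\\winsat.db"):
            tags.append("winsat-db-artifact")
    return tags

def scan(events):
    """Return (index, tags) for every event that raised at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits
```

Real deployments would key the DLL rule on code-signing status and the sleep rule on the parent process as well, since an allow-list by path alone is easy to bypass.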

The attackers demonstrated strong operational discipline by maintaining long-term access, often pausing activity for extended periods before resuming operations aligned with specific intelligence objectives.

While no specific threat group has been confirmed, several indicators suggest a China-linked origin. These include activity patterns aligned with UTC+8 working hours, use of China-based infrastructure, and Simplified Chinese language artifacts within the environment.

Security analysts assess the campaign as a mature espionage operation designed for stealth and persistence.

Its reliance on custom tooling, encrypted communication channels, and in-memory execution reflects a broader trend in advanced threat activity aimed at maintaining prolonged access to sensitive military networks without detection.
