A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations as part of a state-sponsored campaign dating back to at least 2020.
Palo Alto Networks Unit 42 is tracking the activity under the alias CL-STA-1087, where CL refers to "cluster" and STA denotes a state-sponsored motivation.
Security researchers Lior Rochberger and Yoav Zemah said, “The activity focused on highly targeted intelligence collection rather than strategic operational patience and wholesale data theft.” “The attackers behind this group actively searched for and collected highly specific files related to military capabilities, organizational structures, and collaborative efforts with Western armed forces.”
The campaign exhibits hallmarks typically associated with advanced persistent threat (APT) operations, including carefully crafted delivery methods, defense evasion strategies, highly stable operational infrastructure, and custom payload deployments designed to support sustained unauthorized access to compromised systems.
Tools used in the activity include two backdoors called AppleChris and MemFun and a credential harvester called GetPass.
The cybersecurity vendor said it discovered the intrusion set after identifying a suspicious PowerShell execution in which the script entered a dormant state for six hours and then opened a reverse shell to a threat actor-controlled command-and-control (C2) server. The exact initial access vector used in the attack remains unknown.
The infection sequence involves the deployment of AppleChris, various versions of which are dropped onto target endpoints after lateral movement to maintain persistence and avoid signature-based detection. Threat actors have also been observed conducting searches related to official meeting records, joint military activities, and detailed assessments of operational capabilities.
“The attackers showed particular interest in files related to military organizational structures and tactics, including command, control, communications, computers and intelligence (C4I) systems,” the researchers said.
Both the AppleChris variant and MemFun are designed to access a shared pastebin account, which acts as a dead drop resolver from which the malware fetches the actual C2 address, stored in Base64-encoded form. One version of AppleChris also relies on Dropbox to retrieve the C2 information, using the pastebin-based approach as a fallback option. The pastebin paste dates back to September 2020.
Launched via DLL hijacking, AppleChris initiates contact with the C2 server to receive commands that allow it to perform drive enumeration, directory listing, file upload/download/delete, process enumeration, remote shell execution, and silent process creation.
The second Tunneler variant represents an evolution of its predecessor by using only pastebin to obtain a C2 address, in addition to introducing advanced network proxy capabilities.
“To bypass automated security systems, some malware variants adopt sandbox evasion tactics at runtime,” Unit 42 said. “These variants trigger delayed execution via sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively eliminating the typical monitoring window of automated sandboxes.”
MemFun is launched through a multi-stage chain: an initial loader injects shellcode responsible for launching an in-memory downloader, whose main purpose is to obtain the C2 configuration from the pastebin, communicate with the C2 server, and retrieve a DLL, which, in turn, triggers execution of the backdoor.
Since the DLL is obtained from C2 at runtime, it gives threat actors the ability to easily distribute other payloads without changing anything. This behavior turns MemFun into a modular malware platform unlike static backdoors like AppleChris.
MemFun’s execution begins with a dropper that runs anti-forensics checks before changing its own file creation timestamp to match the creation time of the Windows system directory. Next, it injects the main payload into the memory of a suspended process associated with “dllhost.exe” using a technique called process hollowing.
In doing so, the malware runs under the guise of a legitimate Windows process to fly under the radar and avoid leaving additional artifacts on the disk.
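The timestamp cloning described above leaves a huntable artifact: a file outside the Windows directory whose creation time is identical, to the sub-second, to that of the system directory. The following added example (not code from the Unit 42 report) runs that check over a constructed file inventory; the paths, timestamps and the `FileRecord` structure are assumptions standing in for what a forensic timeline or EDR export would provide.

```python
"""Hunt for files whose creation timestamp was cloned from the Windows system directory."""
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime   # NTFS $STANDARD_INFORMATION creation time (UTC)
    modified: datetime  # last write time (UTC)


# Constructed sample: creation time of C:\Windows\System32 on the host under review.
SYSTEM_DIR_CREATED = datetime(2021, 6, 5, 12, 0, 30, 412345, tzinfo=timezone.utc)


def _under_windows(path: str) -> bool:
    """True for paths beneath <drive>:\\Windows, where OS files legitimately share the install-time stamp."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] == "windows"


def find_cloned_creation_times(records: Iterable[FileRecord],
                               reference_created: datetime) -> List[Tuple[str, str]]:
    """Return (path, reason) for files outside the Windows directory whose creation
    timestamp exactly equals the system directory's creation timestamp.
    The comparison is exact: a value matching only to the second is a coincidence, not a clone."""
    hits = []
    for rec in records:
        if _under_windows(rec.path):
            continue
        if rec.created == reference_created:
            gap_days = (rec.modified - rec.created).days
            hits.append((rec.path, f"creation time cloned from system directory; written {gap_days} days later"))
    return hits


def sample_records() -> List[FileRecord]:
    """Constructed inventory: one OS file, one backdated drop, two benign user-land files."""
    utc = timezone.utc
    return [
        FileRecord(r"C:\Windows\System32\kernel32.dll", SYSTEM_DIR_CREATED, datetime(2023, 9, 1, tzinfo=utc)),
        FileRecord(r"C:\Users\Public\Libraries\update.dll", SYSTEM_DIR_CREATED, datetime(2024, 3, 14, 8, 2, tzinfo=utc)),
        FileRecord(r"C:\ProgramData\vendor\tool.dll", datetime(2024, 2, 1, tzinfo=utc), datetime(2024, 2, 1, tzinfo=utc)),
        # Same second as the system directory but different sub-second value: not a clone.
        FileRecord(r"C:\Temp\agent.dll", datetime(2021, 6, 5, 12, 0, 30, 0, tzinfo=utc), datetime(2024, 1, 1, tzinfo=utc)),
    ]


if __name__ == "__main__":
    for path, reason in find_cloned_creation_times(sample_records(), SYSTEM_DIR_CREATED):
        print(f"{path}: {reason}")
```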
The attacks also utilize a custom version of Mimikatz known as GetPass that elevates privileges and attempts to extract plaintext passwords, NTLM hashes, and authentication data directly from the “lsass.exe” process memory.
Unit 42 concluded, “The threat actor behind the cluster demonstrated operational patience and security awareness.” “They maintained passive access for months while focusing on accurate intelligence collection and implementing strong operational security measures to ensure the longevity of the campaign.”