CL-STA-1087 targets military capabilities since 2020
2026-3-17 12:1:59 Author: securityaffairs.com


China-linked APT group CL-STA-1087 has targeted Southeast Asian militaries since 2020 using AppleChris and MemFun.

A suspected China-linked espionage campaign, tracked as CL-STA-1087, has targeted Southeast Asian military organizations since at least 2020, using AppleChris and MemFun malware.

“The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures and collaborative efforts with Western armed forces,” reads the report published by Palo Alto Networks. “The objective-oriented tool set used in the malicious activity includes several newly discovered assets: the AppleChris and MemFun backdoors, and a custom Getpass credential harvester.”

Cortex XDR detected suspicious PowerShell activity revealing a long-term intrusion. The cyber spies maintained persistence on an unmanaged endpoint, using scripts to create reverse shells to multiple C2 servers. The threat actors remained dormant for months before resuming operations, spreading the AppleChris backdoor via WMI and .NET commands to critical servers, workstations, and executive assets. Attackers employed DLL hijacking and multiple malware variants to evade detection.
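The two host-side behaviours in that paragraph, PowerShell opening an outbound socket for a reverse shell and process creation driven through WMI, are the kind of telemetry an EDR such as Cortex XDR keys on. The following hunt over process-creation records is an added example written for this article; it is not code from Palo Alto Networks or Security Affairs. The Sysmon-style field names, the regex patterns, the sample command lines and the hostnames and addresses are all constructed assumptions, not indicators from the report.

```python
"""Hunt constructed process-creation records (Sysmon Event ID 1 style) for
PowerShell reverse shells and WMI-driven process creation. Field names,
patterns and sample values are assumptions made for this example."""
import re
from typing import Dict, List

# .NET socket primitives a PowerShell reverse shell has to touch (assumed list).
REVERSE_SHELL_PATTERNS = [
    re.compile(r"net\.sockets\.tcpclient", re.I),
    re.compile(r"new-object\s+system\.net\.sockets", re.I),
]

# Source-side remote process creation over WMI (assumed list).
WMI_REMOTE_CREATE_PATTERNS = [
    re.compile(r"process\s+call\s+create", re.I),               # wmic ... process call create
    re.compile(r"invoke-(wmi|cim)method\b.*win32_process", re.I),  # PowerShell WMI/CIM cmdlets
]

# On the receiving host, WMI-created processes are children of WmiPrvSE.exe.
WMI_PARENTS = {"wmiprvse.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one process-creation event."""
    findings: List[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    if image in {"powershell.exe", "pwsh.exe"}:
        if any(p.search(cmd) for p in REVERSE_SHELL_PATTERNS):
            findings.append("powershell_reverse_shell")
    if any(p.search(cmd) for p in WMI_REMOTE_CREATE_PATTERNS):
        findings.append("wmi_remote_process_create")
    if parent in WMI_PARENTS:
        findings.append("wmi_spawned_process")
    return findings


def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event's index to its findings, omitting clean events."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            result[i] = tags
    return result


# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    {   # reverse shell: PowerShell dialling out over a raw TCP socket
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"$c = New-Object Net.Sockets.TCPClient('203.0.113.10', 443)\"",
    },
    {   # target side of WMI lateral movement: child of WmiPrvSE.exe
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /c rundll32.exe C:\Windows\Temp\payload.dll,Start",
    },
    {   # source side of WMI lateral movement: remote Win32_Process.Create
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -c \"Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName SRV01 -ArgumentList 'rundll32.exe C:\\Windows\\Temp\\payload.dll,Start'\"",
    },
    {   # benign administrative PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -c Get-ChildItem C:\Users",
    },
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS).items():
        print(idx, tags)
```

The parent-process check is the most robust of the three: a command line can be obfuscated, but a process created through WMI on the receiving host is always a child of WmiPrvSE.exe, so that tag is worth alerting on whenever the child is a shell or script host.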

After gaining persistence, attackers collected highly sensitive files on military operations, organizational structure, and C4I systems. They deployed two backdoors, AppleChris and MemFun, both using custom HTTP verbs and a dead drop resolver (DDR) via Pastebin to dynamically reach C2 servers. According to the researchers, AppleChris evolved from the Dropbox variant into the more capable Tunneler variant, employing DLL hijacking, sandbox evasion, and delayed execution to evade detection. It resolves C2 addresses through encrypted Pastebin content, generates unique session IDs tied to host info, and executes commands for file access, remote shells, process control, and proxy tunneling, maintaining stealth and operational flexibility across the network.
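Both backdoors share two network traits that a proxy log exposes without any malware sample: a dead drop resolver fetch from Pastebin, and beacons that use a non-standard HTTP method. The correlation below is an added example for this article, not Palo Alto Networks' or Security Affairs' code. The log format, the hostnames, the paste paths, the "RESOLVE" verb and the 203.0.113.45 address are constructed; the report does not disclose which custom verbs the malware uses, so the check is simply "any method outside the standard set".

```python
"""Correlate constructed web-proxy log lines: a Pastebin raw fetch (dead drop
resolver) followed by a request with a non-standard HTTP method marks a
likely beacon, and its destination is then used to pivot to other hosts.
Log format, hosts, verbs and addresses are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlparse

STANDARD_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}
DDR_HOSTS = {"pastebin.com"}          # dead drop resolver services named in the article
CORRELATION_WINDOW = timedelta(hours=6)

# Constructed sample: "<timestamp> <host> <method> <url> <status>"
SAMPLE_LOG = """\
2026-03-10T08:01:12 WS-014 GET https://pastebin.com/raw/AbCdEf12 200
2026-03-10T08:01:40 WS-014 RESOLVE http://203.0.113.45/api/update 200
2026-03-10T08:03:05 WS-014 GET https://www.microsoft.com/en-us/ 200
2026-03-10T09:15:00 WS-022 GET https://pastebin.com/raw/ZyXwVu98 200
2026-03-11T10:00:00 WS-031 POST https://intranet.example.local/upload 200
2026-03-11T10:02:30 WS-031 GET http://203.0.113.45/api/update 200
"""


def parse(line: str) -> Dict:
    """Split one log line into typed fields."""
    ts, host, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "method": method.upper(), "url": url, "status": int(status)}


def _is_ddr_fetch(url: str) -> bool:
    u = urlparse(url)
    return u.netloc in DDR_HOSTS and u.path.startswith("/raw/")


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Return detection tags per host; hosts without findings are omitted."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    by_host: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    tags: Dict[str, set] = defaultdict(set)
    c2_destinations = set()
    for host, evs in by_host.items():
        ddr = [e for e in evs if _is_ddr_fetch(e["url"])]
        custom = [e for e in evs if e["method"] not in STANDARD_METHODS]
        if ddr:
            tags[host].add("ddr_fetch")
        if custom:
            tags[host].add("custom_http_method")
        # A custom-verb request shortly after the DDR fetch is the beacon to
        # the C2 address the paste resolved to; remember that destination.
        for c in custom:
            for d in ddr:
                if timedelta(0) <= c["ts"] - d["ts"] <= CORRELATION_WINDOW:
                    tags[host].add("ddr_then_custom_beacon")
                    c2_destinations.add(urlparse(c["url"]).netloc)

    # Pivot: any other host talking to a destination identified above.
    for host, evs in by_host.items():
        if "ddr_then_custom_beacon" in tags[host]:
            continue
        if any(urlparse(e["url"]).netloc in c2_destinations for e in evs):
            tags[host].add("shares_c2_destination")

    return {h: sorted(t) for h, t in tags.items() if t}


if __name__ == "__main__":
    for host, found in analyze(SAMPLE_LOG).items():
        print(host, found)
```

On the constructed log, WS-014 carries the full chain, WS-022 only the resolver fetch (worth a look, since the beacon may have used a standard verb or gone direct), and WS-031 never touched Pastebin but reached the same destination, which is how the multiple C2 addresses of a segmented infrastructure surface across an estate.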

CL-STA-1087 also used a modular, multi-stage backdoor dubbed MemFun, which consists of the GoogleUpdate.exe loader, an in-memory downloader, and a final DLL payload retrieved from the C2 server. It runs entirely in memory, using process hollowing, reflective DLL loading, and anti-forensic techniques like timestomping and memory zeroing.

The loader communicates with the C2 via custom HTTP commands, using session-specific Blowfish encryption to securely retrieve and execute the final MemFun payload, enabling stealthy, flexible operations without leaving artifacts on the disk.

Attackers also used Getpass, a custom Mimikatz DLL, masquerading as a Palo Alto tool, which automatically harvests credentials from 10 Windows authentication packages by accessing lsass.exe memory. Stolen data is logged to WinSAT.db. The attackers’ infrastructure, active since 2020, uses multiple C2 IPs via Pastebin and Dropbox for scalable, segmented operations. AppleChris variants remain functional, showing long-term, persistent control and ongoing updates to their C2 infrastructure.
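Reading lsass.exe memory requires a process handle with read rights, which Sysmon records as a ProcessAccess event (ID 10), and the harvested output lands in a file name the report gives, WinSAT.db. The triage below is an added example for this article, not code from Palo Alto Networks or Security Affairs. The allowlist of legitimate lsass readers, the sample events and the rundll32 host process are assumptions; the access-mask constants are the documented Windows values.

```python
"""Triage constructed Sysmon-style events for credential harvesting from
lsass.exe: Event ID 10 (ProcessAccess) with memory-read rights from an
unexpected image, and Event ID 11 (FileCreate) of WinSAT.db, the output
file named in the report. Allowlist and sample events are assumptions."""
from typing import Dict, List, Optional

# Windows process access rights (documented constants).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

# Images that legitimately open lsass with read rights on a typical host.
# Assumed baseline for this example; tune it against your own telemetry.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

HARVESTER_OUTPUT_NAME = "winsat.db"   # file name reported for the Getpass log


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def assess_process_access(ev: Dict) -> Optional[Dict]:
    """Flag a non-allowlisted image that opened lsass.exe with VM_READ."""
    if _basename(ev["TargetImage"]) != "lsass.exe":
        return None
    access = int(ev["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return None                      # query-only handles are routine
    if _norm(ev["SourceImage"]) in LSASS_READERS_ALLOWED:
        return None
    # Write access on top of read suggests injection rather than dumping.
    severity = "high" if access & PROCESS_VM_WRITE else "medium"
    return {"rule": "lsass_memory_read", "source": ev["SourceImage"],
            "granted_access": hex(access), "severity": severity}


def assess_file_create(ev: Dict) -> Optional[Dict]:
    """Flag creation of the harvester's output file wherever it appears."""
    if _basename(ev["TargetFilename"]) == HARVESTER_OUTPUT_NAME:
        return {"rule": "winsat_db_written", "source": ev["Image"],
                "path": ev["TargetFilename"], "severity": "high"}
    return None


def triage(events: List[Dict]) -> List[Dict]:
    """Run the matching assessor for each event and collect the hits."""
    hits = []
    for ev in events:
        if ev["EventID"] == 10:
            hit = assess_process_access(ev)
        elif ev["EventID"] == 11:
            hit = assess_file_create(ev)
        else:
            hit = None
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events (not from the report).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",   # hosting the harvester DLL
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\ProgramData\WinSAT.db"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The masquerade described in the article (a DLL posing as a vendor tool) does not change the signal: whatever the DLL is called, the handle to lsass is opened by the hosting process, so the SourceImage field and the access mask are what to alert on, with the file name as corroboration.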

The researchers collected multiple pieces of evidence that demonstrate the activity was conducted by a China-nexus actor.

“The activity cluster CL-STA-1087 is a suspected espionage campaign operating out of China and targeting military organizations across Southeast Asia,” concludes the report. “The threat actor behind the cluster demonstrated operational patience and security awareness.”


Pierluigi Paganini

(SecurityAffairs – hacking, China)

Source: https://securityaffairs.com/189553/apt/cl-sta-1087-targets-military-capabilities-since-2020.html