Palo Alto Networks says a China-linked espionage group tracked as CL-STA-1087 has run a long-term campaign against Southeast Asian military organizations, quietly harvesting sensitive files related to military structure and C4I systems. The attackers deployed custom tools including AppleChris, MemFun, and Getpass, abused PowerShell, WMI, and DLL hijacking, and used Pastebin and Dropbox for C2, maintaining months-long persistence with a UTC+8 operational pattern. #CL-STA-1087 #AppleChris
Key points
- State-linked actor CL-STA-1087 has targeted Southeast Asian military organizations since at least 2020.
- Attackers focused on sensitive files about military capabilities, organizational structure, and joint operations.
- Custom malware families AppleChris, MemFun, and the Getpass credential stealer were deployed across multiple systems.
- Intrusions used PowerShell, WMI, reflective DLL loading, and DLL hijacking, with Pastebin and Dropbox used for C2 distribution.
- Operators showed months-long dormancy, UTC+8 activity timing, and evidence tying infrastructure and language to China.