Palo Alto Networks Unit 42 says a suspected China-based, state-sponsored espionage campaign tracked as CL-STA-1087 has targeted Southeast Asian military organizations since at least 2020, focusing on precise intelligence collection rather than bulk theft. The operators deployed the custom backdoors AppleChris and MemFun, the credential harvester Getpass, and Pastebin/Dropbox-based C2 resolution, while using DLL hijacking, process hollowing, delayed execution, and other evasion techniques to maintain long-term, stealthy access. #AppleChris #MemFun
Keypoints
- The cluster tracked as CL-STA-1087 is a suspected China-based, state-sponsored espionage campaign targeting Southeast Asian military organizations.
- Operators prioritized targeted intelligence collection on C4I systems, organizational structures, and joint military activities over mass data exfiltration.
- Malware observed includes the backdoors AppleChris and MemFun and the credential stealer Getpass, which harvests plaintext passwords and NTLM hashes.
- Threat actors used Pastebin (with Dropbox as a fallback) as a dead-drop resolver to retrieve Base64-encoded C2 addresses, and relied on DLL hijacking, process hollowing, and delayed execution to evade detection.
- MemFun functions as a modular, runtime-delivered platform enabling flexible payloads and sustained stealthy access across compromised hosts.
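The Pastebin/Dropbox dead-drop pattern above is something a defender can hunt for in proxy logs: a client fetches a paste or a Dropbox file whose body is Base64 that decodes to a host:port locator, and a client that hits both services in quick succession matches the fallback behaviour described. The script below is an added example written for this page, not code from Unit 42 or The Hacker News; the log format, the `DEAD_DROP_HOSTS` list, the captured response bodies, and every address in the sample data are constructed assumptions, not indicators from the report.

```python
"""Hunt for dead-drop resolver activity: clients fetching Base64-encoded C2
locators from Pastebin, with Dropbox as a fallback.
Added example for this page; log format, host list and sample data are
constructed assumptions, not indicators from the Unit 42 report."""
import base64
import binascii
import re
from collections import defaultdict

# Hosts that commonly serve as dead-drop storage (assumption: tune to your environment).
DEAD_DROP_HOSTS = {
    "pastebin.com": "pastebin",
    "dl.dropboxusercontent.com": "dropbox",
    "www.dropbox.com": "dropbox",
}

# Assumed proxy log layout: "<timestamp> <client_ip> <host> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# A decoded locator such as 203.0.113.10:443 or c2.example.net:8443
C2_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+\.[A-Za-z]{2,}):\d{1,5}$")


def parse_log_line(line):
    """Split one proxy log line into fields; return None for lines that don't fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, method, path, status = m.groups()
    return {"ts": ts, "client": client, "host": host,
            "method": method, "path": path, "status": int(status)}


def decode_c2_locator(body):
    """Return host:port if the response body is Base64 wrapping a C2 locator, else None."""
    try:
        decoded = base64.b64decode(body.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    decoded = decoded.strip()
    return decoded if C2_RE.match(decoded) else None


def find_dead_drop_resolvers(log_lines, fetched_bodies):
    """log_lines: proxy log lines; fetched_bodies: {path: response body the proxy captured}.
    Returns one alert per client that pulled a decodable locator, flagging whether the
    client also touched the Dropbox fallback."""
    per_client = defaultdict(lambda: {"services": set(), "c2": set()})
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["host"] not in DEAD_DROP_HOSTS:
            continue
        per_client[rec["client"]]["services"].add(DEAD_DROP_HOSTS[rec["host"]])
        body = fetched_bodies.get(rec["path"])
        if body is None:
            continue
        c2 = decode_c2_locator(body)
        if c2:
            per_client[rec["client"]]["c2"].add(c2)
    alerts = []
    for client, info in sorted(per_client.items()):
        if not info["c2"]:
            continue  # benign paste/Dropbox traffic: nothing decoded to a locator
        alerts.append({
            "client": client,
            "c2_locators": sorted(info["c2"]),
            "fallback_used": {"pastebin", "dropbox"} <= info["services"],
        })
    return alerts


# Constructed sample data: one host that resolves a primary and a fallback locator,
# one host that fetched an ordinary paste, and one unrelated request.
SAMPLE_LOGS = [
    "2026-03-01T10:00:01Z 10.0.0.5 pastebin.com GET /raw/aB3dE9xQ 200",
    "2026-03-01T10:00:04Z 10.0.0.5 dl.dropboxusercontent.com GET /s/xyz123/cfg.txt 200",
    "2026-03-01T10:01:00Z 10.0.0.7 pastebin.com GET /raw/recipe42 200",
    "2026-03-01T10:02:00Z 10.0.0.9 www.example.com GET /index.html 200",
]
SAMPLE_BODIES = {
    "/raw/aB3dE9xQ": base64.b64encode(b"203.0.113.10:443").decode(),
    "/s/xyz123/cfg.txt": base64.b64encode(b"c2-backup.example.net:8443").decode(),
    "/raw/recipe42": "Grandma's cookie recipe: 2 cups flour",
}

if __name__ == "__main__":
    for alert in find_dead_drop_resolvers(SAMPLE_LOGS, SAMPLE_BODIES):
        print(alert)
```

The strict `validate=True` decode plus the locator regex keeps ordinary paste traffic from alerting; only bodies that are clean Base64 and decode to a host:port shape are treated as resolver hits. Running the sample yields a single alert for 10.0.0.5 listing both locators with `fallback_used` set, while the recipe paste and the unrelated request produce nothing.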
Read More: https://thehackernews.com/2026/03/chinese-hackers-target-southeast-asian.html