Unit 42 uncovered CL-STA-1087, a suspected China-linked state-sponsored espionage cluster that has stealthily infiltrated and persisted in Southeast Asian military networks since at least 2020. The group practises strategic operational patience, using custom tools such as the AppleChris backdoor, the MemFun in-memory loader, and the Getpass credential harvester to target command, control, communications, computers, and intelligence (C4I) systems and collect narrowly scoped military intelligence. #CL-STA-1087 #AppleChris
Key points
- Unit 42 attributes a years-long, targeted espionage campaign to CL-STA-1087.
- The attackers prioritize objective-driven theft of C4I-related files rather than bulk data exfiltration.
- They maintain stealth and persistence using dead drop resolvers (DDR) for command-and-control lookup, timestomping, long sleep timers, and anti-forensic checks.
- Custom tooling in the campaign includes the AppleChris backdoor, MemFun in-memory loader, and Getpass credential harvester.
- Operational indicators, including activity timestamps clustered in the UTC+8 time zone and China-based infrastructure, support the assessment of a China-linked state-sponsored actor.
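The timestomping point above is the one most directly testable from disk evidence. The following is an added example (not code from the Unit 42 report and not the actor's tooling) showing three generic NTFS timestomping checks run over constructed $MFT-style records: $STANDARD_INFORMATION (SI) timestamps earlier than $FILE_NAME (FN) timestamps, SI timestamps with a zeroed sub-second fraction, and an SI creation time that predates the parent directory. The record layout, file paths, and timestamps are all assumptions made up for the illustration.

```python
"""Timestomping triage over constructed NTFS $MFT-style records.

Generic forensic heuristics (assumed here, not taken from any vendor report):
  1. SI created earlier than FN created. User-mode timestamp APIs rewrite
     only $STANDARD_INFORMATION; $FILE_NAME is maintained by the kernel on
     create/rename, so SI < FN usually means SI was rewritten after the fact.
  2. SI times with a zero sub-second component. NTFS keeps 100 ns ticks, and
     common timestomping utilities write whole seconds, which organic file
     activity rarely produces. datetime only carries microseconds, so this
     check approximates the full 100 ns fraction.
  3. SI created earlier than the parent directory's creation time.
  4. SI modified earlier than FN modified (weaker: file copies that preserve
     the source mtime also produce this, so treat it as corroborating only).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class MftRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime
    parent_created: datetime


def check_record(rec: MftRecord) -> List[str]:
    """Return the list of timestomping indicators that fire for one record."""
    findings: List[str] = []
    if rec.si_created < rec.fn_created:
        findings.append("si_created_before_fn_created")
    if rec.si_modified < rec.fn_modified:
        findings.append("si_modified_before_fn_modified")
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        findings.append("zero_subsecond_si_times")
    if rec.si_created < rec.parent_created:
        findings.append("si_created_before_parent_dir")
    return findings


def triage(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map each path that raised at least one indicator to its findings."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            result[rec.path] = findings
    return result


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records (hypothetical paths and times, not real evidence).
SAMPLE_RECORDS = [
    # Benign: SI and FN agree and carry realistic sub-second fractions.
    MftRecord(
        path=r"C:\Windows\System32\drivers\etc\hosts",
        si_created=_t("2021-03-14T09:12:33.412507"),
        si_modified=_t("2021-03-14T09:12:33.412507"),
        fn_created=_t("2021-03-14T09:12:33.412507"),
        fn_modified=_t("2021-03-14T09:12:33.412507"),
        parent_created=_t("2019-12-07T09:03:44.101233"),
    ),
    # Suspicious: SI pushed back to 2015 at whole-second precision while FN
    # still records the real 2023 creation, and the SI date predates its folder.
    MftRecord(
        path=r"C:\ProgramData\update\svc.dat",
        si_created=_t("2015-07-10T03:00:00"),
        si_modified=_t("2015-07-10T03:00:00"),
        fn_created=_t("2023-05-02T17:41:08.225810"),
        fn_modified=_t("2023-05-02T17:41:08.225810"),
        parent_created=_t("2019-12-07T09:03:44.101233"),
    ),
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(findings))
```

In practice the records would come from an $MFT parser that exposes both attribute sets with full 100 ns precision; the SI-before-FN and parent-directory checks are the higher-confidence signals, while zero sub-second fractions also show up on files copied from FAT volumes or packaged by some installers, so corroborate before escalating.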