Nation-state | Mar 17, 2026

China-Linked Hackers Hit Asian Militaries in Patient Espionage Operation

Chinese state-sponsored threat actor CL-STA-1087 has conducted a multi-year cyberespionage campaign targeting Southeast Asian military organizations since at least 2020, deploying custom backdoors and credential stealers while remaining dormant for months between activity. The attackers used tools including AppleChris and MemFun backdoors, the Getpass credential stealer, and PowerShell scripts to exfiltrate sensitive military files related to organizational structures, capabilities assessments, and Western military collaborations.

Full text

Southeast Asian military organizations have been targeted in a China-linked cyberespionage campaign running for years, Palo Alto Networks reports.

Likely ongoing since at least 2020 and attributed to a state-sponsored threat actor tracked as CL-STA-1087, the activity shows a high degree of patience, as the attackers stayed dormant in the compromised environments for months.

“The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces,” Palo Alto Networks notes.

As part of the observed intrusions, the hackers deployed custom tools, such as the AppleChris and MemFun backdoors and the Getpass credential stealer, and executed malicious PowerShell scripts remotely on multiple infected systems.

While the initial infection vector has not been identified, Palo Alto Networks determined that, in at least one instance, CL-STA-1087 had access to an organization’s environment for months before resuming its operations.

The attackers deployed PowerShell scripts designed to create reverse shells to a command-and-control (C&C) server and used the access to drop the AppleChris backdoor. Next, they relied on WMI and native Windows .NET commands to infect domain controllers, web servers, IT workstations, and executive-level systems.

As part of the renewed activity, the Chinese spies created a new service for persistence and payload execution, and stored a malicious DLL in the System32 folder, abusing DLL hijacking to load it via a shadow copy service.

Following lateral movement, the hackers started searching for sensitive files such as official meeting records, assessments of operational capabilities, and details of joint military activities.
“The attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems,” Palo Alto Networks explains.

CL-STA-1087’s tools and the China connection

The threat actor deployed multiple variants of the AppleChris backdoor: an earlier development iteration that used a Dropbox account and a Pastebin as the dead drop resolvers, and a Tunneler variant relying only on Pastebin but adding advanced network proxy capabilities.

The backdoor dynamically resolves its C&C server’s IP address to receive commands, allowing it to enumerate drives, list directories, download/upload/delete files, enumerate processes, execute shell commands remotely, and create processes.

In addition to AppleChris, the hackers deployed MemFun, a multi-stage malware family that relies on reflective DLL loading for the execution of the main backdoor. Furthermore, they were seen deploying Getpass, a custom version of Mimikatz targeting 10 specific Windows authentication packages for credential harvesting.

Based on Pastebin creation dates and the compilation timestamps of the analyzed malware, Palo Alto Networks believes that the espionage group has been active since at least 2020.

“Our analysis suggests that the attackers maintained communication with multiple compromised networks over an extended period, leveraging Pastebin and Dropbox for C&C distribution. Evidence suggests the threat actor behind the activity cluster continues to update their Dropbox account with updated infrastructure files,” the cybersecurity firm notes.

Palo Alto Networks’ investigation also revealed that the attackers’ operational schedule aligns with a UTC+8 time zone schedule, which represents the typical office hours across China and other Asian regions.
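The intrusion chain described above (PowerShell executed remotely through WMI, a new service loading a non-Microsoft-signed DLL out of System32, and a backdoor resolving its C&C address through Pastebin or Dropbox) as hunt logic run over constructed telemetry. This is an added example, not code from the Palo Alto Networks report or from SecurityWeek; the record layout, the field names (`image`, `parent`, `service_dll`, `signer`, `dest_host`), the sample events and the rule names are assumptions of this illustration.

```python
"""Hunt rules for three behaviours in the CL-STA-1087 write-up: WMI-launched
PowerShell, a service whose DLL lives in System32 without a Microsoft
signature, and a non-browser process fetching from a dead-drop host.

Added illustration only: record layout, field names and sample events are
constructed here and are not taken from the report or from real telemetry.
"""
import json
from pathlib import PureWindowsPath

# Constructed sample telemetry in JSON-lines form, loosely modelled on
# process-creation, service-install and web-proxy records.
SAMPLE_EVENTS = r'''
{"type": "process", "host": "DC01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "cmdline": "powershell -nop -w hidden -enc <base64 placeholder>"}
{"type": "process", "host": "WS07", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell Get-ChildItem"}
{"type": "service", "host": "WEB02", "service_name": "ExampleUpdaterSvc", "service_dll": "C:\\Windows\\System32\\example_sideloaded.dll", "signer": ""}
{"type": "service", "host": "WS07", "service_name": "ExampleLegitSvc", "service_dll": "C:\\Windows\\System32\\example_legit.dll", "signer": "Microsoft Windows"}
{"type": "proxy", "host": "WEB02", "process": "C:\\Windows\\System32\\svchost.exe", "dest_host": "pastebin.com", "uri": "/raw/EXAMPLEID"}
{"type": "proxy", "host": "WS07", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "pastebin.com", "uri": "/"}
'''

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
DEAD_DROP_HOSTS = {"pastebin.com", "dropbox.com", "dropboxapi.com"}
SYSTEM32 = "c:\\windows\\system32\\"


def load_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'wmiprvse.exe'."""
    return PureWindowsPath(path).name.lower()


def wmi_spawned_powershell(ev: dict) -> bool:
    """T1047 shape: the WMI provider host launching PowerShell, which is what
    remotely executed scripts look like on the receiving machine."""
    return (ev.get("type") == "process"
            and image_name(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and image_name(ev["parent"]) == "wmiprvse.exe")


def unsigned_service_dll_in_system32(ev: dict) -> bool:
    """A newly installed service whose DLL sits in System32 but carries no
    Microsoft signature: the persistence-plus-DLL-hijack pattern above."""
    if ev.get("type") != "service":
        return False
    dll = ev.get("service_dll", "").lower()
    return dll.startswith(SYSTEM32) and ev.get("signer") != "Microsoft Windows"


def dead_drop_lookup_from_non_browser(ev: dict) -> bool:
    """A non-browser process reaching Pastebin or Dropbox, matching the
    dead-drop-resolver step the backdoor uses to learn its C&C address."""
    if ev.get("type") != "proxy":
        return False
    dest = ev.get("dest_host", "").lower()
    on_dead_drop = any(dest == h or dest.endswith("." + h) for h in DEAD_DROP_HOSTS)
    return on_dead_drop and image_name(ev["process"]) not in BROWSERS


RULES = (wmi_spawned_powershell,
         unsigned_service_dll_in_system32,
         dead_drop_lookup_from_non_browser)


def hunt(events: list[dict]) -> list[dict]:
    """Run every rule over every event; one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                findings.append({"host": ev["host"], "rule": rule.__name__,
                                 "detail": {k: v for k, v in ev.items() if k != "type"}})
    return findings


if __name__ == "__main__":
    for f in hunt(load_events(SAMPLE_EVENTS)):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

The signature check is the load-bearing part of the service rule: a DLL placed in System32 looks ordinary by path alone, so the rule needs a file-inventory source that records the signer, and in a real deployment the `signer` field would come from that inventory rather than from the service-install event itself.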
The targeting of military organizations in Southeast Asia, the use of China-based cloud network infrastructure, and the use of Simplified Chinese on a login page for a C&C server suggest that the state-sponsored group behind this campaign is likely operating out of China, Palo Alto Networks says.

Related: Google Disrupts Chinese Hackers Targeting Telecoms, Governments
Related: Taiwan Security Firm Confirms Flaw Flagged by CISA Likely Exploited by Chinese APTs
Related: Dell RecoverPoint Zero-Day Exploited by Chinese Cyberespionage Group
Related: Singapore: Rootkits, Zero-Day Used in Chinese Attack on Major Telecom Firms

Written By Ionut Arghire

Ionut Arghire is an international correspondent for SecurityWeek.

Indicators of Compromise

  • malware — AppleChris
  • malware — MemFun
  • malware — Getpass
  • mitre_attack — T1547.010
  • mitre_attack — T1047
  • mitre_attack — T1086