Unit 42 researchers designate a cluster named CL-STA-1087 as a suspected China-based espionage operation targeting military organisations in Southeast Asia, with activity traced back to at least 2020. The campaign is characterised by patience, precise intelligence collection and the use of custom tools, including two backdoors named AppleChris and MemFun, plus a custom credential harvester called Getpass.
AppleChris and MemFun are deployed through persistent intrusions that leverage DLL hijacking, shadow copy service persistence and a dead drop resolver technique to reach shared C2 infrastructure hosted on Pastebin and Dropbox. MemFun operates as an in-memory, multi-stage downloader, while Getpass extracts credentials from lsass[.]exe memory, masquerading as a legitimate Palo Alto Networks tool under the Cyvera directory.
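Two of the behaviours above are directly huntable in endpoint telemetry: a non-standard binary opening lsass.exe (the Getpass pattern, including the Palo Alto Networks masquerade), and a non-browser process resolving the dead-drop hosts (Pastebin, Dropbox). The following is an added detection example written for this summary, not code from Unit 42 or from the report; it runs over constructed Sysmon-style JSON events (EventID 10 ProcessAccess, EventID 22 DNSEvent). The allowlists, the `Signature` enrichment field and the sample paths (including the `C:\ProgramData\Cyvera\tool.exe` placeholder) are assumptions to tune per estate, not indicators from the report.

```python
"""Hunt Sysmon-style JSON events for two CL-STA-1087-like behaviours:
credential access against lsass.exe from an unexpected binary, and
dead-drop resolver lookups (Pastebin / Dropbox) from non-browser processes."""
import json

# Processes that legitimately open lsass.exe on most hosts (assumption: tune per estate).
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
# Services named in the summary as dead-drop resolver hosts.
DEAD_DROP_DOMAINS = ("pastebin.com", "dropbox.com", "dropboxusercontent.com")
# Processes expected to talk to those services (assumption: tune per estate).
DEAD_DROP_ALLOWLIST = {
    r"c:\program files\dropbox\client\dropbox.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}


def check_lsass_access(ev):
    """Sysmon EventID 10: some process opened a handle to lsass.exe."""
    if ev.get("EventID") != 10:
        return None
    target = ev.get("TargetImage", "").lower()
    source = ev.get("SourceImage", "").lower()
    if not target.endswith("\\lsass.exe") or source in LSASS_ACCESS_ALLOWLIST:
        return None
    reason = "lsass.exe accessed by non-allowlisted process"
    # Masquerade heuristic: a Cyvera/Palo Alto-looking path whose binary is not
    # signed by Palo Alto Networks. 'Signature' is an assumed enrichment field
    # (e.g. joined from the EventID 1 process-creation record), not native to EventID 10.
    signer = ev.get("Signature", "").lower()
    if "cyvera" in source and "palo alto networks" not in signer:
        reason += "; path suggests a Palo Alto Networks tool but signer does not match"
    return {"rule": "lsass_access", "image": source, "reason": reason}


def check_dead_drop(ev):
    """Sysmon EventID 22: DNS query for a dead-drop host from a non-browser process."""
    if ev.get("EventID") != 22:
        return None
    query = ev.get("QueryName", "").lower()
    image = ev.get("Image", "").lower()
    if not any(query == d or query.endswith("." + d) for d in DEAD_DROP_DOMAINS):
        return None
    if image in DEAD_DROP_ALLOWLIST:
        return None
    return {"rule": "dead_drop_lookup", "image": image,
            "reason": f"DNS query for {query} from non-allowlisted process"}


CHECKS = (check_lsass_access, check_dead_drop)


def hunt(json_lines):
    """Run every check over newline-delimited JSON events; return the findings in order."""
    findings = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the hunt
        for check in CHECKS:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real events): one masquerading lsass access,
# one benign lsass access, one dead-drop lookup, one benign Dropbox lookup, one unrelated event.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Cyvera\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010", "Signature": ""},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 22, "Image": r"C:\Users\Public\update.exe", "QueryName": "pastebin.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.dropbox.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], f["image"], "-", f["reason"])
```

The two checks are deliberately independent so either can be dropped into an existing pipeline; in practice the lsass rule should also key on the `GrantedAccess` mask and the DNS rule on process ancestry, both of which the constructed events carry only partially.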
The activity appears to be connected to a Chinese nexus, with C2 infrastructure and authentication pages showing Simplified Chinese and a China-based cloud network, and operations notably aligning with UTC+8 business hours. According to Unit 42, the backdoors and Getpass together enable data collection on highly targeted military information, including details on military capabilities and organisational structures.