thehackernews.com 3/13/2026, 6:12:40 PM · via preferred

Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware

According to Unit 42 of Palo Alto Networks, a suspected China-based cyber espionage operation has targeted Southeast Asian military organisations as part of a state-sponsored campaign dating back to at least 2020, tracked under the moniker CL-STA-1087. The threat group has used backdoors named AppleChris and MemFun, along with a credential harvester called Getpass, to breach and maintain access to victims’ networks.

In the intrusion sequence, AppleChris is deployed across endpoints after lateral movement, while MemFun acts as a modular downloader that retrieves a DLL from the C2 to trigger the backdoor. Both variants are capable of uploading to a shared Pastebin account, with Dropbox as a fallback in one version.

The researchers noted the attackers’ interest in military files related to organisational structures and C4I systems, and described the operation as involving sandbox-evading techniques, sleep delays, and reverse shells to a threat actor-controlled C2 server. Unit 42 is quoted as saying the activity demonstrated operational patience and a focus on precise intelligence collection, with dormant access maintained for months to sustain campaign longevity.


Article by CyberSIXT