Dark Reading reports that China-nexus hackers skulked in Southeast Asian military organisations for years, pursuing highly targeted intelligence rather than bulk data theft. According to Palo Alto Networks' Unit 42 incident response team, the campaign, tracked as CL-STA-1087, used two previously unseen backdoors, AppleChris and MemFun, and relied on dead-drop resolvers to conceal its command-and-control (C2) infrastructure.
The activity was detected after Cortex XDR agents flagged suspicious PowerShell activity; from there, investigators traced the intrusion back to at least 2020, with the attackers holding undetected access for months at a time across multiple years. Rather than contacting C2 servers directly, the implants reportedly retrieved their C2 details from a shared Pastebin repository and a Dropbox account used as dead-drop resolvers, applying a two-stage decryption process to the posted content so that neither the hosting service nor a defender inspecting the page would see the C2 address in the clear.
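The mechanics of a dead-drop resolver and a two-stage decode are easier to reason about in code. The following Python is an added illustration written for this page; it is not code from Unit 42 and does not reproduce the AppleChris or MemFun implementation. The marker strings, the XOR-with-hash-chain keystream, the constructed paste text, the documentation-range C2 address and the hunting heuristic at the end are all assumptions chosen for the example.

```python
import base64
import hashlib
import re

# Hypothetical field format: a marker pair wrapping a base64 blob, buried in
# otherwise unremarkable text on a paste or file-sharing site.
MARKER_START = "<<cfg:"
MARKER_END = ":cfg>>"
FIELD_RE = re.compile(
    re.escape(MARKER_START) + r"([A-Za-z0-9+/=]+)" + re.escape(MARKER_END)
)


def _keystream(seed: bytes, length: int) -> bytes:
    """Hash-chain the seed into a keystream (illustrative, not the actor's scheme)."""
    out = bytearray()
    block = hashlib.sha256(seed).digest()
    while len(out) < length:
        out.extend(block)
        block = hashlib.sha256(block).digest()
    return bytes(out[:length])


def _xor(data: bytes, seed: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(seed, len(data))))


def build_dead_drop(c2: str, seed: bytes) -> str:
    """Operator side: XOR the C2 endpoint, base64 it, and embed it in innocuous text.
    This stands in for the content an operator would post to the public service."""
    blob = base64.b64encode(_xor(c2.encode("utf-8"), seed)).decode("ascii")
    return f"meeting notes\n{MARKER_START}{blob}{MARKER_END}\nreminder: renew cert\n"


def stage1_extract(page: str) -> bytes:
    """Stage 1: locate the marker-delimited field and strip the base64 layer."""
    m = FIELD_RE.search(page)
    if m is None:
        raise ValueError("no dead-drop field found in page")
    return base64.b64decode(m.group(1))


def stage2_decrypt(blob: bytes, seed: bytes) -> str:
    """Stage 2: remove the XOR layer. Only a sample carrying the seed recovers
    the C2, so a defender holding the paste alone still cannot read it."""
    return _xor(blob, seed).decode("utf-8", errors="replace")


def resolve_c2(page: str, seed: bytes) -> str:
    """What the implant does at start-up: fetch the public page, run both stages."""
    return stage2_decrypt(stage1_extract(page), seed)


# Defender side: the network traffic goes to a legitimate service, so the page
# content is the artifact to hunt on. Flag base64 runs that decode to bytes
# that are mostly non-printable, which plain text and real config rarely are.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def suspicious_fields(page: str, printable_threshold: float = 0.8) -> list[str]:
    hits = []
    for run in B64_RUN_RE.findall(page):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        printable = sum(32 <= b < 127 for b in raw) / max(len(raw), 1)
        if printable < printable_threshold:
            hits.append(run)
    return hits


if __name__ == "__main__":
    seed = b"constructed-shared-secret"  # in this model, baked into the sample
    page = build_dead_drop("https://203.0.113.10:8443/api/v2/status", seed)
    print(resolve_c2(page, seed))
    print(suspicious_fields(page))
```

The detection point this makes concrete: blocking or alerting on the C2 IP alone misses the first hop entirely, because the implant's only outbound connection at that stage is to pastebin.com or dropbox.com. Hunting therefore has to happen either on the content fetched from those services, as the heuristic above does, or on the process-level anomaly of an unexpected binary reaching them at all.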
The report highlights evasion techniques such as timestomping (altering file timestamps so that implants blend in with their surroundings) and delayed execution, and notes that the actors went after a narrow set of files about military capabilities, organisational structures, and collaborations with Western armed forces. Rochberger and Zemah of Unit 42 describe the threat as sophisticated, with a clear emphasis on patience and precision over opportunistic hacking.
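Timestomping of the kind mentioned above is usually surfaced by comparing the two timestamp sets NTFS keeps for each file. As an added example that is not from the Unit 42 report, the following Python applies the standard forensic heuristics to constructed file records: $STANDARD_INFORMATION timestamps are what SetFileTime and touch-style tools change, while $FILE_NAME timestamps are maintained by the kernel and not directly settable from user mode. The field names, the record layout and the sample paths and times are all made up for the example; in practice the records would come from an MFT parser.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class FileTimes:
    """Constructed model of the two NTFS timestamp sets an MFT parser reports."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION, user-settable
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME, kernel-maintained
    fn_modified: datetime


def timestomp_indicators(ft: FileTimes) -> list[str]:
    reasons = []
    # SI earlier than FN: the SI values were pushed back after the entry existed.
    if ft.si_created < ft.fn_created:
        reasons.append("si_created_before_fn_created")
    if ft.si_modified < ft.fn_modified:
        reasons.append("si_modified_before_fn_modified")
    # Tools that accept whole-second times leave the sub-second part at zero;
    # genuine writes almost never do. Only flag when the FN side proves this
    # file does carry fractional timestamps, to avoid flagging coarse filesystems.
    si_zero = ft.si_created.microsecond == 0 and ft.si_modified.microsecond == 0
    fn_fractional = ft.fn_created.microsecond != 0 or ft.fn_modified.microsecond != 0
    if si_zero and fn_fractional:
        reasons.append("zeroed_subsecond_si")
    return reasons


def triage(records: list[FileTimes]) -> dict[str, list[str]]:
    """Map each path that shows at least one indicator to its list of reasons."""
    return {r.path: ind for r in records if (ind := timestomp_indicators(r))}


def _t(*args: int) -> datetime:
    return datetime(*args, tzinfo=UTC)


# Constructed sample: one implant with SI times set back to 2019 on whole
# seconds, and one ordinary document whose SI and FN times agree.
SAMPLE_RECORDS = [
    FileTimes(
        path=r"C:\Windows\Temp\svc.dll",
        si_created=_t(2019, 1, 1, 0, 0, 0),
        si_modified=_t(2019, 1, 1, 0, 0, 0),
        fn_created=_t(2023, 5, 2, 14, 7, 31, 458201),
        fn_modified=_t(2023, 5, 2, 14, 7, 31, 458201),
    ),
    FileTimes(
        path=r"C:\Users\analyst\notes.txt",
        si_created=_t(2023, 5, 2, 14, 7, 31, 458201),
        si_modified=_t(2023, 5, 2, 14, 7, 31, 458201),
        fn_created=_t(2023, 5, 2, 14, 7, 31, 458201),
        fn_modified=_t(2023, 5, 2, 14, 7, 31, 458201),
    ),
]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(path, reasons)
```

One caveat a practitioner would apply: a file renamed or moved within a volume may legitimately end up with newer $FILE_NAME timestamps than its preserved $STANDARD_INFORMATION ones, so the "SI before FN" indicators are corroborating evidence rather than proof. The zeroed sub-second check and the $UsnJrnl and $LogFile records around the file are what turn a hit into a finding.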