securityaffairs.com 3/17/2026, 1:12:07 PM · via preferred

CL-STA-1087 targets military capabilities since 2020

A China-nexus espionage cluster tracked as CL-STA-1087 has targeted Southeast Asian military organisations since at least 2020. According to the researchers, the activity focused on highly targeted intelligence collection rather than bulk data theft, using a toolset made up of the AppleChris and MemFun backdoors and a custom credential harvester, Getpass.

The attackers maintained persistence on unmanaged endpoints, deployed two backdoors, and reached C2 servers through Pastebin and other methods, with AppleChris evolving from a Dropbox variant into the Tunneler variant and using DLL hijacking, sandbox evasion, and delayed execution to evade detection. The MemFun backdoor operates as a modular, multi-stage loader that runs in memory, employing process hollowing, reflective DLL loading, and anti-forensic techniques such as timestomping and memory zeroing.

Data exfiltration involved collecting highly sensitive files on military operations, organisational structures, and C4I systems, with Getpass harvesting credentials from Windows authentication packages and logging stolen data to WinSAT[.]db. The researchers concluded the activity cluster is a suspected espionage campaign conducted from China, emphasising long-term, persistent control and ongoing updates to the C2 infrastructure.
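As an added defender-side example (not code from the article or from the researchers' report), the following Python hunt walks a directory tree looking for the Getpass log artifact WinSAT[.]db and for timestomping indicators of the kind attributed to MemFun. The heuristics, thresholds and the constructed sample files are assumptions of this example; on Linux, ctime only approximates a creation time.

```python
"""Hunt for two artifacts named in the article: the Getpass log WinSAT[.]db
and timestomped files (MemFun anti-forensics). Heuristics are constructed."""
import os
import tempfile
import time
from pathlib import Path

NS = 1_000_000_000
ARTIFACT_NAMES = {"winsat.db"}  # written WinSAT[.]db (defanged) in the article

def timestomp_indicators(path, max_gap_days=30):
    """Return indicator tags for one file; an empty list means nothing odd."""
    st = os.stat(path, follow_symlinks=False)
    tags = []
    if Path(path).name.lower() in ARTIFACT_NAMES:
        tags.append("artifact-name")
    # utime/SetFileTime-style tools usually write whole seconds, while files
    # the OS wrote itself carry sub-second precision. Trust this only when
    # the filesystem records sub-seconds at all (checked via ctime).
    if st.st_mtime_ns % NS == 0 and st.st_ctime_ns % NS != 0:
        tags.append("whole-second-mtime")
    # Content "modified" long before the file record existed. Python 3.12+ on
    # Windows exposes st_birthtime_ns; elsewhere ctime (inode change) stands in.
    created_ns = getattr(st, "st_birthtime_ns", st.st_ctime_ns)
    if created_ns - st.st_mtime_ns > max_gap_days * 86400 * NS:
        tags.append("mtime-predates-creation")
    return tags

def hunt(root):
    """Walk a directory tree; return {path: tags} for every flagged file."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            tags = timestomp_indicators(path)
            if tags:
                hits[path] = tags
    return hits

def demo():
    """Create a constructed evidence set in a temp dir and hunt through it."""
    root = tempfile.mkdtemp(prefix="hunt-")
    Path(root, "notes.txt").write_text("ordinary file\n")
    stomped = Path(root, "WinSAT.db")
    stomped.write_bytes(b"constructed credential log")
    # Backdate mtime by 90 days to a whole second, as a timestomper would.
    old = int(time.time()) - 90 * 86400
    os.utime(stomped, ns=(old * NS, old * NS))
    return hunt(root)
```

Running `demo()` flags only the constructed WinSAT.db file; pointing `hunt()` at a real volume is the same call with a different root.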

Article by CyberSIXT