www.securityweek.com 3/16/2026, 1:16:00 PM

China-Linked Hackers Hit Asian Militaries in Patient Espionage Operation

Southeast Asian military organisations have been targeted in a China-linked cyber espionage campaign that has been active for years, according to SecurityWeek. Likely ongoing since at least 2020, the operation is attributed to a state-sponsored threat actor tracked as CL-STA-1087, whose patient approach saw the attackers remain dormant in compromised environments for months.

As part of the campaign, the group deployed tools such as the AppleChris backdoor, MemFun, and Getpass, and ran malicious PowerShell scripts to create reverse shells and drop the AppleChris backdoor, according to Palo Alto Networks. The intrusions involved lateral movement to infect domain controllers, web servers, IT workstations and executive systems, and included creating a new persistence service and storing a malicious DLL in System32, with DLL hijacking used to load it via a shadow copy service.

The attackers reportedly used Pastebin and Dropbox for command-and-control distribution, and evidence suggests the group has been active since 2020, with communications maintained across multiple compromised networks. Written by Ionut Arghire, the piece notes that the targeting, timing, and Chinese-language login page on the C&C server point to a China-based operation. 16 March 2026.
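The persistence technique summarised above (a new service whose DLL is dropped into System32 and loaded through hijacking) leaves a small footprint that defenders can hunt for: a service that is not on the golden-image baseline, whose hosted DLL under System32 is not signed by Microsoft, and which appeared recently. The script below is an added example, not code from SecurityWeek or Palo Alto Networks; the inventory lines, service names, DLL names, signer strings and the baseline set are all constructed for illustration and are not indicators from the report.

```python
"""Hunt for service-hosted DLLs in System32 that do not match a known-good baseline.

Added example with constructed data; the service and DLL names below are
hypothetical and are not indicators from the CL-STA-1087 reporting.
"""
import re
from datetime import datetime, timedelta

# Constructed inventory: one line per service, in the key=value form a
# collection script (e.g. one reading the Parameters\ServiceDll value of each
# service plus the DLL's Authenticode signer and file creation time) might emit.
SAMPLE_INVENTORY = """\
service=Dnscache dll=C:\\Windows\\System32\\dnsrslvr.dll signer="Microsoft Windows" created=2024-11-02T09:10:00
service=Schedule dll=C:\\Windows\\System32\\schedsvc.dll signer="Microsoft Windows" created=2024-11-02T09:10:00
service=VssBackupSvc dll=C:\\Windows\\System32\\vssbackup.dll signer=unsigned created=2026-02-20T03:41:12
service=AppMgmt dll=C:\\Windows\\System32\\appmgmts.dll signer="Microsoft Windows" created=2024-11-02T09:10:00
service=UpdateHelper dll=C:\\Windows\\System32\\updhlp.dll signer="Contoso Ltd" created=2026-03-01T22:05:44
"""

# Constructed baseline of service names taken from a clean reference image.
BASELINE = {"Dnscache", "Schedule", "AppMgmt"}

# Fixed "current time" so the recency check is deterministic in this example.
NOW = datetime(2026, 3, 16)

SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_inventory(text):
    """Turn key=value lines into dicts; quoted values keep their spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        fields["created"] = datetime.fromisoformat(fields["created"])
        records.append(fields)
    return records


def find_suspicious(records, now=NOW, baseline=BASELINE, window_days=90):
    """Return (service, dll, reasons) for services hitting at least two signals.

    Any single signal is noisy on its own (vendors install services too), so a
    finding requires two of: non-Microsoft DLL under System32, service absent
    from the baseline, DLL created within the lookback window.
    """
    findings = []
    for r in records:
        reasons = []
        if SYSTEM32.match(r["dll"]) and r["signer"] != "Microsoft Windows":
            reasons.append("non-Microsoft DLL in System32")
        if r["service"] not in baseline:
            reasons.append("service not in baseline")
        if now - r["created"] <= timedelta(days=window_days):
            reasons.append(f"created within {window_days} days")
        if len(reasons) >= 2:
            findings.append((r["service"], r["dll"], reasons))
    return findings


if __name__ == "__main__":
    for service, dll, reasons in find_suspicious(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{service}: {dll}\n  " + "\n  ".join(reasons))
```

Run against a real host the inventory would come from a collection script rather than the embedded string; the two-signal threshold and the 90-day window are tuning knobs, and the baseline should be regenerated per image build so that legitimately added services do not keep firing.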


Article by CyberSIXT