China-Linked Cyberespionage Campaign Targets Southeast Asian Military Organizations
Palo Alto Networks has uncovered a long-running cyberespionage campaign attributed to a China-backed threat actor, CL-STA-1087, targeting military organizations across Southeast Asia. Active since at least 2020, the operation demonstrates a high level of sophistication, with attackers maintaining prolonged access to compromised networks sometimes for months before resuming activity.
The hackers deployed custom malware tools, including the AppleChris and MemFun backdoors, as well as Getpass, a modified version of Mimikatz designed to steal credentials from 10 specific Windows authentication packages. Initial infection vectors remain unidentified, but in one case, the group lingered undetected in a victim’s environment before executing malicious PowerShell scripts to establish reverse shells and deploy backdoors.
Once inside, the attackers targeted domain controllers, web servers, IT workstations, and executive systems, using WMI and native .NET commands for lateral movement. They prioritized highly sensitive military documents, including:
- Organizational structures and command hierarchies
- Assessments of operational capabilities
- Records of joint military exercises with Western forces
- C4I (Command, Control, Communications, Computers, and Intelligence) systems
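Lateral movement over WMI leaves a recognisable process tree on the target host: the WMI provider host (WmiPrvSE.exe) becomes the parent of whatever command the remote caller asked it to run. The following is an added detection example, not code from the Palo Alto Networks report; it runs a simple rule over constructed Sysmon-style process-creation records (Event ID 1 field names such as ParentImage, Image and CommandLine are real Sysmon fields, the hosts, users and command lines are made up).

```python
"""Flag command interpreters launched by the WMI provider host, the process
tree that a remote WMI-driven command execution leaves behind. Added example
for the lateral-movement paragraph above; the event feed is constructed
Sysmon-style JSON, not data from the report."""
import json
from dataclasses import dataclass

WMI_PROVIDER_HOST = "wmiprvse.exe"
# Interpreters and script hosts that are unusual children of WmiPrvSE.exe;
# tune this set to what management tooling in the environment really spawns.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Alert:
    computer: str
    user: str
    child: str
    command_line: str


def image_name(path: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wmi_spawned_interpreter(event: dict) -> bool:
    """Sysmon Event ID 1 (process creation): ParentImage is WmiPrvSE.exe and
    Image is one of the suspicious children. Other event types never match."""
    if event.get("EventID") != 1:
        return False
    return (image_name(event.get("ParentImage", "")) == WMI_PROVIDER_HOST
            and image_name(event.get("Image", "")) in SUSPICIOUS_CHILDREN)


def detect(json_lines):
    """Run the rule over newline-delimited JSON events. Malformed lines are
    skipped so one corrupt record cannot stall the whole feed."""
    alerts = []
    for line in json_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_wmi_spawned_interpreter(ev):
            alerts.append(Alert(ev.get("Computer", "?"), ev.get("User", "?"),
                                image_name(ev["Image"]), ev.get("CommandLine", "")))
    return alerts


def _ev(computer, user, parent, image, cmd, event_id=1):
    """Build one constructed Sysmon-style record as a JSON line."""
    return json.dumps({"EventID": event_id, "Computer": computer, "User": user,
                       "ParentImage": parent, "Image": image, "CommandLine": cmd})


WBEM = "C:\\Windows\\System32\\wbem\\"
SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample feed: WMI-spawned PowerShell on a domain controller,
# WMI-spawned cmd.exe on a file server, one ordinary interactive PowerShell
# launch, one benign WMI child process, and one truncated line.
SAMPLE_EVENTS = [
    _ev("DC01", "CORP\\svc_backup", WBEM + "WmiPrvSE.exe", PS,
        "powershell.exe -NoProfile -EncodedCommand <BASE64-PLACEHOLDER>"),
    _ev("WS-EXEC-07", "CORP\\jdoe", "C:\\Windows\\explorer.exe", PS, "powershell.exe"),
    _ev("FS02", "CORP\\svc_backup", WBEM + "WmiPrvSE.exe", SYS32 + "cmd.exe",
        "cmd.exe /c whoami"),
    _ev("FS02", "NT AUTHORITY\\SYSTEM", WBEM + "WmiPrvSE.exe", WBEM + "unsecapp.exe",
        "unsecapp.exe -Embedding"),
    '{"EventID": 1, "Computer": "DC01", "truncated',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[WMI lateral movement?] {a.computer} {a.user}: {a.child} {a.command_line}")
```

Legitimate management agents also launch commands through WmiPrvSE.exe, so the rule is a baseline-first candidate: record which parent/child pairs normal tooling produces on each host class, then alert on the remainder, and correlate with the network logon (type 3) that preceded the process creation.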
The AppleChris backdoor evolved over time: early versions used Dropbox and Pastebin to resolve their command-and-control (C&C) address, while later variants added network proxy capabilities. The malware enabled remote execution, file manipulation, and process enumeration. Meanwhile, MemFun employed reflective DLL loading to evade detection, and Getpass harvested credentials for further exploitation.
Palo Alto Networks' analysis suggests the group operates on a UTC+8 time zone schedule, aligning with typical working hours in China and parts of Asia. Additional indicators, such as the use of China-based cloud infrastructure and Simplified Chinese on a C&C login page, further support the attribution to a Chinese state-sponsored actor.
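The time-zone inference above rests on a standard analytic step: take the UTC timestamps of attacker activity, re-project them into each candidate zone, and see which offset places the most activity inside ordinary weekday working hours. The following is an added illustration, not the report's own tooling; the timestamps are constructed (a fictitious week of beacon check-ins), and whole-hour offsets are assumed for simplicity.

```python
"""Infer an operator's likely working time zone from UTC activity
timestamps. Added example for the attribution paragraph above; the
timestamps are constructed, not from the Palo Alto Networks report."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18        # local working window, 09:00 to 17:59
CANDIDATE_OFFSETS = range(-12, 15)  # whole-hour offsets; half-hour zones omitted


def parse_utc(iso_strings):
    """Parse ISO-8601 strings into aware datetimes normalised to UTC.
    Naive strings are assumed to already be UTC."""
    out = []
    for s in iso_strings:
        dt = datetime.fromisoformat(s)
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        out.append(dt.astimezone(timezone.utc))
    return out


def working_hours_fraction(events_utc, offset_hours):
    """Share of events that land Mon-Fri inside the working window when
    viewed from a zone at the given UTC offset."""
    if not events_utc:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    in_hours = 0
    for dt in events_utc:
        local = dt.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            in_hours += 1
    return in_hours / len(events_utc)


def rank_offsets(events_utc):
    """All candidate offsets as (fraction, offset), best first; ties go to
    the offset closest to UTC so the result is deterministic."""
    scored = [(working_hours_fraction(events_utc, off), off) for off in CANDIDATE_OFFSETS]
    return sorted(scored, key=lambda t: (-t[0], abs(t[1])))


def best_offset(events_utc):
    """The single best-fitting offset and its working-hours fraction."""
    fraction, off = rank_offsets(events_utc)[0]
    return off, fraction


def local_hour_histogram(events_utc, offset_hours):
    """Activity count per local hour, useful for eyeballing the fit."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(dt.astimezone(tz).hour for dt in events_utc)


# Constructed sample: check-ins spread across one working week (4-8 March
# 2024 is Monday to Friday) plus two Saturday check-ins, all logged in UTC.
SAMPLE_TIMESTAMPS = [
    f"2024-03-0{day}T{hhmm}:00+00:00"
    for day in range(4, 9)
    for hhmm in ("01:05", "02:30", "04:00", "06:15", "08:45", "09:40")
] + ["2024-03-09T03:00:00+00:00", "2024-03-09T05:30:00+00:00"]

if __name__ == "__main__":
    events = parse_utc(SAMPLE_TIMESTAMPS)
    off, fraction = best_offset(events)
    print(f"best fit: UTC{off:+d} ({fraction:.0%} of activity inside working hours)")
    for frac, o in rank_offsets(events)[:3]:
        print(f"  UTC{o:+d}: {frac:.0%}")
    print(sorted(local_hour_histogram(events, off).items()))
```

A clean working-hours fit is one signal, not a verdict: timestamps from proxies or compromised relays reflect the relay, not the operator, and a disciplined actor can shift hours deliberately, which is why the report pairs the schedule with infrastructure and language indicators before naming a likely origin.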
The campaign highlights the group’s persistence and precision, with attackers continuously updating their infrastructure via Pastebin and Dropbox to maintain access. The focus on military intelligence underscores the strategic nature of the operation, likely aimed at gathering insights into regional defense capabilities and alliances.
Defense Bridge Asia (DBA) cybersecurity rating report: https://www.rankiteo.com/company/defensebridgeasia
{
  "id": "DEF1775413516",
  "linkid": "defensebridgeasia",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "100",
  "impact": "8",
  "explanation": "Attack that could bring to a war"
}
{'affected_entities': [{'industry': 'Defense',
                        'location': 'Southeast Asia',
                        'type': 'Military organizations'}],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Organizational structures',
                                              'Command hierarchies',
                                              'Operational capabilities assessments',
                                              'Joint military exercise records',
                                              'C4I systems data']},
 'description': 'Palo Alto Networks has uncovered a long-running cyberespionage campaign attributed to a China-backed threat actor, CL-STA-1087, targeting military organizations across Southeast Asia. The operation demonstrates a high level of sophistication, with attackers maintaining prolonged access to compromised networks sometimes for months before resuming activity. The hackers deployed custom malware tools, including the AppleChris and MemFun backdoors, as well as Getpass, a modified version of Mimikatz designed to steal credentials. The campaign focused on highly sensitive military documents and systems.',
 'impact': {'data_compromised': 'Highly sensitive military documents, including organizational structures, command hierarchies, operational capabilities assessments, joint military exercise records, and C4I systems data',
            'operational_impact': 'Prolonged unauthorized access to military networks',
            'systems_affected': ['Domain controllers',
                                 'Web servers',
                                 'IT workstations',
                                 'Executive systems']},
 'initial_access_broker': {'backdoors_established': ['AppleChris', 'MemFun'],
                           'high_value_targets': ['Domain controllers',
                                                  'Web servers',
                                                  'IT workstations',
                                                  'Executive systems']},
 'investigation_status': 'Ongoing',
 'lessons_learned': "The campaign highlights the threat actor's persistence, precision, and continuous infrastructure updates to maintain access. The focus on military intelligence underscores the strategic nature of the operation.",
 'motivation': 'Military intelligence gathering',
 'post_incident_analysis': {'root_causes': 'Use of custom malware (AppleChris, MemFun, Getpass), prolonged undetected access, and lateral movement techniques'},
 'references': [{'source': 'Palo Alto Networks'}],
 'response': {'third_party_assistance': 'Palo Alto Networks'},
 'threat_actor': 'CL-STA-1087 (China-backed)',
 'title': 'China-Linked Cyberespionage Campaign Targets Southeast Asian Military Organizations',
 'type': 'Cyberespionage'}