Sophisticated China-Linked Cyber Espionage Campaign Targets Southeast Asian Military Networks
A long-running cyber espionage operation, tracked as CL-STA-1087, has been targeting military organizations across Southeast Asia since at least 2020, with evidence pointing to a China-aligned threat actor. The campaign prioritizes strategic and operational intelligence gathering over mass data exfiltration, employing stealthy techniques to evade detection.
The attack was first uncovered when suspicious PowerShell activity was flagged on an unmanaged endpoint within a military network. Investigators discovered the intrusion was not recent: the attackers had already established persistence, using delayed execution scripts that connected to multiple command-and-control (C2) servers at six-hour intervals to avoid triggering automated alerts.
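The six-hour beaconing described above is detectable precisely because it is so regular. The following script is an added example, not from the article or the vendors it cites: it groups outbound connections by source host and destination from constructed firewall-style log lines and flags any series whose inter-arrival times are nearly constant. Hostnames, addresses and the log format are assumptions.

```python
"""Flag hosts whose outbound connections to one destination recur at a
near-constant interval (beaconing). Log lines below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <src_host> <dst_ip>:<port>"
SAMPLE_LOG = """\
2020-03-01T00:02:11 WS-07 203.0.113.10:443
2020-03-01T01:15:40 WS-07 198.51.100.5:443
2020-03-01T06:02:09 WS-07 203.0.113.10:443
2020-03-01T09:47:02 WS-07 198.51.100.5:443
2020-03-01T12:02:14 WS-07 203.0.113.10:443
2020-03-01T18:02:10 WS-07 203.0.113.10:443
2020-03-02T00:02:12 WS-07 203.0.113.10:443
2020-03-01T03:10:00 WS-12 198.51.100.5:443
2020-03-01T14:33:21 WS-12 198.51.100.5:443
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, host, dst = line.split()
        conns[(host, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(text, min_events=4, max_jitter=0.05):
    """Return (host, dst, interval_hours) for every series with at least
    min_events connections whose gaps vary by no more than max_jitter
    (standard deviation relative to the mean gap)."""
    hits = []
    for (host, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((host, dst, round(avg / 3600, 2)))
    return hits

if __name__ == "__main__":
    for host, dst, hours in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {dst}: regular beacon every ~{hours} h")
```

Only the WS-07 series to 203.0.113.10 is reported; the sporadic connections to the second address fall below the event threshold and show no fixed cadence.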
The primary backdoor, AppleChris, was identified by PolySwarm analysts and played a central role in the operation. After a period of inactivity, the threat actors resumed lateral movement, leveraging Windows Management Instrumentation (WMI) and .NET commands to compromise domain controllers, web servers, IT workstations, and executive systems, with a particular focus on C4I (Command, Control, Communications, Computers, and Intelligence) systems.
The attackers deployed three key tools:
- AppleChris – A custom backdoor that dynamically retrieved C2 addresses from Pastebin and Dropbox using a Dead Drop Resolver (DDR) technique, decrypting data with an embedded RSA-1024 private key.
- MemFun – A memory-only backdoor disguised as GoogleUpdate.exe, using process hollowing, reflective DLL loading, and Blowfish encryption to avoid disk-based detection.
- Getpass – A modified Mimikatz variant that extracted plaintext passwords, NTLM hashes, and authentication tokens from lsass.exe, storing stolen data in a file named WinSAT.db to blend in with legitimate system files.
The campaign’s operational patterns, including UTC+8 business hours, China-based cloud infrastructure, and Simplified Chinese language elements in the C2 environment, further suggest a China-nexus origin, though no specific group has been formally attributed.
To maintain persistence, the attackers employed DLL hijacking and malicious Windows services, embedding malicious DLLs in the system32 directory and registering them through legitimate processes. This allowed them to operate undetected for extended periods.
Palo Alto’s Unit 42 later provided additional analysis, confirming the campaign’s scope and sophistication, with a focus on long-term intelligence collection rather than disruptive attacks. The use of custom encryption, in-memory execution, and legitimate service abuse underscores the threat actor’s advanced capabilities.
Source: https://cybersecuritynews.com/china-linked-hackers-breach-southeast-asian-military-systems/
Verve Research cybersecurity rating report: https://www.rankiteo.com/company/verve-research
"id": "VER1774470330",
"linkid": "verve-research",
"type": "Cyber Attack",
"date": "1/2020",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Defense',
'location': 'Southeast Asia',
'type': 'Military organizations'}],
'attack_vector': ['PowerShell activity',
'Windows Management Instrumentation (WMI)',
'.NET commands',
'DLL hijacking',
'Malicious Windows services'],
'data_breach': {'data_encryption': ['Blowfish encryption (MemFun)',
'RSA-1024 (AppleChris)'],
'data_exfiltration': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Strategic intelligence',
'Operational intelligence',
'Plaintext passwords',
'NTLM hashes',
'Authentication tokens']},
'description': 'A long-running cyber espionage operation, tracked as '
'CL-STA-1087, has been targeting military organizations across '
'Southeast Asia since at least 2020, with evidence pointing to '
'a China-aligned threat actor. The campaign prioritizes '
'strategic and operational intelligence gathering over mass '
'data exfiltration, employing stealthy techniques to evade '
'detection.',
'impact': {'data_compromised': 'Strategic and operational intelligence, '
'plaintext passwords, NTLM hashes, '
'authentication tokens',
'operational_impact': 'Long-term intelligence collection, '
'persistence in military networks',
'systems_affected': ['Domain controllers',
'Web servers',
'IT workstations',
'Executive systems',
'C4I (Command, Control, Communications, '
'Computers, and Intelligence) systems']},
'initial_access_broker': {'backdoors_established': ['AppleChris',
'MemFun',
'Getpass'],
'entry_point': 'Unmanaged endpoint (PowerShell '
'activity)',
'high_value_targets': ['C4I systems']},
'motivation': 'Strategic and operational intelligence gathering',
'post_incident_analysis': {'root_causes': ['Delayed execution scripts',
'DLL hijacking',
'Malicious Windows services',
'Legitimate service abuse']},
'references': [{'source': 'PolySwarm analysts'},
{'source': 'Palo Alto’s Unit 42'}],
'response': {'third_party_assistance': ['PolySwarm analysts',
'Palo Alto’s Unit 42']},
'threat_actor': 'China-aligned threat actor (CL-STA-1087)',
'title': 'Sophisticated China-Linked Cyber Espionage Campaign Targets '
'Southeast Asian Military Networks',
'type': 'Cyber Espionage'}