Ethical Hacking News

Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware: A State-Sponsored Campaign Reveals Sophisticated Espionage Tactics

A suspected China-based cyber espionage operation targeting Southeast Asian military organizations has been identified; it dates back to at least 2020. The activity cluster, tracked as CL-STA-1087 by the researchers who found it, exhibits hallmarks commonly associated with advanced persistent threat (APT) operations: carefully crafted delivery methods, defense evasion, and custom payloads built to sustain unauthorized access to compromised systems over long periods.

This article delves into the details of the CL-STA-1087 campaign, exploring the tools used by the threat actors, their tactics, techniques, and procedures (TTPs), and the implications of this state-sponsored operation on regional security. We will examine the role of AppleChris and MemFun malware, a custom version of Mimikatz known as Getpass, and the sophisticated operational security measures employed by the attackers to ensure campaign longevity.



  • Palo Alto Networks Unit 42 identified a suspected China-based operation targeting Southeast Asian military organizations.
  • The operation, designated CL-STA-1087, has been active since at least 2020 and combines custom tooling with a high degree of operational patience.
  • The attackers searched for and collected highly specific files concerning military capabilities, organizational structures, and collaboration with Western armed forces, rather than exfiltrating data in bulk.
  • Two backdoors, AppleChris and MemFun, read a shared Pastebin account that serves as a dead drop resolver: the paste holds the Base64-encoded address of the real command-and-control (C2) server, so the C2 can be moved without touching the implants.
  • AppleChris is loaded through DLL hijacking and then contacts the C2 server for tasking; MemFun is delivered through a multi-stage chain that ends with a DLL fetched from the C2 at runtime.
  • Because that final DLL is retrieved at runtime, MemFun functions as a modular malware platform: the operators can swap in other payloads without changing the loader or its C2 configuration.
  • The MemFun dropper timestomps itself and hollows a suspended dllhost.exe process to run its payload; a custom build of Mimikatz known as Getpass is used separately to obtain the required privileges and extract plaintext passwords, NTLM hashes, and other authentication data from lsass.exe memory.
  • The operators maintained dormant access for months and applied robust operational security measures to ensure campaign longevity.
  • For defenders, the campaign underlines the value of threat intelligence and incident response capabilities tuned to detect long-lived, low-noise state-sponsored intrusions.



In a recent development that highlights the evolving nature of state-sponsored cyber espionage, Palo Alto Networks Unit 42 has identified a suspected China-based operation targeting Southeast Asian military organizations. The campaign, designated CL-STA-1087, is believed to have originated in 2020 and demonstrates a sophisticated level of operational patience, strategic thinking, and advanced technological capability.

The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces. This focused approach contrasts with the bulk data theft often seen in other nation-state espionage campaigns. Instead, the attackers pursued targeted intelligence collection, using carefully crafted delivery methods, defense evasion tactics, and custom payloads to maintain persistent access while keeping a low profile.

At the heart of this operation are two backdoors: AppleChris and MemFun. Both are designed to read a shared Pastebin account that acts as a dead drop resolver: rather than carrying a hard-coded server address, each implant fetches the actual command-and-control (C2) address from the paste, where it is stored Base64-encoded, and decodes it before connecting. One version of AppleChris also retrieves the C2 information from Dropbox, falling back to the Pastebin-based approach if that fails. The practical consequence is that the operators can redirect every implant to a new C2 server by editing a paste, without redeploying any malware, and that the first network artifact on a victim host is a connection to a widely used legitimate service rather than to attacker-owned infrastructure.

Launched via DLL hijacking, in which a legitimate executable is made to load the malicious DLL in place of the one it expects, AppleChris initiates contact with the C2 server to receive commands that allow it to conduct drive enumeration, directory listing, file upload, download and deletion, process enumeration, remote shell execution, and silent process creation. The second AppleChris variant represents an evolution of its predecessor: it relies solely on Pastebin to obtain the C2 address and adds network proxy capabilities.

MemFun is launched by means of a multi-stage chain: an initial loader injects shellcode that starts an in-memory downloader, whose purpose is to retrieve the C2 configuration from Pastebin, communicate with the C2 server, and obtain a DLL that in turn executes the backdoor. Because the DLL is fetched from the C2 at runtime, the operators can deliver a different payload simply by changing what the server returns, without modifying the loader or its C2 configuration. This turns MemFun into a modular malware platform, as opposed to a static backdoor like AppleChris. It also means that analysts who recover only the initial loader see none of the backdoor's functionality; reconstructing that requires the C2 traffic or a memory capture.

The execution of MemFun begins with a dropper that runs anti-forensic checks and then alters its own file creation timestamp to match the creation time of the Windows System directory, a technique known as timestomping that is meant to make the file look as though it has been on the host since installation. It then injects the main payload into the memory of a suspended "dllhost.exe" process using a technique referred to as process hollowing.

In doing so, the malware runs under the guise of a legitimate Windows process to fly under the radar and avoid leaving additional artifacts on disk. Also put to use in the attacks is a custom version of Mimikatz known as Getpass that escalates privileges, a step it needs because reading the memory of the Local Security Authority process requires debug-level rights, and then attempts to extract plaintext passwords, NTLM hashes, and other authentication data directly from the "lsass.exe" process memory.
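
The behaviours described in the three paragraphs above (dead-drop resolution through Pastebin or Dropbox, a hollowed dllhost.exe, timestomping to the System directory's creation time, and a process reading lsass.exe memory) each leave a recognizable trace in endpoint telemetry. The following hunt script is an added example written for this page, not code from Unit 42 or from the report; it runs over a handful of constructed, simplified Sysmon-style events (the field names follow Sysmon's schema, the paths, hosts, times and GUID are invented and are not indicators from the campaign). The allowlists of browsers and of processes permitted to open LSASS, and the System32 creation time, are assumptions that must be tuned to the environment.

```python
"""Hunt for CL-STA-1087-style tradecraft over Sysmon-style events (added example).

Rules, one per technique the article describes:
  R1 dead-drop resolver : a non-browser process resolving pastebin.com / dropbox.com
  R2 process hollowing  : dllhost.exe not started by svchost.exe, or without /Processid:{GUID}
  R3 timestomping       : a file creation time rewritten to equal System32's creation time
  R4 credential theft   : a non-allowlisted process opening lsass.exe with PROCESS_VM_READ
"""
import re

# Assumption: the creation time of C:\Windows\System32 on the host being hunted.
# In practice read it from the host; this value is constructed for the example.
SYSTEM32_CREATED_UTC = "2021-05-04 10:11:12.345"

# Constructed sample events. Field names are Sysmon's; values are invented.
EVENTS = [
    # Event 22 (DNS query): an unknown binary resolving the dead-drop host -> R1
    {"EventID": 22, "Image": r"C:\ProgramData\Intel\igfxsrvc.exe", "QueryName": "pastebin.com"},
    # Event 22: a browser resolving the same host is expected and not flagged
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "pastebin.com"},
    # Event 1 (process create): dllhost.exe with an unexpected parent and no COM surrogate args -> R2
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Users\Public\update.exe", "CommandLine": r"C:\Windows\System32\dllhost.exe"},
    # Event 1: a legitimate COM Surrogate launch (parent svchost.exe, /Processid:{GUID}); not flagged
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    # Event 10 (process access): a user-writable path opening lsass.exe with PROCESS_VM_READ -> R4
    {"EventID": 10, "SourceImage": r"C:\Users\Public\getpass.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Event 2 (file creation time changed): new time equals System32's creation time -> R3
    {"EventID": 2, "Image": r"C:\ProgramData\Intel\igfxsrvc.exe",
     "TargetFilename": r"C:\ProgramData\Intel\igfxsrvc.exe",
     "CreationUtcTime": SYSTEM32_CREATED_UTC, "PreviousCreationUtcTime": "2026-03-02 08:00:00.000"},
    # Event 2: an installer resetting a timestamp to something else; not flagged by R3
    {"EventID": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe",
     "CreationUtcTime": "2024-01-01 00:00:00.000", "PreviousCreationUtcTime": "2026-03-02 08:00:00.000"},
]

DEAD_DROP_HOSTS = {"pastebin.com", "dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}        # assumption: tune per estate
LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}                   # assumption: tune per estate
PROCESS_VM_READ = 0x0010                                                      # Win32 access right bit
COM_SURROGATE_ARG = re.compile(r"/processid:\{[0-9a-f-]{36}\}", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events, system32_created_utc: str):
    """Return (rule, subject) findings in event order."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 22:
            if e["QueryName"].lower() in DEAD_DROP_HOSTS and basename(e["Image"]) not in BROWSERS:
                findings.append(("R1-dead-drop", e["Image"]))
        elif eid == 1 and basename(e["Image"]) == "dllhost.exe":
            parent_ok = basename(e["ParentImage"]) == "svchost.exe"          # DcomLaunch host
            args_ok = COM_SURROGATE_ARG.search(e["CommandLine"]) is not None
            if not (parent_ok and args_ok):
                findings.append(("R2-hollowing", e["ParentImage"]))
        elif eid == 2 and e["CreationUtcTime"] == system32_created_utc:
            findings.append(("R3-timestomp", e["TargetFilename"]))
        elif eid == 10 and basename(e["TargetImage"]) == "lsass.exe":
            granted = int(e["GrantedAccess"], 16)
            if granted & PROCESS_VM_READ and basename(e["SourceImage"]) not in LSASS_READERS:
                findings.append(("R4-lsass-read", e["SourceImage"]))
    return findings


if __name__ == "__main__":
    for rule, subject in hunt(EVENTS, SYSTEM32_CREATED_UTC):
        print(f"{rule:15} {subject}")
```

R2 encodes a property of the real COM Surrogate rather than a campaign indicator: Windows starts dllhost.exe from the DcomLaunch service host with a /Processid:{GUID} argument, so a dllhost.exe created suspended by an arbitrary dropper, as the hollowing step requires, fails one or both checks. R3 is only as good as the reference timestamp, so collect it per host; R4 will be noisy until the allowlist reflects the EDR and backup agents actually deployed.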

"The threat actor behind the cluster demonstrated operational patience and security awareness," Unit 42 concluded. "They maintained dormant access for months while focusing on precision intelligence collection and implementing robust operational security measures to ensure campaign longevity."

The implications of this state-sponsored operation are significant, particularly given the growing concern over the cybersecurity posture of Southeast Asian militaries. As regional security dynamics continue to evolve, understanding the tactics, techniques, and procedures used by nation-state actors becomes essential for the organizations they target.

Furthermore, the operation highlights the importance of robust threat intelligence and incident response capabilities. The techniques described above leave recognizable traces: implants that resolve their C2 address through Pastebin or Dropbox, a dllhost.exe process started by something other than the service host that normally spawns it, files whose creation timestamp exactly matches that of the Windows System directory, and a process reading lsass.exe memory. Defenders should hunt for these behaviours rather than rely only on indicators tied to a single campaign, since the operators can change a paste or a payload far faster than a blocklist is updated.

In conclusion, the CL-STA-1087 campaign is a reminder of how mature state-sponsored cyber espionage has become. Examining the tools, the TTPs, and the operational security measures used to keep the campaign alive for years gives defenders concrete behaviours to detect and a clearer picture of the threat they are up against.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Chinese-Hackers-Target-Southeast-Asian-Militaries-with-AppleChris-and-MemFun-Malware-A-State-Sponsored-Campaign-Reveals-Sophisticated-Espionage-Tactics-ehn.shtml

  • Published: Fri Mar 13 15:32:43 2026 by llama3.2 3B Q4_K_M


© Ethical Hacking News. All rights reserved.