Ethical Hacking News
The CL-STA-1087 APT group has been targeting Southeast Asian military organizations since 2020 using sophisticated malware variants such as AppleChris and MemFun. The attackers demonstrated operational patience, security awareness, and the ability to evade detection using advanced techniques. This attack highlights the evolving nature of cyber espionage operations and underscores the need for robust cybersecurity measures across Southeast Asia.
The CL-STA-1087 APT group has been targeting Southeast Asian military organizations since 2020. The attack vector involves two malware variants: AppleChris and MemFun. The attackers employed DLL hijacking, sandbox evasion, and delayed execution to evade detection. They used custom HTTP verbs and a dead drop resolver (DDR) via Pastebin to dynamically reach C2 servers. The MemFun backdoor runs entirely in memory using process hollowing and anti-forensic techniques. The attackers harvested credentials from Windows authentication packages using a custom Mimikatz DLL.
The cyber security landscape has witnessed numerous sophisticated attacks by nation-state actors in recent years, each designed to evade detection and achieve specific strategic objectives. Among the most notable examples of such attacks is that attributed to the China-linked Advanced Persistent Threat (APT) group CL-STA-1087. According to a recent report published by Palo Alto Networks, this APT group has been actively targeting Southeast Asian military organizations since 2020.
The attack vector employed by CL-STA-1087 involves the use of two malware variants: AppleChris and MemFun. These malware variants are not only sophisticated in their design but also demonstrate a high degree of operational patience and security awareness on the part of the attackers. The researchers have observed that the attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces.
The report further states that the threat actors maintained persistence on an unmanaged endpoint using scripts to create reverse shells to multiple C2 servers. They employed DLL hijacking and multiple malware variants to evade detection. The attackers deployed two backdoors: AppleChris and MemFun, both of which used custom HTTP verbs and a dead drop resolver (DDR) via Pastebin to dynamically reach C2 servers.
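As an added defender-side illustration (not code from the report, from Palo Alto Networks, or from this article), the following Python script scans constructed proxy log lines for two of the behaviours described above: HTTP methods outside the standard set, and fetches of Pastebin raw pages, which is how a dead drop resolver typically reads its C2 pointer. The log format, the client addresses, the verbs XFER and XTASK and the Pastebin paths are all assumptions; none are the campaign's real values.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the report). Assumed format:
# "<timestamp> <client_ip> <METHOD> <url> <status>". The verbs XFER/XTASK and
# the Pastebin paths are placeholders, not the campaign's real values.
SAMPLE_PROXY_LOG = """\
2026-03-10T08:01:02Z 10.1.4.22 GET https://www.example.com/index.html 200
2026-03-10T08:01:09Z 10.1.4.22 GET https://pastebin.com/raw/PLACEHOLDER1 200
2026-03-10T08:01:11Z 10.1.4.22 XFER https://203.0.113.7/api/v1/sync 200
2026-03-10T08:02:30Z 10.1.4.35 POST https://mail.example.com/owa/ 200
2026-03-10T08:03:45Z 10.1.4.22 XTASK https://203.0.113.7/api/v1/task 200
2026-03-10T08:04:00Z 10.1.4.40 GET https://pastebin.com/raw/PLACEHOLDER2 200
"""

# Methods defined by RFC 9110 (and PATCH by RFC 5789); anything else is worth a look.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                    "OPTIONS", "TRACE", "PATCH"}
# Raw-paste URLs are the usual way a dead drop resolver fetches its C2 pointer.
DDR_URL_RE = re.compile(r"^https?://(www\.)?pastebin\.com/raw/", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "status": int(status)}


def analyze(log_text):
    """Return (findings, escalated_clients).

    findings: one entry per suspicious line, in log order.
    escalated_clients: clients that showed BOTH a non-standard method and a
    DDR-style fetch, the combination described for the AppleChris/MemFun C2.
    """
    per_client = defaultdict(lambda: {"methods": set(), "ddr": 0})
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the assumed format
        state = per_client[rec["client"]]
        if rec["method"] not in STANDARD_METHODS:
            state["methods"].add(rec["method"])
            findings.append({"client": rec["client"], "reason": "nonstandard_method",
                             "detail": rec["method"], "url": rec["url"]})
        if DDR_URL_RE.match(rec["url"]):
            state["ddr"] += 1
            findings.append({"client": rec["client"], "reason": "ddr_lookup",
                             "detail": rec["url"], "url": rec["url"]})
    escalated = sorted(c for c, s in per_client.items() if s["methods"] and s["ddr"])
    return findings, escalated


if __name__ == "__main__":
    found, hosts = analyze(SAMPLE_PROXY_LOG)
    for f in found:
        print(f"{f['client']}: {f['reason']} ({f['detail']})")
    print("escalate:", hosts)
```

A single Pastebin fetch is weak evidence on its own, so the script only escalates a client that shows both behaviours; in practice the allowlist of methods and the paste-site pattern would be tuned to the environment's actual traffic.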
The AppleChris variant is particularly noteworthy for its evolution from the earlier Dropbox variant into the more capable Tunneler variant. It employs DLL hijacking, sandbox evasion, and delayed execution to evade detection. The MemFun loader, for its part, communicates with the C2 server using session-specific Blowfish encryption to retrieve and execute the final MemFun payload, enabling stealthy and flexible operations without leaving artifacts on disk.
The MemFun backdoor is a modular, multi-stage malware that consists of the GoogleUpdate.exe loader, an in-memory downloader, and a final DLL payload retrieved from the C2 server. It runs entirely in memory, using process hollowing, reflective DLL loading, and anti-forensic techniques such as timestomping and memory zeroing to evade detection.
The attackers also used Getpass, a custom Mimikatz DLL masquerading as a Palo Alto tool, which automatically harvested credentials from 10 Windows authentication packages by accessing lsass.exe memory. The stolen data was logged to WinSAT.db.
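As a second added detection example (again not code from the report or from Palo Alto Networks), the script below walks constructed Sysmon-style events and flags two things the paragraph above describes: a non-allowlisted process opening lsass.exe with memory-read access, and the creation of a file named WinSAT.db. The event fields follow Sysmon's ProcessAccess (Event ID 10) and FileCreate (Event ID 11) schema, but the events themselves, the allowlist, the image paths and the file location are assumptions.

```python
import json
import ntpath

PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory

# Assumed allowlist of images that routinely open lsass.exe (tune per environment;
# this is an assumption, not something the report specifies).
ALLOWLISTED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon-style events in JSON-lines form (not from the report).
# EventID 10 = ProcessAccess, EventID 11 = FileCreate. Paths are placeholders.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\updater.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\updater.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1010"}
{"EventID": 11, "Image": "C:\\Users\\Public\\updater.exe", "TargetFilename": "C:\\Windows\\Temp\\WinSAT.db"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\WinSAT.exe", "TargetFilename": "C:\\Windows\\Performance\\WinSAT\\winsat.log"}
"""


def parse_events(jsonl):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_lsass(path):
    return ntpath.basename(path).lower() == "lsass.exe"


def requests_memory_read(granted_access):
    # Sysmon logs GrantedAccess as a hex string such as "0x1010".
    # Parenthesised because '!=' binds tighter than '&' in Python.
    return (int(granted_access, 16) & PROCESS_VM_READ) != 0


def detect(events):
    """Return findings plus the images that both read lsass and wrote WinSAT.db."""
    findings = []
    lsass_readers = set()
    artifact_writers = set()
    for ev in events:
        if ev.get("EventID") == 10:
            src = ev["SourceImage"]
            if (is_lsass(ev["TargetImage"])
                    and src.lower() not in ALLOWLISTED_SOURCES
                    and requests_memory_read(ev["GrantedAccess"])):
                findings.append({"kind": "lsass_memory_read", "image": src,
                                 "access": ev["GrantedAccess"]})
                lsass_readers.add(src.lower())
        elif ev.get("EventID") == 11:
            # The report names WinSAT.db as the output file; the genuine WinSAT
            # tool's files live elsewhere, so the name alone is a useful pivot.
            if ntpath.basename(ev["TargetFilename"]).lower() == "winsat.db":
                findings.append({"kind": "winsat_db_created", "image": ev["Image"],
                                 "path": ev["TargetFilename"]})
                artifact_writers.add(ev["Image"].lower())
    correlated = sorted(lsass_readers & artifact_writers)
    return {"findings": findings, "correlated_images": correlated}


if __name__ == "__main__":
    result = detect(parse_events(SAMPLE_EVENTS_JSONL))
    for f in result["findings"]:
        print(f)
    print("correlated:", result["correlated_images"])
```

Legitimate software (security agents, some Windows services) also opens lsass.exe, so the allowlist and the access-mask check are what keep this from being noisy; correlating the same image with the WinSAT.db write is what raises confidence that the access was credential harvesting rather than benign inspection.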
In conclusion, the CL-STA-1087 APT group's sophisticated attack campaign highlights the evolving nature of cyber espionage operations and the importance of maintaining robust cybersecurity measures to prevent such threats. As this type of threat continues to evolve, it is essential for organizations across Southeast Asia to remain vigilant and take proactive steps to secure their networks against similar attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/The-China-Linked-APT-Group-CL-STA-1087-A-Sophisticated-Espionage-Operation-Targeting-Southeast-Asian-Military-Organizations-ehn.shtml
Published: Tue Mar 17 09:12:18 2026 by llama3.2 3B Q4_K_M