Unit 42 researchers have uncovered a sophisticated Chinese espionage campaign, designated CL-STA-1087, that has been systematically targeting military organizations across Southeast Asia since at least 2020. The state-sponsored operation demonstrates exceptional operational patience and deploys previously undocumented malware tools designed for long-term intelligence collection against regional defense forces.
Executive Summary
The investigation reveals a methodical espionage operation focused on highly targeted intelligence gathering rather than bulk data theft. The attackers actively searched for files concerning military capabilities, organizational structures, and—critically—collaborative efforts with Western armed forces. This strategic focus suggests the campaign aims to understand regional military alliances and defensive capabilities.
New Malware Arsenal
Unit 42 identified two previously undocumented backdoors deployed in this campaign:
AppleChris Backdoor
Named after its mutex string 0XFEXYCDAPPLE05CHRIS, this backdoor exists in multiple variants:
- Dropbox Variant: Uses a dual dead drop resolver (DDR) approach with attacker-controlled Dropbox and Pastebin accounts
- Tunneler Variant: A more advanced version with streamlined Pastebin-based DDR and network proxy tunneling capabilities
AppleChris features include:
- RSA-1024 encryption for C2 resolution
- AES encryption for command payloads
- DLL search-order hijacking against the Volume Shadow Copy Service (VSS)
- Non-standard HTTP request methods (POT, DPF, UPF, CPF, LPF, used alongside PUT) that encode which command a request belongs to
- Full backdoor feature set: drive enumeration, file operations, process management, remote shell execution
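Two of the traits above are visible on the wire without any knowledge of the RSA or AES keys: the odd request methods, and the dead-drop lookups to Pastebin or Dropbox that precede beaconing. The following detection, written for this summary and not taken from the Unit 42 report, runs over a constructed proxy log (timestamp, source IP, method, URL, status). The hostnames it treats as dead-drop hosts and the "PUT to a bare IP" beacon shape are assumptions for the example; the method names are the ones the report lists.

```python
"""Flag proxy-log lines matching the AppleChris traffic traits: non-standard HTTP
methods used for command tracking, and dead-drop-resolver (DDR) lookups against
Pastebin / Dropbox followed by C2-like traffic."""
import re
from collections import defaultdict

# Methods the report attributes to AppleChris. PUT is a standard verb, so it is
# only interesting together with the others or with a DDR lookup from the same host.
APPLECHRIS_METHODS = {"POT", "DPF", "UPF", "CPF", "LPF"}
STANDARD_METHODS = {"GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE", "PATCH", "CONNECT", "TRACE"}

# Assumption: the resolver fetches raw pastes or public Dropbox links. The report
# does not give exact paths, so only the host is matched.
DDR_HOST_RE = re.compile(
    r"^(?:www\.)?(pastebin\.com|dl\.dropboxusercontent\.com|(?:api|content|www)\.dropbox\.com)$", re.I)

# Constructed sample log (none of these lines come from the report).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 10.10.5.21 GET https://www.example.org/news 200
2024-03-01T08:00:07Z 10.10.5.21 GET https://pastebin.com/raw/AbCdEf12 200
2024-03-01T08:00:09Z 10.10.5.21 POT https://203.0.113.10/update 200
2024-03-01T08:00:15Z 10.10.5.21 DPF https://203.0.113.10/update 200
2024-03-01T08:01:00Z 10.10.7.40 GET https://dl.dropboxusercontent.com/s/abc/notes.txt 200
2024-03-01T08:01:03Z 10.10.7.40 PUT https://203.0.113.10/update 200
2024-03-01T08:02:00Z 10.10.9.3 POST https://www.example.org/login 302
2024-03-01T08:02:30Z 10.10.9.3 PUT https://intranet.example.org/api/doc 204
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def host_of(url):
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def detect(text, server_hosts=()):
    """Return {src_ip: [finding, ...]}.

    server_hosts: source IPs of servers (DCs, web servers) that have no business
    fetching pastes or Dropbox content; a DDR lookup from one of them is reported
    even without a suspicious verb afterwards."""
    by_src = defaultdict(list)
    for rec in parse_log(text):
        by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        out = []
        methods = {r["method"].upper() for r in recs}
        custom = sorted(methods & APPLECHRIS_METHODS)
        unknown = sorted(methods - STANDARD_METHODS - APPLECHRIS_METHODS)
        ddr = [r["url"] for r in recs if DDR_HOST_RE.match(host_of(r["url"]))]
        # Dropbox-variant shape: resolve C2 via DDR, then talk to a bare IP with PUT.
        bare_ip_put = any(r["method"].upper() == "PUT" and BARE_IP_RE.match(host_of(r["url"]))
                          for r in recs)
        if custom:
            out.append(f"AppleChris-style HTTP methods: {','.join(custom)}")
        if unknown:
            out.append(f"other non-standard HTTP methods: {','.join(unknown)}")
        if ddr and (custom or bare_ip_put or src in server_hosts):
            out.append(f"dead-drop lookup followed by C2-like traffic: {ddr[0]}")
        if out:
            findings[src] = out
    return findings


if __name__ == "__main__":
    for src, notes in detect(SAMPLE_LOG).items():
        print(src, "->", "; ".join(notes))
```

Tune `server_hosts` to the asset classes the report names as lateral-movement targets (domain controllers, web servers); a Pastebin fetch from a domain controller is a finding on its own, whatever follows it.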
MemFun Backdoor
A sophisticated multi-stage malware platform consisting of three components:
- Initial Loader: Disguised as GoogleUpdate.exe
- In-Memory Downloader: Executes entirely in memory
- Final Payload: A DLL retrieved from the C2 server containing the main backdoor functionality
MemFun employs advanced evasion techniques:
- Timestomping: Modifies file creation timestamps to match Windows system files
- Process Hollowing: Injects the payload into a suspended dllhost.exe process
- Reflective DLL Loading: Loads malicious code without writing it to disk
- Memory Wiping: Zeroes the first 4KB of the allocated memory to erase the PE headers. In an image mapped with the default 0x1000 section alignment, that one page holds the DOS header, PE header and section table, while the first section starts at RVA 0x1000, so the wipe removes what memory scanners key on and leaves the code intact
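A header-wiped image is still recognizable: the zeroed page sits in front of section bodies that keep their code and their import-name strings. The check below is an added example for this summary, not code from the report or from Unit 42; it builds a constructed PE-like byte string (not a real executable), applies the 4 KB wipe the report describes, and classifies memory regions with a heuristic that a memory scanner can apply to executable private regions. The marker strings and prologue byte patterns are assumptions chosen for the example.

```python
"""Classify executable memory regions, flagging ones that look like a PE image
whose first page (headers) has been zeroed, the MemFun 'memory wiping' trait."""
import struct

PAGE = 0x1000

# Strings that survive a header wipe because they live in section bodies
# (import-name-table entries). Assumption: native Windows payload.
BODY_MARKERS = [b"VirtualAlloc", b"LoadLibraryA", b"GetProcAddress",
                b"kernel32.dll", b"WriteProcessMemory"]
# Common x64 prologue fragments: mov [rsp+8],rbx ; sub rsp,imm8 ; push rbx / sub rsp
PROLOGUES = [b"\x48\x89\x5c\x24", b"\x48\x83\xec", b"\x40\x53\x48\x83\xec"]


def build_fake_image(body_markers=BODY_MARKERS):
    """Constructed PE-like image: DOS header, 'PE\\0\\0' signature and a section-table
    entry in page 0, then a .text-like body at RVA 0x1000. Not a loadable binary."""
    hdr = bytearray(PAGE)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew: PE signature at 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    hdr[0x200:0x208] = b".text\0\0\0"           # one section-table entry name
    body = bytearray(b"\x48\x89\x5c\x24\x08\x48\x83\xec\x20" * 64)
    for m in body_markers:
        body += m + b"\0"
    body += bytes(0x400)
    return bytes(hdr + body)


def wipe_headers(image, n=PAGE):
    """What the wiping step does: zero the first n bytes, keep the rest."""
    return bytes(n) + image[n:]


def has_pe_header(region):
    if len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    return region[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_region(region, executable=True):
    """Return 'not-executable', 'empty', 'pe-with-header',
    'header-wiped-pe-suspect' or 'unknown'."""
    if not executable:
        return "not-executable"
    if not any(region):
        return "empty"
    if has_pe_header(region):
        return "pe-with-header"
    leading_zeros = len(region) - len(region.lstrip(b"\0"))
    body = region[leading_zeros:]
    marker_hits = sum(1 for m in BODY_MARKERS if m in body)
    prologue_hits = sum(body.count(p) for p in PROLOGUES)
    # Heuristic: at least one zero page where a header should be, followed by
    # code-like bytes and API names that only make sense inside a PE image.
    if leading_zeros >= PAGE and marker_hits >= 2 and prologue_hits >= 4:
        return "header-wiped-pe-suspect"
    return "unknown"


if __name__ == "__main__":
    img = build_fake_image()
    print("intact:", classify_region(img))
    print("wiped :", classify_region(wipe_headers(img)))
```

On a live host the region bytes would come from reading each committed, executable, private (non-image-backed) region of the target process; the classification logic is unchanged. The prologue threshold keeps plain data buffers that happen to start with zeros out of the suspect bucket.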
Attack Chain and Persistence
The campaign demonstrated a distinctive “long game” approach:
- Initial Compromise: Attackers established persistence on an unmanaged endpoint
- Dormancy Period: The foothold lay dormant for several months after initial access
- Reactivation: Operations resumed with deployment of the AppleChris backdoor via WMI and .NET-based commands
- Lateral Movement: Systematic spread to domain controllers, web servers, IT workstations, and executive assets
C2 Infrastructure
The attackers used PowerShell scripts configured to establish reverse shells to the following command and control servers:
- 154.39.142[.]177
- 154.39.137[.]2038.212.169[.]27 (two addresses run together during extraction; the page does not show where the first one ends, i.e. whether the pair is 154.39.137[.]203 and 8.212.169[.]27 or 154.39.137[.]20 and 38.212.169[.]27)
- 109.248.24[.]177
Intelligence Targeting
The collected intelligence focused on:
- Official meeting records
- Joint military activities documentation
- Operational capabilities assessments
- C4I systems (Command, Control, Communications, Computers, and Intelligence)
- Military organizational structures and strategy
- Collaboration documents with Western armed forces
MITRE ATT&CK Techniques
- T1574.001: DLL Search Order Hijacking
- T1102.001: Dead Drop Resolver
- T1055.012: Process Hollowing
- T1070.006: Timestomping
- T1620: Reflective Code Loading
Why This Matters
This campaign represents a significant threat to regional security in Southeast Asia. The attackers’ focus on Western military collaboration documents suggests efforts to understand—and potentially counter—defensive alliances in the region. The custom-developed toolset and stable operational infrastructure indicate a well-resourced, patient adversary capable of maintaining long-term access to sensitive military networks.
Defense-sector organizations should deploy endpoint detection with memory-scanning coverage (the MemFun payload never touches disk), alert on Pastebin and Dropbox access from servers and other hosts with no business need for them, and scrutinize process creations parented by WMI for signs of lateral movement.
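The WMI pattern from the attack chain (the AppleChris deployment via WMI, and the lateral movement to domain controllers and web servers) shows up in the Windows Security log as process creations whose parent is WmiPrvSE.exe, the WMI provider host that spawns the child when a remote caller invokes Win32_Process.Create, preceded by a network logon from the caller. The detection below is an added example for this summary, not code from the report; the events are constructed, reduced to the fields of interest, and use event IDs 4688 (process creation, which needs the "Creator Process Name" field enabled) and 4624 logon type 3. The list of suspect child executables and the five-minute correlation window are assumptions.

```python
"""Surface WMI-driven remote execution: 4688 events where WmiPrvSE.exe spawned a
suspect child, annotated with the preceding network logons on the same host."""
from datetime import datetime, timedelta

# Assumption: nothing legitimate in this environment drives these through WMI.
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
                    "mshta.exe", "wscript.exe", "cscript.exe"}
CORRELATION_WINDOW = timedelta(minutes=5)

SAMPLE_EVENTS = [  # constructed, not from the report
    {"time": "2024-03-02T02:10:03", "host": "DC01", "id": 4624, "logon_type": 3,
     "src_ip": "10.10.5.21", "user": "CORP\\svc-backup"},
    {"time": "2024-03-02T02:10:05", "host": "DC01", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"time": "2024-03-02T02:11:40", "host": "DC01", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"time": "2024-03-02T03:00:00", "host": "WEB01", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Program Files\Monitoring\agent.exe", "cmdline": "agent.exe --collect"},
    {"time": "2024-03-02T09:15:00", "host": "WS17", "id": 4688,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_encoded_powershell(child, cmdline):
    """PowerShell accepts -ec and any unambiguous prefix of -EncodedCommand."""
    if child != "powershell.exe":
        return False
    for tok in cmdline.lower().split():
        if tok == "-ec" or (len(tok) >= 2 and "-encodedcommand".startswith(tok)):
            return True
    return False


def wmi_spawned_children(events, suspect=SUSPECT_CHILDREN, window=CORRELATION_WINDOW):
    """Return a list of hits: WmiPrvSE.exe -> suspect child, with the network
    logons seen on that host within `window` before it (the likely remote callers)."""
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    hits = []
    for e in events:
        if e["id"] != 4688 or basename(e["parent"]) != "wmiprvse.exe":
            continue
        child = basename(e["image"])
        if child not in suspect:
            continue
        t = datetime.fromisoformat(e["time"])
        callers = sorted({(l["src_ip"], l["user"]) for l in logons
                          if l["host"] == e["host"]
                          and timedelta(0) <= t - datetime.fromisoformat(l["time"]) <= window})
        hits.append({"host": e["host"], "time": e["time"], "child": child,
                     "cmdline": e["cmdline"],
                     "encoded": is_encoded_powershell(child, e["cmdline"]),
                     "likely_callers": callers})
    return hits


if __name__ == "__main__":
    for h in wmi_spawned_children(SAMPLE_EVENTS):
        print(h["time"], h["host"], h["child"], "encoded" if h["encoded"] else "", h["likely_callers"])
```

The same parent-based rule expressed against Sysmon Event ID 1 (ParentImage ends with WmiPrvSE.exe) gives command lines without enabling auditing of process command lines in the Security log; the correlation with logon type 3 is what turns a noisy rule into an attributable one, since it names the source host that the report's lateral-movement pattern would lead back to.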
Source: Unit 42 / Palo Alto Networks
