China-linked hackers quietly targeted Southeast Asian military systems for years, researchers say
A long-running cyber espionage campaign has targeted military organizations across Southeast Asia since at least 2020, according to Palo Alto Networks Unit 42. The company tracks the activity cluster as CL-STA-1087 and says, with moderate confidence, that the operation is linked to a China-based threat actor focused on intelligence collection rather than smash-and-grab data theft.
Unit 42 says the attackers showed patience, discipline, and a clear interest in strategic military information. Researchers said the group searched for files tied to military capabilities, organizational structures, and collaboration with Western armed forces, which suggests a targeted espionage mission rather than a broad criminal operation.
The intrusion first surfaced after suspicious PowerShell activity appeared on an unmanaged endpoint inside a victim network. From there, investigators found the operation was not new at all. The attackers had already built persistence, used delayed execution to avoid sudden activity spikes, and maintained access across sensitive systems over a long period.
How the campaign worked
Unit 42 says the attackers used delayed PowerShell scripts that slept for six hours between actions before creating reverse shells to command-and-control infrastructure. That timing helped reduce obvious behavioral spikes and likely improved the group’s chances of staying under the radar of automated detection systems.
Once active again, the attackers moved laterally through the environment using Windows Management Instrumentation (WMI) and native .NET commands. Researchers say the malware spread to domain controllers, web servers, IT workstations, and executive systems, which shows a deliberate focus on high-value military and administrative assets.
The campaign also stood out for its persistence methods. Unit 42 says the attackers created Windows services and abused DLL hijacking to blend malicious files into legitimate service behavior. Those techniques let the group keep a stable foothold while limiting obvious signs of compromise.
The custom malware behind the operation
Researchers identified three main tools in the campaign: AppleChris, MemFun, and Getpass. AppleChris served as a primary backdoor, while MemFun acted as a stealthier in-memory backdoor. Getpass, meanwhile, was a custom credential theft tool based on Mimikatz functionality.
Unit 42 says AppleChris could enumerate drives and processes, browse directories, upload and download files, delete data, and execute remote shell commands. Some versions relied on Pastebin as a dead drop resolver to retrieve the real command-and-control address, while one earlier version also used Dropbox as part of the same mechanism.
MemFun was built to stay in memory and avoid leaving a clear disk footprint. Unit 42 says it used techniques such as process hollowing into dllhost.exe, reflective DLL loading, and timestomping to stay hidden. The tool also used session-specific Blowfish keys to encrypt payload exchanges.
Getpass targeted lsass.exe to steal plaintext passwords, NTLM hashes, and authentication data. Researchers said it stored stolen data in a file named WinSAT.db to resemble a legitimate Windows file, which added another layer of camouflage.
Why researchers suspect a China nexus
Unit 42 did not publicly assign the operation to a named threat group, but it assessed the cluster as operating out of China with moderate confidence. The researchers pointed to working-hour patterns aligned with UTC+8, infrastructure that included China-based cloud services, and Simplified Chinese language elements in parts of the command-and-control environment.
Those indicators do not amount to a formal public attribution to a specific Chinese state group. Still, they do support the broader assessment that the campaign fits a China-nexus espionage profile focused on military and geopolitical intelligence.
Key findings at a glance
- Campaign tracked as CL-STA-1087
- Targets included military organizations in Southeast Asia
- Activity dates back to at least 2020
- Suspected China-based origin with moderate confidence
- Main tools included AppleChris, MemFun, and Getpass
- Attackers used PowerShell delays, WMI, .NET commands, DLL hijacking, and Windows services for stealth and persistence
- Primary goal appeared to be strategic intelligence collection, not mass data theft
Malware and tradecraft summary
| Component | Role | Notable behavior |
|---|---|---|
| AppleChris | Primary backdoor | File operations, process enumeration, remote shell, dynamic C2 retrieval |
| MemFun | In-memory backdoor | Process hollowing, reflective DLL loading, timestomping |
| Getpass | Credential theft tool | Harvests passwords and hashes from lsass.exe, stores output as WinSAT.db |
| Delivery and movement | Post-compromise operations | PowerShell sleep logic, WMI lateral movement, native .NET commands |
| Persistence | Long-term access | New Windows services and DLL hijacking |
This table reflects details published by Unit 42.
Why this campaign matters
This operation highlights how modern state-linked espionage can succeed without noisy malware outbreaks or obvious disruption. The attackers appeared to value stable access, narrow targeting, and long dwell times more than quick wins. That makes detection harder, especially in environments where unmanaged systems, weak visibility, or fragmented logging create blind spots.
The focus on military networks raises the stakes. Systems tied to command, control, communications, intelligence, and executive decision-making can expose sensitive operational data even if attackers do not steal huge volumes of information. In that context, precision matters more than scale.
What defenders should do
- Monitor PowerShell and WMI activity closely
- Investigate long sleep intervals in suspicious scripts
- Audit LSASS access attempts and credential dumping behavior
- Watch for unauthorized Windows service creation
- Hunt for DLL hijacking patterns in system directories
- Correlate endpoint, identity, and network telemetry instead of reviewing them in isolation
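The first three checks on that list, as an added example that is not from the article or the Unit 42 report: a small Python triage script that runs over constructed, simplified Windows telemetry (PowerShell script-block events, service-install events, and Sysmon LSASS process-access events) and flags long Start-Sleep intervals followed by network activity, services installed from untrusted paths, and LSASS access from untrusted binaries. The event layout, hostnames, paths, and the one-hour threshold are assumptions chosen for the example.

```python
import re

# Constructed sample telemetry (illustrative, not taken from the Unit 42 report):
# PowerShell script-block logs (4104), Service Control Manager "service installed"
# events (7045) and Sysmon ProcessAccess events (10), reduced to plain dicts.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws-unmanaged-01",
     "script": "Start-Sleep -Seconds 21600; $c = New-Object Net.Sockets.TCPClient('203.0.113.10', 443)"},
    {"id": 4104, "host": "ws-it-07",
     "script": "Start-Sleep -Seconds 5; Get-Service | Out-File svc.txt"},
    {"id": 7045, "host": "dc-01", "service": "WinUpdateSvc",
     "image": "C:\\Users\\Public\\Libraries\\updater.exe"},
    {"id": 7045, "host": "dc-01", "service": "Spooler",
     "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 10, "host": "ws-exec-02", "source": "C:\\Users\\Public\\dumper.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": "0x1010"},
]

LONG_SLEEP_SECONDS = 3600  # assumed threshold of one hour; the campaign reportedly slept six
SLEEP_RE = re.compile(r"Start-Sleep\s+-(Seconds|Milliseconds)\s+(\d+)", re.IGNORECASE)
NETWORK_RE = re.compile(r"Net\.Sockets\.TCPClient|Invoke-Expression|\bIEX\b", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")  # assumed allow-list for binaries

def sleep_seconds(script):
    """Return the longest Start-Sleep interval found in a script block, in seconds."""
    longest = 0
    for unit, value in SLEEP_RE.findall(script):
        secs = int(value) / 1000 if unit.lower() == "milliseconds" else int(value)
        longest = max(longest, secs)
    return longest

def analyze(events):
    """Apply the three checks; return (host, rule, detail) tuples for follow-up."""
    findings = []
    for ev in events:
        if ev["id"] == 4104:
            delay = sleep_seconds(ev["script"])
            if delay >= LONG_SLEEP_SECONDS and NETWORK_RE.search(ev["script"]):
                findings.append((ev["host"], "long_sleep_then_network", f"sleep={int(delay)}s"))
        elif ev["id"] == 7045 and not ev["image"].lower().startswith(TRUSTED_DIRS):
            findings.append((ev["host"], "service_from_untrusted_path", ev["image"]))
        elif ev["id"] == 10 and ev["target"].lower().endswith("\\lsass.exe"):
            if not ev["source"].lower().startswith(TRUSTED_DIRS):
                findings.append((ev["host"], "lsass_access_untrusted_source", ev["source"]))
    return findings

if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

In practice the same three rules would be expressed in the SIEM's query language and fed by real event forwarding; the point here is that each rule keys on a behaviour the report describes rather than on a file hash.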
FAQ
It is the name Palo Alto Networks Unit 42 gave to a long-running espionage cluster targeting military organizations in Southeast Asia. Researchers say the activity dates back to at least 2020.
Unit 42 says the operation is suspected, with moderate confidence, to be operating out of China. The company has not publicly named a specific threat group.
Researchers identified AppleChris and MemFun as custom backdoors, along with Getpass, a credential theft tool with Mimikatz-like functionality.
Unit 42 says the group searched for highly specific files tied to military capabilities, organization charts, and cooperation with Western armed forces.