A threat intelligence team has documented a cyber-espionage operation aimed at South-East Asian military organizations which, according to the evidence, dates back to at least 2020. The analysts behind the Palo Alto Networks Unit 42 report track this activity as CL-STA-1087: a cluster of intrusions with signs of state sponsorship and a consistent pattern of selective intelligence collection.
What distinguishes this campaign is not the volume of stolen data but the precision with which the attackers sought specific documents (reports on operational capabilities, organizational structures and records of collaboration with Western armed forces) rather than exfiltrating large volumes of irrelevant information. This deliberate targeting points to intelligence purposes that could feed strategic analysis and military planning.

From a technical standpoint, the operation shows the characteristic features of APT groups: custom-built payloads, stable command and control infrastructure, defence evasion techniques and multi-stage execution chains that provide persistent, stealthy access to compromised systems. Among the tools identified are the backdoors known as AppleChris and MemFun, and a credential extractor named Getpass, a custom variant of the well-known Mimikatz utility (Mimikatz repository).
One of the more interesting operational signs is the use of public services as repositories to hide the real location of the command and control servers. Both AppleChris and MemFun retrieve Base64-encoded C2 addresses stored in Pastebin posts (a "dead drop resolver" in MITRE's taxonomy); one variant even uses Dropbox as its primary source and Pastebin only as a fallback. These traceable posts date from September 2020, which helps establish the longevity of the operation.
The persistence mechanisms rely on known but still effective techniques for bypassing controls: AppleChris can be launched through DLL hijacking, and offers features such as drive enumeration, directory listing, file transfer, remote command execution and silent process creation. Successive versions of the tool show growing sophistication in handling network proxies and in obtaining C2 addresses.
MemFun behaves more like a modular platform: it runs through a chain of stages in which an initial loader injects shellcode that downloads into memory a component which, in turn, fetches its configuration from Pastebin and retrieves a DLL from the command server. By pulling the DLL at run time, operators can swap payloads without touching the initially deployed artifacts, which makes stealthy modifications and updates easier.
To avoid detection by automated analysis environments, some variants delay execution: they use sleep timers that outlast typical sandbox observation windows. In addition, MemFun performs anti-forensic checks before tampering with timestamps, and uses process hollowing to run the payload in the context of legitimate processes such as dllhost.exe, reducing the on-disk footprint and complicating forensic attribution.
Credential theft deserves a separate note: Getpass operates on the memory of lsass.exe to try to obtain clear-text passwords, NTLM hashes and other authentication material, replicating classic lateral movement and privilege escalation tactics. This capability makes the attackers an even greater threat to networks with poor segmentation or weak access control configurations.
What does all this mean for military organizations and entities connected to defence operations? First, the campaign shows that the attackers are selective and patient: they maintain dormant access for long periods, prioritize targeted collection and apply operational security measures to prolong their stay. Second, the combined use of modular tools, public services as temporary repositories and evasion techniques means that defence requires much more than antivirus signatures.
In practical terms, early detection can rely on monitoring suspicious PowerShell executions, watching for processes that read lsass.exe memory, and identifying connections to paste or cloud storage services that do not fit the legitimate usage pattern. Microsoft offers mechanisms to protect the credential environment and recommendations to mitigate memory theft; for example, features such as Credential Guard help reduce the risk of direct extraction from lsass (Microsoft documentation).

Basic but effective hygiene controls are also recommended: network segmentation, least-privilege policies, continuous logging and analysis of process activity and outbound connections, and EDR capabilities that can detect memory injection, process hollowing and abnormal DLL loading patterns. To understand the specific techniques the attackers used, it is worth reviewing the MITRE mappings, which detail vectors such as obtaining C2 addresses via public services and the hijacking and hollowing techniques already mentioned (Pastebin, DLL hijacking, process hollowing).
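The detection ideas above (lsass memory reads, dead-drop hosts contacted by unexpected processes, suspicious PowerShell flags) can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from the Unit 42 report or from any vendor: it runs three such rules over constructed Sysmon-style events with a simplified field schema, and the allowlists of legitimate lsass readers and expected clients of paste/storage services are hypothetical and would be tuned per environment.

```python
import ntpath

# Constructed Sysmon-style events (EventID 10 = ProcessAccess, 3 = NetworkConnect,
# 1 = ProcessCreate). Field names are simplified; this is not real Sysmon XML.
SAMPLE_EVENTS = [
    {"id": 10, "src": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1000},
    {"id": 10, "src": r"C:\Users\u\AppData\Local\Temp\getpass.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    {"id": 3, "image": r"C:\Windows\System32\dllhost.exe", "host": "pastebin.com"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "host": "pastebin.com"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Hypothetical allowlist of processes expected to open lsass with read access.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Hosts used as dead drop resolvers per the report, and clients expected to reach them.
DEAD_DROP_HOSTS = {"pastebin.com", "dropbox.com", "dl.dropboxusercontent.com"}
DEAD_DROP_EXPECTED = {"firefox.exe", "chrome.exe", "msedge.exe", "dropbox.exe"}
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, detail) findings for the behaviours the campaign description lists."""
    findings = []
    for ev in events:
        if ev["id"] == 10 and base(ev["target"]) == "lsass.exe":
            # Credential theft: an unexpected process reading lsass memory.
            if ev["access"] & PROCESS_VM_READ and base(ev["src"]) not in LSASS_READERS_ALLOWED:
                findings.append(("lsass_read", base(ev["src"])))
        elif ev["id"] == 3 and ev["host"].lower() in DEAD_DROP_HOSTS:
            # Dead drop resolver: paste/storage service contacted by a non-browser process.
            if base(ev["image"]) not in DEAD_DROP_EXPECTED:
                findings.append(("dead_drop_host", f"{base(ev['image'])} -> {ev['host']}"))
        elif ev["id"] == 1 and base(ev["image"]) == "powershell.exe":
            # Encoded or hidden-window PowerShell is a common loader pattern.
            cmd = ev["cmdline"].lower()
            if any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS):
                findings.append(("suspicious_powershell", ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On the sample data the svchost and Firefox events are ignored, while the getpass.exe read of lsass, the dllhost.exe connection to pastebin.com and the encoded PowerShell command are each reported once.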
Attribution to a China-based actor remains in the realm of informed suspicion: the technical indicators and targets match earlier campaigns associated with state operators, but the security community is usually cautious about firm attribution without further corroboration. What is indisputable is the strategic nature of the targeting: command and control systems, organizational structures and military cooperation records are exactly the kinds of data that interest intelligence services.
In short, this is an operation that combines patience, precision and current evasion techniques. For defenders and security officers in sensitive sectors, the lesson is clear: resilience depends on continuous monitoring, behaviour-based detection and measures to protect credentials and processes. Those who manage critical infrastructure must assume that trained, state-funded attackers operate over a long time horizon with very specific target selection criteria, and prepare their defences accordingly.