The PolySwarm Blog


China-Linked Espionage Campaign Targets Southeast Asian Military Networks

Mar 23, 2026 2:53:38 PM / by The Hivemind

Verticals Targeted: Defense
Regions Targeted: Southeast Asia
Related Families: AppleChris, MemFun, Getpass

Executive Summary

A long-running espionage campaign, tracked as CL-STA-1087, is targeting Southeast Asian military organizations using custom backdoors and credential harvesting tools. The activity demonstrates sustained persistence, operational discipline, and a focus on high-value intelligence collection.

Key Takeaways

  • The threat actors deployed custom backdoors, including AppleChris and MemFun, leveraging Dead Drop Resolver (DDR) techniques via Pastebin and Dropbox.
  • They used a modified Mimikatz variant, Getpass, for credential harvesting from LSASS memory.
  • The threat actors maintained long-term persistence with dormant periods and reactivation aligned to operational objectives.
  • Targeted intelligence collection focused on military structures, C4I systems, and joint operations.

The Campaign

The CL-STA-1087 activity cluster represents a sustained and highly targeted cyber espionage campaign assessed with moderate confidence to be linked to a China-aligned threat actor. Active since at least 2020, the campaign focuses on intelligence collection from Southeast Asian military organizations, prioritizing specific operational and strategic data over large-scale exfiltration. Palo Alto’s Unit 42 reported on this activity.

Initial detection occurred through suspicious PowerShell activity identified by endpoint security tooling, which revealed an existing compromise. The threat actors had established persistence on an unmanaged endpoint, using delayed execution scripts that initiated reverse shells to multiple C2 servers. These scripts incorporated extended sleep intervals of six hours, likely intended to evade automated detection systems.

Following a period of dormancy lasting several months, the attackers resumed operations and initiated lateral movement across the network. The campaign leveraged Windows Management Instrumentation (WMI) and native Windows .NET commands to deploy malware across critical infrastructure, including domain controllers, web servers, IT workstations, and executive systems. Persistence mechanisms included the creation of new services and DLL hijacking, specifically through the placement of malicious DLLs within the system32 directory and registration through legitimate Windows services.

Backdoors and Credential Harvesting

The primary backdoor, AppleChris, was deployed in multiple Portable Executable (PE) variants. These samples utilized a Dead Drop Resolver (DDR) technique to dynamically retrieve C2 infrastructure from Pastebin and, in earlier variants, Dropbox. Retrieved data was Base64-decoded and decrypted using an embedded RSA-1024 private key, enabling the malware to resolve C2 infrastructure without exposing static indicators. AppleChris supports a range of capabilities including file operations, process enumeration, and remote shell execution, with communication conducted through custom HTTP verbs.

A secondary backdoor, MemFun, operates as a modular, multi-stage payload executed entirely in memory. The infection chain includes a loader (GoogleUpdate.exe), an in-memory downloader, and a final DLL payload retrieved from the C2 server. MemFun employs multiple evasion techniques, including timestomping, process hollowing into dllhost.exe, and reflective DLL loading. It also implements session-specific encryption using dynamically generated Blowfish keys, allowing the C2 server to deliver encrypted payloads tailored to each execution instance.

Credential harvesting was conducted using Getpass, a custom Mimikatz variant. This tool extracts plaintext credentials, NTLM hashes, and authentication data from the lsass.exe process by targeting multiple Windows authentication packages. Unlike standard Mimikatz, this variant executes automatically and stores harvested data in a file named WinSAT.db, which is designed to resemble a legitimate Windows system database.
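The three host behaviours described above (the six-hour Start-Sleep in the PowerShell scripts, DDR lookups to Pastebin/Dropbox from a non-browser process, and LSASS access followed by a WinSAT.db write) can be hunted together in endpoint telemetry. The following detector is an added example, not code from PolySwarm or Unit 42: the Sysmon-style events, the pastebin.com/dropbox.com hostnames, the browser allowlist and the file paths are all constructed assumptions.

```python
import json
import re

# Constructed Sysmon-style events (JSON lines), one per behaviour plus benign
# look-alikes. These are illustrative, not telemetry from the campaign.
SAMPLE_EVENTS = r"""
{"type":"process","pid":4120,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -w hidden -c Start-Sleep -Seconds 21600; & $env:TEMP\\u.ps1"}
{"type":"process","pid":4131,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -c Get-Service"}
{"type":"dns","pid":5022,"image":"C:\\Windows\\System32\\dllhost.exe","query":"pastebin.com"}
{"type":"dns","pid":3001,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","query":"pastebin.com"}
{"type":"process_access","pid":6100,"image":"C:\\Users\\Public\\harvester.exe","target":"C:\\Windows\\System32\\lsass.exe"}
{"type":"file_create","pid":6100,"image":"C:\\Users\\Public\\harvester.exe","path":"C:\\ProgramData\\WinSAT.db"}
"""

# Matches "Start-Sleep 21600", "Start-Sleep -s 21600" and "Start-Sleep -Seconds 21600".
SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.IGNORECASE)
LONG_SLEEP_SECONDS = 3600                      # the report describes six-hour sleeps
DDR_HOSTS = ("pastebin.com", "dropbox.com")    # assumed hostnames for the services named
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")  # assumed allowlist

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def detect(events):
    """Return (rule, pid) hits; LSASS access is correlated with a later WinSAT.db write by pid."""
    hits = []
    lsass_touchers = set()
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process" and image == "powershell.exe":
            m = SLEEP_RE.search(ev["cmd"])
            if m and int(m.group(1)) >= LONG_SLEEP_SECONDS:
                hits.append(("long_sleep_powershell", ev["pid"]))
        elif ev["type"] == "dns" and image not in BROWSERS:
            q = ev["query"].lower()
            if any(q == h or q.endswith("." + h) for h in DDR_HOSTS):
                hits.append(("ddr_lookup_from_non_browser", ev["pid"]))
        elif ev["type"] == "process_access" and ev["target"].lower().endswith("\\lsass.exe"):
            lsass_touchers.add(ev["pid"])
        elif ev["type"] == "file_create" and ev["path"].lower().endswith("\\winsat.db"):
            if ev["pid"] in lsass_touchers:
                hits.append(("lsass_access_then_winsat_db", ev["pid"]))
    return hits

if __name__ == "__main__":
    for rule, pid in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid {pid}")
```

The benign Get-Service invocation and the browser's Pastebin lookup produce no hits, so the rules key on the behaviour combination rather than on any single domain or filename.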

Attribution

This activity has not been linked to a particular threat actor group. However, the attackers demonstrated consistent operational patterns aligned with UTC+8 business hours. Infrastructure analysis identified the use of China-based cloud services, along with Simplified Chinese language elements observed within parts of the C2 environment. For these reasons, the threat actors are assessed to have a China nexus.

Analyst Commentary

This campaign reflects a mature and persistent espionage operation characterized by long-term access, segmented infrastructure, and targeted intelligence collection. The use of custom tooling, encrypted C2 resolution, and in-memory execution techniques indicates a strong emphasis on maintaining stealth and operational longevity within compromised environments.

IOCs

PolySwarm has a sample of AppleChris.


413daa580db74a38397d09979090b291f916f0bb26a68e7e0b03b4390c1b472f


Topics: Threat Bulletin, APT, military targeting, China cyber espionage, DDR technique, AppleChris malware, MemFun backdoor, Pastebin C2, credential harvesting
