CL-STA-1087: China-Linked Espionage Cluster Targets Southeast Asian Militaries with Custom Backdoors

RedSheep Reports | March 17, 2026

An espionage operation assessed with moderate confidence to be Chinese state-sponsored has been quietly siphoning military intelligence from Southeast Asian armed forces since at least 2020. Palo Alto Networks' Unit 42 published research detailing the activity cluster they track as CL-STA-1087, which deployed two custom backdoors, AppleChris and MemFun, alongside a Mimikatz-derived credential harvester called Getpass [1]. The attackers weren't after bulk data. They systematically hunted for files related to military capabilities, organizational structures, and collaborative efforts with Western armed forces [1].

The campaign's disclosure arrives amid broader U.S. and allied government warnings about Chinese cyber operations worldwide. In August 2025, CISA issued a joint advisory covering Chinese APT actors (Salt Typhoon, GhostEmperor, OPERATOR PANDA, RedMike, and UNC5807) targeting telecommunications and critical infrastructure across the U.S., Australia, Canada, New Zealand, and the UK [2]. CL-STA-1087 fits this pattern of sustained, patient intelligence collection by Beijing-aligned operators, though Unit 42 has not formally attributed it to a named APT group.

Background: The Threat Cluster

CL-STA-1087 is a Unit 42 designation, not a formal attribution to a known Chinese APT [1]. The cluster's tradecraft, target selection, and infrastructure choices all point strongly toward a China-nexus actor. The operators demonstrated what researchers described as "strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft" [3].

The campaign's focus on military capabilities, organizational structures, and collaborative efforts with Western armed forces within Southeast Asian militaries makes the intelligence value clear [3]. These systems coordinate military operations, manage logistics, and handle secure communications. Access to them provides insight into doctrine, readiness, capability gaps, and the extent of defense partnerships with Western nations.

This kind of targeting aligns with Beijing's long-standing strategic priorities in the South China Sea and broader Indo-Pacific region. Understanding how regional militaries coordinate with the U.S., Australia, and other Western partners is a core intelligence requirement for Chinese military planning.

AppleChris: The Primary Backdoor

Unit 42 named the first backdoor AppleChris after the mutex 0XFEXYCDAPPLE05CHRIS that appears in its infection chain [1]. AppleChris is a relatively static backdoor, meaning its core functionality doesn't change dramatically across variants. It arrives on target systems through DLL search order hijacking, with the malicious payload disguised as swrpv.sys [1].

The malware masquerades as legitimate software processes. Researchers observed it deployed alongside GoogleUpdate.exe and update.exe, filenames chosen to blend into environments where Google software update mechanisms or generic system updates are common [1].

AppleChris uses Dead Drop Resolvers (DDRs) hosted on pastebin.com and dropbox.com to retrieve its C2 configuration [1]. This technique is effective because traffic to Pastebin and Dropbox looks normal in most enterprise environments. The actual C2 infrastructure sits behind these DDRs, with traffic routed through multiple IP addresses across different hosting providers.

Some AppleChris variants include sandbox evasion through sleep timers at runtime, designed to outlast the analysis windows of automated security systems [3]. A sandbox that only monitors execution for a few minutes will miss the malware's actual behavior entirely.

MemFun: The Modular Platform

The second backdoor, MemFun, represents a more sophisticated capability. Unlike AppleChris, MemFun is a multi-stage modular platform [3]. It injects itself into legitimate processes through process hollowing, specifically targeting dllhost.exe [1]. Process hollowing lets the malware run inside a trusted Windows process, making detection through process-level monitoring much harder.

MemFun's modular design means operators can load additional capabilities on demand without deploying entirely new binaries. This reduces the footprint on compromised systems and limits the artifacts available to incident responders. The platform approach also suggests a mature development pipeline behind the operation: someone is building and maintaining a flexible toolset, not just deploying one-off scripts.

The contrast between AppleChris and MemFun is notable. AppleChris appears to serve as the initial foothold and persistent access mechanism. MemFun gets deployed for deeper operations once the attackers have established confidence in their access. This two-tier approach mirrors the operational patterns seen in other Chinese espionage campaigns where different tools serve different phases of the kill chain.

Getpass: Credential Harvesting

For credential theft, CL-STA-1087 deployed Getpass, a custom tool derived from the well-known Mimikatz framework [1]. Getpass targets lsass.exe, the Local Security Authority Subsystem Service process that handles Windows authentication [3]. Extracting credentials from LSASS memory is one of the oldest and most reliable techniques for lateral movement in Windows environments.

Getpass logs its output to WinSAT.db, a filename that resembles a legitimate Windows System Assessment Tool database [1].

C2 Infrastructure

The campaign used a distributed C2 infrastructure spanning multiple hosting providers. Unit 42 identified eight C2 IP addresses associated with the operation [1]. Several of these sit in Alibaba Cloud IP ranges (the 8.212.x.x and 8.220.x.x blocks), which is consistent with, though not exclusively indicative of, Chinese-origin infrastructure.

The DDR approach using Pastebin and Dropbox as intermediaries gives the operators flexibility to rotate C2 servers without modifying the malware on compromised endpoints. The malware checks the DDR, gets the current C2 address, and connects. Rotating the actual C2 server only requires updating a Pastebin post or Dropbox file.

The operators also maintained dormant access for months at a time, activating their implants only when needed for specific collection tasks [3]. This patience makes the campaign much harder to detect through behavioral analysis. A backdoor that phones home once every few weeks generates far less anomalous traffic than one with a regular beacon interval.

IOC Table

MITRE ATT&CK Techniques

Note: Initial access vector remains unknown [3]

Detection and Hunting

Network-level indicators: Monitor for outbound connections to the C2 IPs listed above. More broadly, look for anomalous HTTPS connections to Pastebin and Dropbox that originate from server infrastructure or endpoints that shouldn't be accessing those services. Baseline your Pastebin traffic: most organizations have very little, and sudden access from a server is suspicious.

Endpoint detection: Hunt for swrpv.sys on disk and WinSAT.db files outside of the legitimate %WINDIR%\Performance\WinSAT directory. Look for GoogleUpdate.exe or update.exe running from unexpected paths, particularly temp directories or user profile folders.

Process behavior: Monitor dllhost.exe for signs of process hollowing. Legitimate dllhost.exe instances are spawned by svchost.exe. Instances with unusual parent processes, injected threads, or unexpected network connections warrant investigation.

LSASS access: Getpass targets lsass.exe for credential extraction [3]. Sysmon Event ID 10 (ProcessAccess) with lsass.exe as the target and unusual SourceImage values is a strong signal. Windows Credential Guard, where deployed, mitigates this entire class of attack.

Persistence artifacts: Check for suspicious entries in Registry Run Keys (HKLM/HKCU \Software\Microsoft\Windows\CurrentVersion\Run) pointing to the filenames identified in the IOC table [1].

Analysis

CL-STA-1087 is a focused, professionally operated espionage campaign. The multi-year timeline, custom tooling, and deliberate target selection all indicate a well-resourced actor with specific collection requirements. This isn't opportunistic access for sale on criminal forums. The intelligence targets (military capabilities, organizational structures, Western military cooperation documents) map directly to Chinese strategic interests in the Indo-Pacific [1][3].

The campaign's operational security deserves attention. Using DDRs on legitimate cloud services, maintaining dormant access periods, and employing sandbox evasion all demonstrate awareness of defender capabilities. The two-tier backdoor approach (AppleChris for persistence, MemFun for deeper operations) suggests operational maturity and possibly separate development teams for different tools.

CISA's August 2025 advisory on Chinese cyber operations [2] provides important context. CL-STA-1087 is one piece of a much larger apparatus. The same strategic patience and infrastructure tradecraft appear across Salt Typhoon's telecommunications targeting, GhostEmperor's operations, and now this military-focused cluster. The tooling differs, but the operational philosophy is consistent.

Southeast Asian defense organizations face a particularly difficult challenge. Many lack the monitoring infrastructure and incident response capabilities of their Western counterparts, yet they possess intelligence that is directly relevant to Chinese military planning. The gap between the threat and the defense is significant.

References

[1] Palo Alto Networks Unit 42, "Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia," https://unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/

[2] CISA, "Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System," https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a (August 2025)

[3] The Hacker News, "Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware," https://thehackernews.com/2026/03/chinese-hackers-target-southeast-asian.html