Chinese Cyber Espionage Targets Southeast Asian Military C4I Systems Using AppleChris and MemFun Malware

Executive Summary
A highly sophisticated cyber espionage campaign, attributed to a China-based threat cluster, has been actively targeting Southeast Asian military organizations since at least 2020. This campaign leverages two advanced custom malware families, AppleChris and MemFun, alongside a credential harvesting tool known as Getpass (a customized variant of Mimikatz). The attackers exhibit advanced operational security, strategic patience, and a clear focus on exfiltrating sensitive military intelligence, including details on command structures, joint operations, and collaborations with Western defense partners. The campaign’s technical sophistication, stealth, and persistence underscore the evolving threat landscape facing defense and government sectors in the region.
Threat Actor Profile
The threat actor behind this campaign is tracked as CL-STA-1087 by Palo Alto Networks Unit 42. While not explicitly mapped to a public APT designation, the group’s tactics, techniques, and procedures (TTPs) are consistent with Chinese state-sponsored cyber espionage operations. The cluster demonstrates a high degree of operational discipline, including the use of time zone-aligned activity (UTC+8), infrastructure and malware development practices typical of Chinese APTs, and a focus on long-term, intelligence-driven objectives. The group’s targeting of military and defense organizations in Southeast Asia aligns with broader strategic interests attributed to Chinese cyber operations.
Technical Analysis of Malware/TTPs
The campaign employs a multi-stage infection chain, advanced persistence mechanisms, and custom malware designed for stealth and flexibility.
AppleChris is a modular backdoor with two primary variants: the older Dropbox variant and the newer Tunneler variant. The Dropbox variant uses Dropbox as a dead drop resolver (DDR) for command-and-control (C2) address retrieval, while the Tunneler variant introduces proxy tunneling capabilities and leverages Pastebin for DDR. Both variants achieve persistence via DLL hijacking, specifically by registering malicious DLLs (such as swprv32.sys) as components of the Windows Volume Shadow Copy Service. The malware employs sandbox evasion techniques, including sleep timers (30 seconds for EXE, 120 seconds for DLL), and enforces a unique mutex (0XFEXYCDAPPLE05CHRIS) to prevent multiple instances. AppleChris supports a wide range of functions, including drive and directory enumeration, file upload/download/deletion, process enumeration, remote shell execution, silent process creation, and proxy tunneling. Communication with the C2 server is obfuscated using custom HTTP verbs such as PUT, POT, DPF, UPF, CPF, and LPF, and C2 addresses are decrypted using an embedded RSA-1024 private key.
MemFun is a multi-stage, modular backdoor that operates entirely in memory to evade detection. The initial loader, typically masquerading as GoogleUpdate.exe, performs timestomping and process hollowing, injecting the payload into legitimate processes like dllhost.exe. C2 discovery is achieved via Pastebin, with session-specific Blowfish encryption and a custom HTTP pattern (using the verb Q instead of GET/POST). The payload is reflectively loaded as a DLL, and the malware zeroes out PE headers in memory to further evade forensic analysis. Additional evasion techniques include anti-debugging and token impersonation to bypass network proxies.
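The two C2 traits shared by AppleChris and MemFun described above, non-standard HTTP verbs and dead-drop lookups on Pastebin or Dropbox, are both visible in ordinary outbound proxy logs. The following added example (not code from the Unit 42 report or from Rescana) triages a constructed proxy log for those traits and then correlates them per client. The log format, client addresses, and the documentation IPs standing in for C2 servers are assumptions; the verb set and DDR hosts come from the description above.

```python
"""Triage of outbound HTTP proxy logs for the C2 traits described above.

Added example: the log format and hosts are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>".
# 203.0.113.45 and 198.51.100.7 are documentation addresses standing in for C2.
SAMPLE_LOG = """\
2024-05-02T01:12:03Z 10.0.8.21 GET https://update.microsoft.com/ 200
2024-05-02T01:12:09Z 10.0.8.21 POT https://203.0.113.45/index.php 200
2024-05-02T01:13:15Z 10.0.8.33 GET https://pastebin.com/raw/AbCdEf12 200
2024-05-02T01:13:16Z 10.0.8.33 Q https://198.51.100.7/api/ 200
2024-05-02T01:14:40Z 10.0.8.21 DPF https://203.0.113.45/index.php 200
2024-05-02T01:15:02Z 10.0.8.50 POST https://intranet.example/login 302
2024-05-02T01:16:22Z 10.0.8.21 GET https://www.dropbox.com/s/abc123/cfg.txt 200
"""

STANDARD_VERBS = {"GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE",
                  "PATCH", "CONNECT", "TRACE"}
# Custom verbs named in the report for AppleChris (POT, DPF, UPF, CPF, LPF)
# and MemFun (Q). PUT is also used by AppleChris but is a legitimate verb,
# so it is not treated as an indicator on its own.
REPORTED_VERBS = {"POT", "DPF", "UPF", "CPF", "LPF", "Q"}
# Dead-drop resolver hosts named in the report.
DDR_HOSTS = ("pastebin.com", "dropbox.com")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:]+)")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    h = HOST_RE.match(url)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": h.group(1).lower() if h else "", "status": int(status)}


def is_ddr_host(host):
    """True for the DDR domains themselves and their subdomains."""
    return any(host == d or host.endswith("." + d) for d in DDR_HOSTS)


def triage(log_text):
    """Return (client, severity, reason) findings for a block of log text."""
    per_client = defaultdict(lambda: {"ddr": False, "verbs": set(), "ips": set()})
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_client[rec["client"]]
        if is_ddr_host(rec["host"]):
            st["ddr"] = True
            findings.append((rec["client"], "low",
                             f"fetch from dead-drop host {rec['host']}"))
        if rec["method"] not in STANDARD_VERBS:
            st["verbs"].add(rec["method"])
            sev = "high" if rec["method"] in REPORTED_VERBS else "medium"
            findings.append((rec["client"], sev,
                             f"non-standard HTTP verb {rec['method']} to {rec['host']}"))
            if IP_RE.match(rec["host"]):
                st["ips"].add(rec["host"])
    # Correlate per client: a DDR fetch plus custom-verb traffic to a bare IP
    # is the combination the report describes for C2 address resolution.
    for client, st in per_client.items():
        if st["ddr"] and st["verbs"] and st["ips"]:
            findings.append((client, "critical",
                             f"DDR fetch combined with custom verbs {sorted(st['verbs'])} "
                             f"to {sorted(st['ips'])}"))
    return findings


if __name__ == "__main__":
    for client, sev, reason in triage(SAMPLE_LOG):
        print(f"{sev:8} {client:12} {reason}")
```

A fetch from Pastebin or Dropbox alone is only low severity because both services have legitimate users; the rule escalates to critical only when the same client also sends non-standard verbs to a bare IP address, which is the pairing that the DDR-then-C2 sequence described above produces.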
Getpass is a custom variant of Mimikatz designed for credential harvesting. It targets lsass.exe to extract plaintext passwords, NTLM hashes, and other authentication data. The tool masquerades as a legitimate Palo Alto Networks utility and logs output to a file named WinSAT.db. It escalates privileges by acquiring SeDebugPrivilege, enabling it to access sensitive process memory.
The attackers utilize a combination of malicious PowerShell scripts, DLL hijacking, and the creation of new Windows services for persistence. Lateral movement is achieved using Windows Management Instrumentation (WMI) and native .NET commands, allowing the malware to propagate across domain controllers, web servers, IT workstations, and executive endpoints.
Exploitation in the Wild
The campaign has been observed targeting military organizations across Southeast Asia, with a particular focus on intelligence related to C4I (Command, Control, Communications, Computers, and Intelligence) systems, joint military activities, and organizational hierarchies. The attackers maintain dormant access for extended periods, often months, before initiating data exfiltration. Operational security is maintained through the rotation of C2 infrastructure, use of dead drop resolvers (Pastebin and Dropbox), and activity patterns aligned with Chinese business hours. The attackers conduct highly selective file searches, credential harvesting, and exfiltration of sensitive documents, demonstrating a clear intelligence-gathering mandate.
Victimology and Targeting
The primary victims are military and defense organizations in Southeast Asia; compromised assets include domain controllers, web servers, IT workstations, and executive-level endpoints. The campaign is regionally focused, with no specific countries named in public reporting, but the targeting aligns with strategic interests in the region. The attackers prioritize assets likely to contain sensitive operational and organizational information, and their activity suggests a deep understanding of military network architectures and workflows.
Mitigation and Countermeasures
Organizations are strongly advised to implement a multi-layered defense strategy to detect and mitigate the threats posed by AppleChris, MemFun, and Getpass. Key recommendations include:
- Continuous monitoring for indicators of compromise (IOCs), such as unusual PowerShell activity, DLL hijacking in system directories, and outbound connections to known C2 IP addresses or to Pastebin/Dropbox used for C2 resolution.
- Proactive hunting for suspicious services or DLLs registered as Volume Shadow Copy components, files named WinSAT.db in atypical locations, and processes holding the mutex 0XFEXYCDAPPLE05CHRIS.
- Endpoint detection and response (EDR) alerting on process hollowing, reflective code loading, and privilege escalation attempts involving SeDebugPrivilege.
- Network controls that block outbound connections to the identified C2 infrastructure and monitor for anomalous HTTP verbs in traffic.
- Regular patching of all Windows systems, enforcement of least privilege, and periodic credential hygiene reviews to limit the impact of credential harvesting tools such as Getpass.
- On detection, a comprehensive forensic investigation, with specialized incident response providers engaged where needed.
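The host-side hunts listed in the recommendations, and the AppleChris, MemFun, Getpass and lateral-movement behaviours described in the technical analysis, can be expressed as rules over endpoint telemetry. The following added example (not tooling from the Unit 42 report or from Rescana) runs six such rules over constructed events shaped loosely like Sysmon and Windows Security log records (for instance Sysmon Event ID 8 for remote thread creation, or Security event 4703 for a token right being adjusted). The event schema, host names, paths, and every allowlist (the expected VSS provider binary, the expected WinSAT directory, the Google updater install path, the processes permitted to enable SeDebugPrivilege) are assumptions to be tuned per environment.

```python
"""Endpoint hunt over constructed telemetry for the indicators described above.

Added example, not the report's or Rescana's tooling. Event shapes are a
simplified stand-in for Sysmon / Windows Security log records, and the
allowlists are assumptions to be tuned per environment.
"""
import ntpath

# Assumed legitimate location of the Microsoft software shadow copy provider.
VSS_ALLOWED_IMAGES = {"c:\\windows\\system32\\swprv.dll"}
# Assumed directory where a WinSAT-related file could legitimately appear.
WINSAT_EXPECTED_DIR = "c:\\windows\\performance\\winsat\\"
# Assumed legitimate install directory of Google's updater.
GOOGLEUPDATE_DIR = "c:\\program files (x86)\\google\\update\\"
# Constructed allowlist of processes expected to enable SeDebugPrivilege.
SEDEBUG_ALLOWED = {"c:\\program files\\vendor edr\\sensor.exe"}

# Constructed sample events (host names and paths are illustrative).
SAMPLE_EVENTS = [
    {"type": "service_create", "host": "DC01", "service": "VSS Software Provider",
     "image": r"C:\Windows\System32\swprv32.sys"},
    {"type": "service_create", "host": "WS07", "service": "swprv",
     "image": r"C:\Windows\System32\swprv.dll"},
    {"type": "file_create", "host": "WS07", "path": r"C:\Users\Public\WinSAT.db",
     "process": r"C:\ProgramData\tool.exe"},
    {"type": "file_create", "host": "WS07", "path": r"C:\Users\bob\notes.db",
     "process": r"C:\Windows\System32\notepad.exe"},
    {"type": "privilege_enabled", "host": "WS07", "privilege": "SeDebugPrivilege",
     "process": r"C:\ProgramData\tool.exe"},
    {"type": "privilege_enabled", "host": "WS07", "privilege": "SeDebugPrivilege",
     "process": r"C:\Program Files\Vendor EDR\sensor.exe"},
    {"type": "process_create", "host": "EXEC01", "image": r"C:\Users\Public\GoogleUpdate.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "remote_thread", "host": "EXEC01", "source": r"C:\Users\Public\GoogleUpdate.exe",
     "target": r"C:\Windows\System32\dllhost.exe"},
    {"type": "process_create", "host": "WEB02", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]


def norm(path):
    """Case-fold a Windows path for comparison."""
    return path.lower()


def base(path):
    """Case-folded file name of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


def is_vss_related(service_name):
    s = service_name.lower()
    return "vss" in s or "shadow" in s or "swprv" in s


def hunt(events):
    """Apply the hunting rules and return a list of findings in event order."""
    findings = []

    def add(rule, ev, detail):
        findings.append({"rule": rule, "host": ev["host"], "detail": detail})

    for ev in events:
        t = ev["type"]
        # Rule 1: a VSS-related service whose binary is not the expected provider.
        if t == "service_create" and is_vss_related(ev["service"]) \
                and norm(ev["image"]) not in VSS_ALLOWED_IMAGES:
            add("vss_component_hijack", ev, f"{ev['service']} -> {ev['image']}")
        # Rule 2: a WinSAT.db file created outside the expected WinSAT directory.
        elif t == "file_create" and base(ev["path"]) == "winsat.db" \
                and not norm(ev["path"]).startswith(WINSAT_EXPECTED_DIR):
            add("winsat_db_outside_expected_dir", ev, f"{ev['path']} by {ev['process']}")
        # Rule 3: SeDebugPrivilege enabled by a process outside the allowlist.
        elif t == "privilege_enabled" and ev["privilege"] == "SeDebugPrivilege" \
                and norm(ev["process"]) not in SEDEBUG_ALLOWED:
            add("sedebug_unexpected_process", ev, ev["process"])
        # Rule 4: GoogleUpdate.exe running from outside its install directory.
        elif t == "process_create" and base(ev["image"]) == "googleupdate.exe" \
                and not norm(ev["image"]).startswith(GOOGLEUPDATE_DIR):
            add("googleupdate_masquerade", ev, ev["image"])
        # Rule 5: a remote thread created in dllhost.exe (hollowing/injection target).
        elif t == "remote_thread" and base(ev["target"]) == "dllhost.exe":
            add("dllhost_injection", ev, f"{ev['source']} -> {ev['target']}")
        # Rule 6: a shell spawned by the WMI provider host (remote WMI execution).
        elif t == "process_create" and base(ev["parent"]) == "wmiprvse.exe" \
                and base(ev["image"]) in {"cmd.exe", "powershell.exe"}:
            add("wmi_remote_shell", ev, f"{ev['parent']} -> {ev['image']}")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:7} {f['rule']:32} {f['detail']}")
```

Each rule is deliberately allowlist-based rather than blocklist-based: the report's own sample names (swprv32.sys, GoogleUpdate.exe, WinSAT.db) are easy for an operator to change, so the rules key on where the legitimate component is expected to live and treat anything else as a finding. The mutex named in the recommendations is not covered here because standard telemetry does not record mutex creation; that hunt needs a handle enumeration on live hosts.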
References
- The Hacker News: Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware
- Palo Alto Networks Unit 42: Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia (PDF)
- Reddit Discussion
- MITRE ATT&CK Techniques
- LinkedIn Post
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber threats across their extended supply chain. Our platform leverages cutting-edge threat intelligence, automation, and analytics to provide actionable insights and enhance your organization’s cyber resilience. For questions or further information, we are happy to assist at ops@rescana.com.