China-Linked Hackers Breach Southeast Asian Military Systems in Long-Running Spy Campaign
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A sophisticated and long-running cyber espionage campaign, tracked as\u00a0CL-STA-1087, has been quietly targeting military organizations across Southeast Asia since at least 2020. <\/p>\n
The operation, assessed with moderate confidence to be linked to a China-aligned threat actor, focuses on collecting strategic and operational intelligence rather than simply stealing large amounts of data. <\/p>\n
The attackers prioritized staying hidden, using custom-built tools and careful techniques to avoid detection over time.<\/p>\n
The campaign first came to light when endpoint security tools<\/a> flagged suspicious PowerShell activity on an unmanaged endpoint within a targeted military network. <\/p>\n Investigators quickly realized this was not a fresh intrusion \u2014 the attackers had already established a foothold, running delayed execution scripts that connected back to multiple command-and-control (C2) servers. <\/p>\n These scripts were designed to sleep for six-hour intervals between actions, a deliberate move to slip past automated detection tools that watch for unusual spikes in activity.<\/p>\n PolySwarm analysts identified samples of the primary backdoor<\/a> used in this campaign, AppleChris, confirming its active role in the espionage operation. <\/p>\n After going quiet for several months, the threat actors re-emerged and began moving laterally across the compromised networks. <\/p>\n They used Windows Management Instrumentation (WMI) and native Windows .NET commands to spread malware to domain controllers, web servers, IT workstations, and executive systems \u2014 all high-value targets within a military environment. <\/p>\n Their focus on Command, Control, Communications, Computers, and Intelligence (C4I) systems reveals how deliberate this operation truly was.<\/p>\n Palo Alto\u2019s Unit 42 reported on this activity, shedding more light on the scope and sophistication of the campaign. <\/p>\n The attackers used three main tools: AppleChris and MemFun as custom backdoors, and Getpass, a modified version of the well-known credential-theft tool Mimikatz<\/a>. <\/p>\n Their operational patterns consistently aligned with UTC+8 business hours, and their infrastructure included China-based cloud services, with Simplified Chinese language elements found within parts of the C2 environment. <\/p>\n While no specific group has been formally named, these indicators collectively point to a China-nexus origin.<\/a><\/p>\n The campaign\u2019s persistence strategy was equally deliberate. Attackers created new Windows services and performed DLL hijacking<\/a> by placing malicious DLL files inside the system32 directory, registering them through legitimate Windows services to blend in. <\/p>\n These methods gave the threat actors a stable, long-term presence within compromised environments, letting them operate quietly in the background without raising alarms.<\/a><\/p>\n At the core of this campaign sits a layered toolkit built for stealth and longevity. AppleChris, the primary backdoor, retrieved its C2 server addresses dynamically from Pastebin, and earlier versions also used Dropbox. <\/p>\n This approach, known as a Dead Drop Resolver (DDR) technique, allowed the malware to fetch encrypted connection data at runtime. <\/p>\n The retrieved data was Base64-decoded and then decrypted using an embedded RSA-1024 private key, meaning no static network indicators were left for defenders to find. <\/p>\n Once fully active, AppleChris supported file operations, process enumeration, and remote shell execution through custom HTTP verbs.<\/a><\/p>\n The secondary backdoor, MemFun, was built to run entirely in memory, making it much harder to detect on disk. <\/p>\n Its infection chain started with a file disguised as\u00a0GoogleUpdate.exe, which launched an in-memory downloader that fetched a final DLL payload from the C2 server. <\/p>\n MemFun used timestomping, process hollowing into dllhost.exe, and reflective DLL loading<\/a> to stay hidden, while session-specific Blowfish keys ensured each payload exchange was uniquely encrypted.<\/a><\/p>\n Credential theft was handled by Getpass, which silently pulled plaintext passwords, NTLM hashes, and authentication tokens from the lsass.exe process. <\/p>\n Unlike standard Mimikatz, this variant ran automatically and saved stolen data to a file named\u00a0WinSAT.db, mimicking a legitimate Windows system file.<\/a><\/p>\n Organizations in the defense sector should enforce strict monitoring of PowerShell and WMI activity, apply DLL search order hardening, and monitor all LSASS access attempts. <\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post China-Linked Hackers Breach Southeast Asian Military Systems in Long-Running Spy Campaign<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCustom Backdoors and Credential Theft<\/strong><\/h2>\n