CL-STA-1087

CL-STA-1087 is a suspected China-linked, state-backed cyber espionage cluster tracked by Palo Alto Networks Unit 42. The activity has targeted military organizations in Southeast Asia since at least 2020 and is assessed as focused on long-term intelligence collection rather than bulk data theft. Reported collection priorities included military capabilities, organizational structures, C4I systems, official meeting records, joint military activities, operational capability assessments, and cooperation with Western armed forces. The campaign demonstrated persistent, stealthy tradecraft, including long-term access on unmanaged endpoints, dormant periods lasting months, reverse shells to multiple command-and-control servers, and lateral movement using WMI and .NET commands. Unit 42 reported APT-like characteristics including tailored delivery methods, defense evasion, stable infrastructure, and custom payload deployment. The exact initial access vector is currently not available. Observed malware and tooling included the AppleChris and MemFun backdoors and a custom credential harvester called Getpass. AppleChris was deployed via DLL hijacking and evolved across variants, including a tunneler variant with proxy capabilities. It supported file access, upload/download, deletion, drive and directory enumeration, process enumeration and control, remote shell execution, and silent process creation. AppleChris used sandbox evasion and delayed execution, generated host-tied session IDs, and resolved command-and-control infrastructure through encrypted or Base64-decoded dead drop content on Pastebin; one variant also used Dropbox with Pastebin as fallback. MemFun was a modular, multi-stage backdoor delivered through a loader, shellcode injection, an in-memory downloader, and a final DLL fetched at runtime from command-and-control. It operated largely in memory and used process hollowing, reflective DLL loading, timestomping, memory zeroing, and anti-forensic checks to reduce artifacts. Both AppleChris and MemFun used custom HTTP verbs/commands for command-and-control communications and shared Pastebin-based dead drop resolution. Getpass was described as a custom Mimikatz DLL masquerading as a Palo Alto tool. It escalated privileges and harvested credentials from lsass.exe memory, including plaintext passwords, NTLM hashes, and authentication data from multiple Windows authentication packages, with stolen data logged to WinSAT.db. Known alias in the provided content: CL-STA-1087.