China-linked Actor CL-STA-1087 Hits Military with New Tools

by CyberNewsAI Admin
Vulnerability Watch | Threat Intelligence

Executive Summary

Unit 42 has identified a state-sponsored espionage campaign, designated CL-STA-1087, assessed with moderate confidence to be operating out of China. The campaign, active since at least 2020, targets military organizations in Southeast Asia with a focus on strategic intelligence collection. The actor has shown operational patience, holding dormant access for months before resuming activity. It deploys a custom toolset, including the newly identified AppleChris and MemFun backdoors and a credential harvesting tool named Getpass, a modified build of Mimikatz. The activity is characterized by evasion techniques aimed at sandboxes and forensic tooling, custom malware, and a resilient command and control (C2) infrastructure.

Threat Actor Profile

Attribution

The adversary, designated CL-STA-1087, is suspected to be a China-based state-sponsored threat actor. Attribution is based on several key factors:

  • Operational Hours: Observed hands-on-keyboard activity aligns with standard business hours in the UTC+8 timezone.
  • Victimology: The campaign demonstrates a specific and sustained focus on military organizations within Southeast Asia.
  • Infrastructure: C2 servers were hosted on China-based cloud network infrastructure. One C2 login page was observed using Simplified Chinese.

Objectives and Targeting

The primary objective of CL-STA-1087 is espionage. The actor conducts highly selective data collection, targeting sensitive files related to military operations, organizational structures, Command, Control, Communications, Computers, and Intelligence (C4I) systems, and collaborative efforts with Western armed forces. The focus is on high-value intelligence, not bulk data exfiltration.

Campaign Analysis

Initial Compromise and Persistence

The initial infection vector remains undetermined. Unit 42 first detected the intrusion through suspicious PowerShell activity on a network that was already compromised, which is why the original entry point could not be established. The adversary maintained persistence on an unmanaged endpoint and used it to execute remote PowerShell scripts that slept for six hours before opening reverse shells to the C2 servers. Persistence was reinforced through DLL hijacking: a malicious DLL was placed in the System32 directory and registered so that the legitimate Volume Shadow Copy Service (VSS) loads it whenever the service starts.

Lateral Movement and Intelligence Gathering

Once a foothold was established, the actor moved laterally across the network using Windows Management Instrumentation (WMI) and native .NET commands. High-value targets included domain controllers, web servers, IT workstations, and executive-level assets. Following lateral movement, the adversary began strategic intelligence collection, searching for specific files pertaining to official meeting records and joint military activities.

Malware Analysis

The actor's toolset includes two novel backdoors and a custom credential harvester, all designed for stealth and persistence.

AppleChris Backdoor

Named for the mutex 0XFEXYCDAPPLE05CHRIS, AppleChris is a versatile backdoor with two primary variants: an older Dropbox variant and a more evolved Tunneler variant. Rather than embedding its C2 address, it uses a Dead Drop Resolver (DDR): it fetches a Pastebin post (or, in the Dropbox variant, a Dropbox-hosted file) and parses the current C2 IP address from it, which lets the operators rotate infrastructure without redeploying the implant. For sandbox evasion it sleeps before doing anything (30 seconds in the EXE build, 120 seconds in the DLL build), and its C2 traffic uses unusual HTTP methods: PUT, plus the non-standard POT, DPF and UPF. It supports file operations, process enumeration and remote shell execution.
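The script below is an added example for this article, not code from Unit 42 or from the malware. It turns the two network-side traits just described into a detection over proxy logs: a fetch from a dead-drop host followed shortly by traffic to a raw IP address, and HTTP methods that no legitimate client sends. The log line format, the ten-minute correlation window, the dead-drop host names and the sample lines are assumptions constructed for the demo; the C2 addresses are the ones from the IOC list further down this page.

```python
"""Flag AppleChris-style C2 traffic in proxy logs (added example, not Unit 42 code)."""
import re
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> <client_ip> <METHOD> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
URL_HOST_RE = re.compile(r"^https?://(?P<host>[^/:]+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Methods from the IANA HTTP method registry that a client would normally send.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
# Dead-drop hosts named in the report (the exact host list is an assumption).
DDR_HOSTS = {"pastebin.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
# C2 addresses from this article's IOC list.
KNOWN_C2 = {"154.39.142.177", "154.39.137.203", "8.212.169.27", "109.248.24.177", "8.220.135.151"}
DDR_WINDOW = timedelta(minutes=10)   # assumed: how soon after a dead-drop fetch the C2 contact follows

def parse(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    h = URL_HOST_RE.match(m["url"])
    return {"ts": datetime.fromisoformat(m["ts"]), "client": m["client"],
            "method": m["method"], "host": h["host"] if h else ""}

def analyze(lines):
    """Return (client, host, reasons) for every suspicious request, in log order."""
    alerts = []
    last_ddr = {}    # client ip -> time of its most recent dead-drop fetch
    for rec in filter(None, map(parse, lines)):
        client, host, method, ts = rec["client"], rec["host"], rec["method"], rec["ts"]
        if host in DDR_HOSTS:
            last_ddr[client] = ts   # a paste fetch on its own is context, not an alert
            continue
        raw_ip = IPV4_RE.fullmatch(host) is not None
        reasons = []
        if method not in STANDARD_METHODS:
            reasons.append(f"non-standard method {method}")
        if host in KNOWN_C2:
            reasons.append("destination is a listed C2 address")
        if raw_ip and client in last_ddr and ts - last_ddr[client] <= DDR_WINDOW:
            reasons.append("raw-IP contact shortly after a dead-drop fetch")
        if raw_ip and method == "PUT":
            reasons.append("PUT to a raw IP address")
        if reasons:
            alerts.append((client, host, reasons))
    return alerts

# Constructed sample log: one infected client (10.1.1.5) and one benign client (10.1.1.7).
SAMPLE_LOG = """\
2025-06-01T09:00:00 10.1.1.5 GET https://pastebin.com/raw/constructedpaste
2025-06-01T09:00:04 10.1.1.5 PUT http://154.39.142.177/index.php
2025-06-01T09:00:09 10.1.1.5 POT http://154.39.142.177/index.php
2025-06-01T09:02:00 10.1.1.7 GET https://www.example.com/
2025-06-01T09:03:00 10.1.1.7 PUT https://www.example.com/upload
2025-06-01T10:30:00 10.1.1.5 DPF http://203.0.113.10/
""".splitlines()

if __name__ == "__main__":
    for client, host, reasons in analyze(SAMPLE_LOG):
        print(f"{client} -> {host}: " + "; ".join(reasons))
```

The dead-drop correlation is the part worth keeping even when the IOC list goes stale: the paste fetch alone is noise, but a raw-IP connection from the same client within minutes of it is the DDR pattern regardless of which address the paste currently resolves to. The non-standard-method rule catches POT, DPF and UPF outright; PUT is a legitimate method, so it is only flagged when the destination is a raw IP address.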

MemFun Backdoor

MemFun is a modular, multi-stage implant that runs entirely in memory to minimize its forensic footprint. The chain begins with a loader named GoogleUpdate.exe that process-hollows a suspended dllhost.exe, injecting shellcode that then reflectively loads the main downloader DLL. Its anti-forensic measures include timestomping its on-disk file so that its creation time matches that of the Windows System directory, and zeroing its own PE headers in memory so that memory scanners find no MZ/PE signature to anchor on. C2 traffic follows a custom HTTP pattern (Q) and is encrypted with a per-session Blowfish key that the implant sends to the server in the HTTP Cookie header. The key therefore travels with the traffic it protects: a defender holding a full capture of the HTTP session can recover it from the same request and decrypt the exchange.

Getpass Credential Harvester

Getpass is a customized build of Mimikatz, packaged as a DLL and named to masquerade as a legitimate Palo Alto Networks tool. It enables SeDebugPrivilege for its own process, opens lsass.exe and reads plaintext passwords, NTLM hashes and other authentication material from its memory. Unlike stock Mimikatz, it needs no interactive commands: it runs its harvesting routine automatically and writes the stolen credentials to a file named WinSAT.db.
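The following is an added example for this article, not Unit 42 tooling or the actor's code. It triages a handful of constructed Sysmon-style events for the host-side behaviours described in the persistence and malware sections above: a PowerShell process that sleeps for hours before acting, dllhost.exe spawned by an unexpected parent (the MemFun hollowing target), a creation-time change that backdates a file under System32 (timestomping), a non-Microsoft DLL loaded by the Volume Shadow Copy Service (the DLL hijack), and a process opening lsass.exe for memory reads (Getpass). The Sysmon event IDs and field names are real; the thresholds, allow-lists, file names under C:\Users\Public, the DLL name and the sample events are assumptions.

```python
"""Triage constructed Sysmon-style events for CL-STA-1087 host TTPs (added example, not Unit 42 code)."""
import re
from datetime import datetime

# --- tunables; every value below is an assumption made for this demo --------------------
LONG_SLEEP_SECONDS = 3600                                     # a sleep over an hour is odd in admin scripting
SYSTEM32 = "c:\\windows\\system32\\"
DLLHOST_PARENTS = {"svchost.exe", "services.exe"}             # parents dllhost.exe is normally spawned by
LSASS_READERS = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}   # processes expected to read lsass
PROCESS_VM_READ = 0x0010                                      # access right needed to dump credentials

SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)
THREAD_SLEEP_RE = re.compile(r"Thread\]::Sleep\((\d+)\)", re.I)   # [Threading.Thread]::Sleep(ms)

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def sleep_seconds(cmdline):
    """Longest sleep requested on a PowerShell command line, in seconds (0 if none)."""
    secs = [int(s) for s in SLEEP_RE.findall(cmdline)]
    secs += [int(ms) // 1000 for ms in THREAD_SLEEP_RE.findall(cmdline)]
    return max(secs, default=0)

def triage(events):
    """Return (rule, detail) pairs for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:                                          # ProcessCreate
            img, parent = base(ev["Image"]), base(ev["ParentImage"])
            if img in ("powershell.exe", "pwsh.exe"):
                s = sleep_seconds(ev["CommandLine"])
                if s >= LONG_SLEEP_SECONDS:
                    hits.append(("PS_LONG_SLEEP", f"{s}s sleep: {ev['CommandLine']}"))
            if img == "dllhost.exe" and parent not in DLLHOST_PARENTS:
                hits.append(("DLLHOST_ODD_PARENT", f"dllhost.exe spawned by {ev['ParentImage']}"))
        elif eid == 2 and ev["TargetFilename"].lower().startswith(SYSTEM32):   # FileCreateTime changed
            new = datetime.fromisoformat(ev["CreationUtcTime"])
            old = datetime.fromisoformat(ev["PreviousCreationUtcTime"])
            if new < old:                                     # backdated: the timestomping pattern
                hits.append(("TIMESTOMP", f"{ev['Image']} backdated {ev['TargetFilename']} to {new:%Y-%m-%d}"))
        elif eid == 7 and base(ev["Image"]) == "vssvc.exe":   # ImageLoad into the VSS service process
            loaded = ev["ImageLoaded"]
            trusted = ev.get("Signed", "false").lower() == "true" and "microsoft" in ev.get("Signature", "").lower()
            if loaded.lower().startswith(SYSTEM32) and not trusted:
                hits.append(("VSS_DLL_HIJACK", f"non-Microsoft {loaded} loaded by VSSVC.exe"))
        elif eid == 10 and base(ev["TargetImage"]) == "lsass.exe":   # ProcessAccess
            access = int(ev["GrantedAccess"], 16)
            if access & PROCESS_VM_READ and base(ev["SourceImage"]) not in LSASS_READERS:
                hits.append(("LSASS_READ", f"{ev['SourceImage']} opened lsass.exe with 0x{access:x}"))
    return hits

# Constructed events; paths under C:\Users\Public and hypothetical.dll are made up for the demo.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "Start-Sleep -s 21600; . C:\Users\Public\run.ps1"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -c "Start-Sleep -Seconds 5; Get-Service"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Users\Public\GoogleUpdate.exe", "CommandLine": "dllhost.exe"},
    {"EventID": 2, "Image": r"C:\Users\Public\GoogleUpdate.exe",
     "TargetFilename": r"C:\Windows\System32\hypothetical.dll",
     "CreationUtcTime": "2019-12-07 09:14:52", "PreviousCreationUtcTime": "2025-06-01 08:58:10"},
    {"EventID": 7, "Image": r"C:\Windows\System32\VSSVC.exe",
     "ImageLoaded": r"C:\Windows\System32\hypothetical.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Windows\System32\VSSVC.exe",
     "ImageLoaded": r"C:\Windows\System32\vssapi.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Two design points carry over to production rules. The lsass check keys on the access mask rather than on the tool name, because Getpass is a renamed Mimikatz and will not match a name-based signature; any handle with PROCESS_VM_READ from outside a short allow-list is what matters. The timestomp rule fires on the direction of the change (new creation time earlier than the previous one), which is exactly the artefact MemFun produces when it aligns its file with the age of the System directory.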


Indicators of Compromise (IOCs)

C2 Servers

  • 154.39.142[.]177
  • 154.39.137[.]203
  • 8.212.169[.]27
  • 109.248.24[.]177
  • 8.220.135[.]151

Malware Hashes (SHA256)

  • AppleChris (Tunneler): 9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500
  • AppleChris (Dropbox): 413daa580db74a38397d09979090b291f916f0bb26a68e7e0b03b4390c1b472f
  • MemFun: ad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad
  • Getpass: ee4d4b7340b3fa70387050cd139b43ecc65d0cfd9e3c7dcb94562f5c9c91f58f

Mitigation and Defensive Posture

Defenders should map these TTPs to concrete controls. Alert on PowerShell processes whose command lines request long sleeps (the actor's scripts waited six hours before calling back) and on scripts launched from unmanaged endpoints. Use endpoint detection and response (EDR) to catch process hollowing (a suspended process whose image is replaced), DLL hijacking of services such as VSS, and handles to lsass.exe opened with read access by anything other than known system processes. On the network, look for fetches from dead-drop hosts such as Pastebin and Dropbox followed by traffic to raw IP addresses, and for HTTP methods outside the standard set. Restrict or quarantine unmanaged devices, and monitor WMI-based remote execution for lateral movement. Enable Credential Guard and LSA Protection (RunAsPPL) so that lsass.exe memory cannot be read by unsigned code, which blunts Getpass even if it executes.
