
Chinese Hackers Target Southeast Asian Military with AppleChris and MemFun Malware

A suspected China-linked cyberespionage operation has targeted military organizations in Southeast Asia as part of a state-sponsored campaign dating back to at least 2020.

Palo Alto Networks Unit 42 tracks the activity under the moniker CL-STA-1087, where CL stands for cluster and STA denotes state-backed motivation.

“This operation demonstrated strategic operational patience and a focus on highly targeted intelligence gathering, rather than mass data theft,” said security researchers Lior Rochberger and Yoav Zemah. “The attackers who went after the group sought and collected detailed files related to military capabilities, organizational structures, and efforts to cooperate with Western armed forces.”

The campaign exhibits hallmarks commonly associated with advanced persistent threat (APT) operations, including carefully designed delivery methods, defense evasion techniques, stable operational infrastructure, and the deployment of custom payloads built to sustain unauthorized access to compromised systems.

Tools used by the threat actor in the operation include two backdoors, AppleChris and MemFun, and a credential harvester called Getpass.

The cybersecurity vendor said it discovered the intrusion after identifying a suspicious PowerShell execution: the script sleeps for six hours and then spawns a shell that connects back to an actor-controlled command-and-control (C2) server. The initial access vector used in the attack is still unknown.
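A six-hour Start-Sleep before any network activity is the kind of delay that shows up in PowerShell Script Block Logging (Event ID 4104) long before the C2 connection does. The hunt below is an added example, not Unit 42 tooling; the script-block text is constructed, and the 30-minute threshold is an assumption to tune per environment.

```python
import re
from typing import List, Tuple

# Common spellings of a delay in PowerShell, each with its unit in milliseconds.
# Delays written as expressions (e.g. -Seconds (6*3600)) escape these patterns;
# that gap is deliberate so the regexes stay simple, and is worth a second rule.
_SLEEP_PATTERNS = [
    (re.compile(r"Start-Sleep\s+-(?:Seconds|s)\s+(\d+)", re.I), 1000),
    (re.compile(r"Start-Sleep\s+-(?:Milliseconds|ms?)\s+(\d+)", re.I), 1),
    (re.compile(r"Start-Sleep\s+(\d+)", re.I), 1000),            # positional = -Seconds
    (re.compile(r"(?<![\w-])sleep\s+(\d+)", re.I), 1000),        # 'sleep' alias
    (re.compile(r"Thread\]::Sleep\(\s*(\d+)\s*\)", re.I), 1),    # .NET Thread.Sleep(ms)
]


def max_delay_seconds(script_block: str) -> float:
    """Longest single sleep found in one 4104 script block, in seconds (0 if none)."""
    longest_ms = 0
    for pattern, ms_per_unit in _SLEEP_PATTERNS:
        for match in pattern.finditer(script_block):
            longest_ms = max(longest_ms, int(match.group(1)) * ms_per_unit)
    return longest_ms / 1000


def hunt_long_sleeps(events: List[Tuple[str, str]],
                     threshold_s: float = 1800) -> List[Tuple[str, float]]:
    """Return (host, delay_seconds) for script blocks sleeping at least threshold_s."""
    hits = []
    for host, block in events:
        delay = max_delay_seconds(block)
        if delay >= threshold_s:
            hits.append((host, delay))
    return hits


# Constructed (host, ScriptBlockText) pairs standing in for parsed 4104 events.
SAMPLE_EVENTS = [
    ("WS-ADMIN01", "Start-Sleep -Seconds 2; Get-Service | Out-File C:\\temp\\svc.txt"),
    ("WS-FILE03",  "Start-Sleep -s 21600; & $env:TEMP\\upd.ps1"),      # six hours
    ("WS-HR02",    "[System.Threading.Thread]::Sleep(120000); Invoke-Expression $cmd"),
    ("WS-DEV05",   "sleep 5; Write-Output 'done'"),
]

if __name__ == "__main__":
    for host, delay in hunt_long_sleeps(SAMPLE_EVENTS):
        print(f"{host}: script block sleeps {delay:.0f}s before continuing")
```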

The infection sequence involves the deployment of AppleChris, different variants of which are delivered to each targeted host after lateral movement, both to maintain persistence and to evade signature-based detection. The threat actors have also been observed searching for official meeting records, joint military operations, and detailed operational capability assessments.

“The attackers showed a strong interest in files related to military structures and strategies, including command, control, communications, computers, and intelligence (C4I) systems,” the researchers noted.

Both the AppleChris and MemFun variants are designed to access a shared Pastebin account, which acts as a dead drop resolver: the actual C2 address is retrieved from the paste in Base64-encoded form. One version of AppleChris also relies on Dropbox to retrieve its C2 data, with the Pastebin-based method used as a fallback. The Pastebin account's activity dates back to September 2020.

Launched via DLL hijacking, AppleChris initiates communication with the C2 server to receive commands that allow it to perform drive enumeration, directory listing, file upload/download/deletion, process enumeration, remote shell execution, and silent process creation.

The second AppleChris variant is an evolution of its predecessor, using only Pastebin to resolve the C2 address while also introducing network proxy capabilities.

“To bypass automatic security programs, some malware types use sandbox escape techniques during execution,” said Unit 42. “This variant causes execution delays by using sleep timers of 30 seconds (EXE) and 120 seconds (DLL), which go beyond the normal monitoring windows of automatic sandboxes.”

MemFun is delivered in several stages: the initial loader contains shellcode that launches an in-memory controller, whose main purpose is to fetch the C2 configuration from Pastebin, communicate with the C2 server, and retrieve a DLL that, in turn, launches the backdoor.

Because the DLL is downloaded from the C2 server at runtime, the operators can deliver additional payloads without modifying anything on the host. This design makes MemFun a malware platform rather than a static backdoor like AppleChris.

MemFun's execution begins with a dropper that performs anti-forensic checks and then changes the file's creation timestamp to match the creation time of the Windows System directory. Next, it injects a large payload into the memory of a "dllhost.exe" process using a technique called process hollowing.
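Copying the Windows System directory's creation time onto a dropper is a timestomping trick that a forensic sweep can turn against the attacker: a user-writable file whose creation time matches System32 to the sub-second is itself the anomaly. The check below is an added example (not Unit 42's tooling) and goes one step further than the page by also comparing the $STANDARD_INFORMATION and $FILE_NAME creation times from an MFT parse; the file records and the System32 timestamp are constructed, and the reference path and one-second tolerance are assumptions.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class FileRecord(NamedTuple):
    path: str
    si_created: datetime            # $STANDARD_INFORMATION creation time (what Explorer shows)
    fn_created: Optional[datetime]  # $FILE_NAME creation time, when an MFT parse is available


# Assumed reference value: creation time of C:\Windows\System32 on the examined host.
SYSTEM_DIR_CREATED = datetime(2023, 5, 6, 6, 24, 32, 875000)
WINDOWS_DIR_PREFIX = "c:\\windows\\"


def timestomp_findings(records: List[FileRecord],
                       system_dir_created: datetime = SYSTEM_DIR_CREATED,
                       tolerance: timedelta = timedelta(seconds=1)) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for files whose creation timestamps look forged."""
    findings = []
    for rec in records:
        reasons = []
        # Files under C:\Windows legitimately share the install-time timestamp, so the
        # System-directory match is only suspicious for files outside that tree.
        outside_windows = not rec.path.lower().startswith(WINDOWS_DIR_PREFIX)
        if outside_windows and abs(rec.si_created - system_dir_created) <= tolerance:
            reasons.append("creation time matches Windows System directory")
        # Normal file operations never leave $SI creation earlier than $FN creation;
        # $FN is only rewritten on rename/move, so an older $SI means the $SI was set by hand.
        if rec.fn_created is not None and rec.si_created < rec.fn_created:
            reasons.append("$SI creation earlier than $FN creation")
        if reasons:
            findings.append((rec.path, reasons))
    return findings


# Constructed records standing in for an MFT parse of the examined volume.
SAMPLE_RECORDS = [
    FileRecord("C:\\Windows\\System32\\kernel32.dll", SYSTEM_DIR_CREATED, SYSTEM_DIR_CREATED),
    FileRecord("C:\\Users\\Public\\Libraries\\updater.exe", SYSTEM_DIR_CREATED,
               datetime(2024, 3, 14, 9, 2, 11, 503000)),
    FileRecord("C:\\Users\\alice\\Documents\\budget.xlsx",
               datetime(2024, 2, 1, 8, 15, 0), datetime(2024, 2, 1, 8, 15, 0)),
    FileRecord("C:\\ProgramData\\cache\\svc.dll", datetime(2021, 1, 1, 12, 0, 0), None),
]

if __name__ == "__main__":
    for path, reasons in timestomp_findings(SAMPLE_RECORDS):
        print(f"{path}: {'; '.join(reasons)}")
```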

In this way, the malware operates under the guise of a legitimate Windows process to stay under the radar and avoid leaving additional artifacts on disk.

Also used in the attack is a custom version of Mimikatz known as Getpass, which escalates privileges and attempts to extract passwords, NTLM hashes and other authentication data directly from the memory of the "lsass.exe" process.

“The group’s threat actor demonstrated patience, efficiency and security awareness,” Unit 42 concluded. “They maintained access to the plane for months while focusing on precision intelligence gathering and implementing strict security measures to ensure the longevity of the campaign.”
