Analyzing the CL-STA-1087 campaign: Long-term persistence in Southeast Asian military networks

Security researchers have detailed a multi-year cyberespionage campaign targeting Southeast Asian military organizations. By understanding the threat actors' use of custom backdoors and legitimate cloud services, organizations can better secure their environments against similar persistence mechanisms.

Triage Security Media Team

Suspected China-nexus threat actors have maintained persistent, years-long access to the networks of military organizations in Southeast Asia. A recent threat report from Palo Alto Networks' Unit 42 incident response team details this extensive cyberespionage campaign, attributed with moderate confidence to state-sponsored operators. Tracked as CL-STA-1087, the activity was initially discovered when newly deployed agents for the Cortex XDR platform detected unauthorized PowerShell execution within an affected organization's network.

Following the initial detection, security researchers traced the unauthorized access back to at least 2020. While the precise initial entry method remains unconfirmed, responders identified novel backdoor malware and a customized credential-gathering tool called Getpass. The threat actors demonstrated strategic operational patience, focusing on targeted intelligence collection rather than bulk data exfiltration. According to Unit 42 researchers Lior Rochberger and Yoav Zemah, the operators actively searched for highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces.

Custom tooling and dead-drop resolvers

The group deployed several previously undocumented tools, including two backdoors designated as AppleChris and MemFun. Both variants utilize dead-drop resolvers (DDRs)—a technique where threat actors post encrypted command-and-control (C2) routing information on legitimate external websites.

In this campaign, the operators used a shared Pastebin repository containing an encrypted C2 IP address, accessible only through a two-stage decryption process. This cryptographic approach protects the actual C2 server information; even if the Pastebin account is discovered, the corresponding private key remains embedded solely within the malware.

The operators also used a Dropbox account as a DDR, likely maintaining communications with multiple compromised networks over an extended period. The malware employed additional evasion tactics, including delayed execution to bypass analysis sandboxes and timestomping—modifying file time attributes in Windows to conceal new files or changes to existing ones.
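Timestomping is hard to spot by eye but leaves measurable inconsistencies. The following Python is an added example written for this article, not Unit 42's tooling or anything from the report; it applies three widely used forensic heuristics to constructed file-metadata records (the paths and times are made up): a modification time earlier than the creation time, creation and modification timestamps whose fractional seconds are exactly zero (utilities that rewrite times often only accept whole seconds, while normal file writes leave a sub-second remainder), and a file that claims to predate the directory it lives in. Python's datetime holds microseconds, so the 100-nanosecond precision of NTFS is assumed to have been rounded when the records were exported.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class FileTimes:
    """One exported file-system record (constructed for this example)."""
    path: str
    created: datetime
    modified: datetime
    parent_created: datetime  # creation time of the containing directory


def timestomp_indicators(f: FileTimes) -> list[str]:
    """Return the names of every timestomping heuristic the record trips."""
    reasons = []
    # A file cannot be modified before it existed; a backdated creation time
    # that was set without also adjusting the modification time shows up here.
    if f.modified < f.created:
        reasons.append("modified-before-created")
    # Whole-second timestamps on both fields are unusual for files written by
    # the OS itself, which records a sub-second component.
    if f.created.microsecond == 0 and f.modified.microsecond == 0:
        reasons.append("zero-subsecond")
    # A file that is older than its parent directory usually means the
    # creation time was rewritten to blend in with older content.
    if f.created < f.parent_created:
        reasons.append("created-before-parent-dir")
    return reasons


def scan(records: list[FileTimes]) -> dict[str, list[str]]:
    """Map each suspicious path to the heuristics it triggered."""
    flagged = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            flagged[rec.path] = hits
    return flagged


# Constructed sample: one ordinary file, one backdated file with whole-second
# times, and one whose modification time is older than its creation time.
DIR_CREATED = datetime(2024, 1, 10, 8, 0, 0, 123456)
SAMPLE_RECORDS = [
    FileTimes(r"C:\Users\analyst\report.docx",
              datetime(2024, 3, 5, 10, 15, 22, 347812),
              datetime(2024, 3, 5, 10, 16, 1, 901233),
              DIR_CREATED),
    FileTimes(r"C:\Users\analyst\svchost_helper.dll",
              datetime(2019, 6, 1, 0, 0, 0),
              datetime(2019, 6, 1, 0, 0, 0),
              DIR_CREATED),
    FileTimes(r"C:\Users\analyst\cache.bin",
              datetime(2024, 3, 6, 12, 0, 0, 500000),
              datetime(2024, 3, 4, 9, 30, 0, 250000),
              DIR_CREATED),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(hits)}")
```

Each heuristic has benign explanations (files copied from FAT media carry two-second granularity, archive extraction preserves old creation times), so the output is a triage list to be checked against the file's $FILE_NAME attribute and USN journal rather than a verdict.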

Rochberger noted that the individuals behind CL-STA-1087 are highly skilled, developing sophisticated custom malware and demonstrating significant discipline. The operators maintained undetected access for months, went dormant when necessary, and executed precision intelligence collection over multiple years. This methodical approach contrasts with other threat groups that prioritize rapid, high-visibility data extraction but are often detected due to the noise they generate in an environment.

Defending against cloud service abuse

A critical component of the CL-STA-1087 methodology is the abuse of legitimate web and cloud services for C2 infrastructure. This mirrors broader industry observations, such as recent reports of advanced threat groups utilizing platforms like Google Calendar to mask operations. Because these services blend in with normal internet traffic, they are frequently overlooked by security monitoring tools.

To defend against these methods, organizations are encouraged to strictly govern how their networks interact with external storage and content hosting services. If a facility does not officially use or approve services like Dropbox or Pastebin, security teams should restrict access to those domains. At a minimum, organizations should implement comprehensive monitoring and alerting for any anomalous traffic directed to these platforms.

Security practitioners can also review the published indicators of compromise (IOCs) for CL-STA-1087, including SHA256 hashes for the AppleChris and MemFun backdoors and known C2 IP addresses, to proactively evaluate and secure their environments.