China-Nexus Hackers Skulk in Southeast Asian Military Orgs for Years
Researchers uncovered an extensive cyberespionage campaign that used novel backdoors and familiar evasion techniques to maintain persistent access to regional targets.
Rob Wright, Senior News Director, Dark Reading
March 16, 2026
4 Min Read
SOURCE: JAKUB KRECHOWICZ VIA ALAMY STOCK PHOTO
More details on suspected China-nexus actors quietly establishing years-long access to the networks of military organizations in Southeast Asia have come to light.
In a threat report last week, Palo Alto Networks' Unit 42 incident response team detailed how it uncovered an extensive cyberespionage campaign, which it attributed with moderate confidence to Chinese state-sponsored actors — hard on the heels of a similar discovery of a years-long campaign targeting critical sectors in the region. The threat activity, which Unit 42 tracks as CL-STA-1087, was first discovered when newly deployed agents for Palo Alto Networks' Cortex XDR platform detected suspicious PowerShell activity in a victim's network.
After an investigation, Unit 42 researchers traced the activity back to at least 2020. While it's unclear how the attackers first gained access to the organization, the researchers discovered novel backdoor malware and a customized version of the Getpass credential-stealing tool.
"The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft," Palo Alto Networks threat researchers Lior Rochberger and Yoav Zemah wrote in the report. "The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures and collaborative efforts with Western armed forces."
Who's Behind the CL-STA-1087 Campaign?
It's unclear which China-nexus threat group is behind the cyberespionage campaign. The attackers deployed several tools that have not been documented before, including two backdoors that researchers named "AppleChris" and "MemFun." Both backdoors use dead-drop resolvers (DDRs): rather than hard-coding a command-and-control address, the malware retrieves it from content the attackers post on a legitimate website, a technique other nation-state threat groups have also used.
In this case, the China-nexus actors used a shared Pastebin repository containing an encrypted command-and-control (C2) IP address that the malware can only recover through a two-stage decryption process.
"This cryptographic approach ensures that even if the Pastebin account is discovered, the actual C2 server information remains protected, as the corresponding private key is embedded within the malware," Rochberger and Zemah wrote.
The attackers also used a Dropbox account as a DDR, and likely maintained communications with implants in multiple networks over a long period of time through these accounts, the researchers said. Additionally, CL-STA-1087's malware employed other evasion tactics, such as delayed execution to outlast sandbox analysis and "timestomping," in which attackers rewrite a file's Windows time attributes so that newly dropped files, or changes to existing ones, blend in with older system content.
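Timestomping is cheap for an attacker but leaves a detectable inconsistency on NTFS: the usual Win32 API (SetFileTime) rewrites only the $STANDARD_INFORMATION timestamps, while the $FILE_NAME timestamps the kernel wrote at creation stay put, and many stomping tools only accept whole-second values. The triage script below applies both checks to a handful of constructed MFT-style records. It is an added example for this article, not Unit 42's tooling; the record layout, field names, paths and timestamps are assumptions, and the records are meant to look like rows exported from an MFT parser.

```python
"""Timestomping triage over MFT-derived file records (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# A rename or move rewrites $FILE_NAME, so allow a little skew before calling a
# $SI-before-$FN gap suspicious. Assumed value; tune per environment.
SKEW = timedelta(seconds=2)

# Constructed sample records in the shape an MFT parser might export. Field
# names (si_* = $STANDARD_INFORMATION, fn_* = $FILE_NAME) are assumptions.
SAMPLE_RECORDS = [
    {   # dropped in 2023, then back-dated to 2019 with second granularity
        "path": r"C:\Windows\System32\wbem\wmiprvsd.dll",
        "si_created": "2019-04-11T10:22:00.000000",
        "si_modified": "2019-04-11T10:22:00.000000",
        "fn_created": "2023-08-02T03:17:45.812331",
        "fn_modified": "2023-08-02T03:17:45.812331",
    },
    {   # ordinary file: created once, edited later, nothing rewritten
        "path": r"C:\Users\analyst\notes.txt",
        "si_created": "2023-08-02T03:17:45.812331",
        "si_modified": "2023-09-01T14:05:09.214700",
        "fn_created": "2023-08-02T03:17:45.812331",
        "fn_modified": "2023-08-02T03:17:45.812331",
    },
    {   # copied file: $SI modified is inherited from the source and is older
        # than creation, which is legitimate and must not be flagged
        "path": r"C:\Tools\putty.exe",
        "si_created": "2023-08-02T03:17:45.812331",
        "si_modified": "2021-01-05T09:00:12.500000",
        "fn_created": "2023-08-02T03:17:45.812331",
        "fn_modified": "2023-08-02T03:17:45.812331",
    },
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC strings the (assumed) MFT parser emits."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def triage_record(rec: dict) -> list:
    """Return the timestomping indicators that apply to one record."""
    reasons = []
    si_c, si_m = parse_ts(rec["si_created"]), parse_ts(rec["si_modified"])
    fn_c, fn_m = parse_ts(rec["fn_created"]), parse_ts(rec["fn_modified"])

    # 1. SetFileTime-style tools rewrite only $STANDARD_INFORMATION. A $SI
    #    creation time earlier than the $FILE_NAME creation time, which the
    #    kernel wrote when the file really appeared, is the classic signature.
    #    Only the creation fields are compared: a copied file legitimately
    #    carries an inherited $SI modified time older than its $FN fields.
    if si_c + SKEW < fn_c:
        reasons.append("si_created_before_fn_created")

    # 2. Stomping utilities often take second-granularity input, so the
    #    rewritten $SI fields carry a zero sub-second part while $FN keeps the
    #    original 100 ns precision. A zero fraction in both $SI fields next to
    #    a non-zero fraction in $FN is unusual for a file the OS wrote itself.
    if (si_c.microsecond == 0 and si_m.microsecond == 0
            and (fn_c.microsecond or fn_m.microsecond)):
        reasons.append("zero_subsecond_si")
    return reasons


def triage(records: list) -> dict:
    """Map path -> indicators for every record that raised at least one."""
    out = {}
    for rec in records:
        reasons = triage_record(rec)
        if reasons:
            out[rec["path"]] = reasons
    return out


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(reasons))
```

Both indicators are leads, not proof: a second-granularity $SI with no $FN gap can come from some archive extractors, and a large $FN gap can come from a move across volumes. Confirm a hit against the USN journal, prefetch and any EDR file-creation telemetry before treating the file as stomped.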
Rochberger, a principal threat researcher at Palo Alto Networks, tells Dark Reading that whoever is behind the campaign, the threat actors are "both highly skilled and focused," developing sophisticated custom malware with advanced evasion techniques. Perhaps more importantly, she says, the attackers demonstrated impressive patience throughout the campaign.
"They maintained undetected access for months, went dormant when necessary, and executed precision intelligence collection over multiple years. That level of discipline is harder to achieve than just building good malware," she says.
Rochberger also says there is usually a split between China-nexus threat groups focused on long-term espionage and others that are focused on "smash-and-grab" attacks. "Unlike CL-STA-1087, these actors go in fast, steal whatever information they can, but often get caught because their activity can be characterized as somewhat 'noisy' in an environment," she says.
Defending Against CL-STA-1087 Threats
One of the key elements in the CL-STA-1087 attacks is the use of legitimate web and cloud services for malicious activity. Rochberger says Palo Alto Networks has seen an increase in the abuse of legitimate services for C2 infrastructure, "and that trend has accelerated with the rise of AI tools and cloud services that offer easy, anonymous access."
Because of the rise in abuse, Rochberger urges organizations to be more strict about how their networks interact with even brand-name services like Dropbox and Pastebin.
"If your organization doesn't officially use or approve certain content hosting or storage services, we'd strongly recommend restricting access," she says. "At minimum, organizations should implement robust monitoring and alerting for any suspicious traffic to these platforms. The reality is that threat actors specifically choose these services because they blend in with normal internet traffic and are often overlooked by security teams."
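The monitoring Rochberger describes does not need a product feature: a short pass over proxy logs is enough to surface hosts talking to paste or storage services they have no approved use for, and to spot the fixed-interval polling that a DDR-driven implant produces when it checks the dead drop. The script below does both over a few constructed log lines. It is an added example for this article, not Palo Alto Networks' detection content; the log format, internal IPs, approval list, paste IDs and thresholds are all assumptions. Note that without TLS inspection a proxy sees only the CONNECT host, so the raw-paste rule applies only where paths are logged.

```python
"""Flag unapproved and beacon-like use of paste/cloud-storage services in proxy logs.

Added example with constructed data; service list follows the services named
in the article, everything else (format, IPs, policy, thresholds) is assumed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Domains the article names as dead-drop hosts, mapped to a service label.
WATCHED_SERVICES = {
    "pastebin.com": "pastebin",
    "dropbox.com": "dropbox",
    "dropboxapi.com": "dropbox",
    "dropboxusercontent.com": "dropbox",
}

# Internal hosts with an approved business use of each service (assumed policy).
APPROVED = {"dropbox": {"10.0.5.40"}, "pastebin": set()}

# Beaconing thresholds (assumed; tune per environment).
MIN_POLLS = 4       # requests to the same URL before regularity is assessed
MAX_JITTER = 0.10   # stdev / mean of the inter-request interval

# Assumed log format: "<ISO time> <src ip> <method> <host>[/path] <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<host>[\w.-]+)(?P<path>/\S*)? (?P<status>\d{3})$"
)

# Constructed sample log: one host polls a raw paste hourly, one approved host
# uses Dropbox, one unapproved host fetches a paste once.
SAMPLE_LOG = """\
2026-03-02T08:00:00Z 10.0.5.23 GET pastebin.com/raw/x7Qf3k2L 200
2026-03-02T09:00:01Z 10.0.5.23 GET pastebin.com/raw/x7Qf3k2L 200
2026-03-02T10:00:00Z 10.0.5.23 GET pastebin.com/raw/x7Qf3k2L 200
2026-03-02T10:14:32Z 10.0.5.40 CONNECT api.dropboxapi.com 200
2026-03-02T11:00:02Z 10.0.5.23 GET pastebin.com/raw/x7Qf3k2L 200
2026-03-02T11:03:10Z 10.0.5.40 CONNECT content.dropboxapi.com 200
2026-03-02T11:30:00Z 10.0.5.23 CONNECT api.dropboxapi.com 200
2026-03-02T12:00:01Z 10.0.5.23 GET pastebin.com/raw/x7Qf3k2L 200
2026-03-02T13:45:12Z 10.0.5.77 GET pastebin.com/raw/abc 200
"""


def service_for(host: str):
    """Return the service label for a host, matching the domain or any subdomain."""
    for suffix, label in WATCHED_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, src, host, path); unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # real tooling should count these rather than drop them silently
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["host"], m["path"] or ""))
    return events


def analyze(text: str) -> list:
    """Return findings as (src, rule, detail) tuples."""
    findings, seen = [], set()
    polls = defaultdict(list)
    for ts, src, host, path in parse_log(text):
        svc = service_for(host)
        if svc is None:
            continue
        # Rule 1: any contact with a watched service from a host not approved for it.
        if src not in APPROVED.get(svc, set()):
            key = (src, "unapproved_service", svc)
            if key not in seen:
                seen.add(key)
                findings.append(key)
        # Rule 2: raw paste fetches return bare text, which is what a DDR consumer
        # wants; browsers normally load the rendered page instead.
        if svc == "pastebin" and path.startswith("/raw/"):
            key = (src, "raw_paste_fetch", host + path)
            if key not in seen:
                seen.add(key)
                findings.append(key)
        polls[(src, host + path)].append(ts)

    # Rule 3: repeated requests to one URL at a near-constant interval.
    for (src, url), stamps in polls.items():
        if len(stamps) < MIN_POLLS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= MAX_JITTER:
            findings.append((src, "periodic_polling",
                             f"{url} every ~{round(mean)}s x{len(stamps)}"))
    return findings


if __name__ == "__main__":
    for src, rule, detail in analyze(SAMPLE_LOG):
        print(f"{src:<12} {rule:<20} {detail}")
```

Rule 1 is the restriction Rochberger recommends expressed as detection rather than blocking, which is the realistic first step in a network where someone does use Dropbox. Rule 3 is deliberately coarse; implants that randomize their sleep will pass it, so treat a clean result as "no obvious beacon," not as absence of C2.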
Palo Alto Networks also published indicators of compromise (IOCs) for CL-STA-1087, including SHA-256 hashes of the AppleChris variants and MemFun backdoor samples and the IP addresses of their C2 servers.
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.