Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware

Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Ravie LakshmananMar 13, 2026Cyber Espionage / Military Security A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations as part of a state-sponsored campaign that dates back to at least 2020. Palo Alto Networks Unit 42 is tracking the threat activity under the moniker CL-STA-1087, where CL refers to cluster, and STA stands for state-backed motivation. "The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft," security researchers Lior Rochberger and Yoav Zemah said. "The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces." The campaign exhibits hallmarks commonly associated with advanced persistent threat (APT) operations, including carefully crafted delivery methods, defense evasion strategies, highly stable operational infrastructure, and custom payload deployment designed to support sustained unauthorized access to compromised systems. The tools used by the threat actor in the malicious activity include backdoors named AppleChris and MemFun, and a credential harvester called Getpass. The cybersecurity vendor said it detected the intrusion set after identifying suspicious PowerShell execution, allowing the script to enter into a sleep state for six hours and then create reverse shells to a threat actor-controlled command-and-control (C2) server. The exact initial access vector used in the attack remains unknown. The infection sequence involves the deployment of AppleChris, different versions of which are dropped across target endpoints following lateral movement to maintain persistence and evade signature-based detection. The threat actors have also been observed conducting searches related to official meeting records, joint military activities, and detailed assessments of operational capabilities. "The attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems," the researchers noted. Both AppleChris variants and MemFun are designed to access a shared Pastebin account, which acts as a dead drop resolver to fetch the actual C2 address stored in Base64-decoded format. One version of AppleChris also relies on Dropbox to extract the C2 information, with the Pastebin-based approach used as a fallback option. The Pastebin pastes date back to September 2020. Launched via DLL hijacking, AppleChris initiates contact with the C2 server to receive commands that allow it to conduct drive enumeration, directory listing, file upload/download/deletion, process enumeration, remote shell execution, and silent process creation. The second tunneler variant represents an evolution of its predecessor, using just Pastebin to get the C2 address, in addition to introducing advanced network proxy capabilities. "To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime," Unit 42 said. "These variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively outlasting the typical monitoring windows of automated sandboxes." MemFun is launched by means of a multi-stage chain: an initial loader injects shellcode responsible for launching an in-memory downloader, whose main purpose is to retrieve C2 configuration details from Pastebin, communicate with the C2 server, and obtain a DLL that, in turn, triggers the execution of the backdoor. Since the DLL is fetched from the C2 at runtime, it gives threat actors the ability to easily deliver other payloads without having to change anything. This behavior transforms MemFun into a modular malware platform as opposed to a static backdoor like AppleChris. The execution of MemFun begins with a dropper that runs anti-forensic checks before altering its own file creation timestamp to match the creation time of the Windows System directory. Subsequently, it injects the main payload into the memory of a suspended process associated with "dllhost.exe" using a technique referred to as process hollowing. In doing so, the malware runs under the guise of a legitimate Windows process to fly under the radar and avoid leaving additional artifacts on disk.  Also put to use in the attacks is a custom version of Mimikatz known as Getpass that escalates privileges and attempts to extract plaintext passwords, NTLM hashes and authentication data directly from the "lsass.exe" process memory. "The threat actor behind the cluster demonstrated operational patience and security awareness," Unit 42 concluded. "They maintained dormant access for months while focusing on precision intelligence collection and implementing robust operational security measures to ensure campaign longevity." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, china, Credential Theft, cyber espionage, cybersecurity, Malware, Military Security, Palo Alto Networks, powershell, Threat Intelligence Trending News ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Load More ▼ Popular Resources Identity Controls Checklist: Find Missing Protections in Apps Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths