Inside a Chinese Espionage Campaign Targeting the Military

Palo Alto Networks' Unit 42 uncovers a suspected Chinese cyber espionage campaign | Credit: Getty
Palo Alto Networks’ Unit 42 uncovers a sophisticated espionage campaign using advanced new tooling to infiltrate military networks and intelligence

Just as uncertainty in the Middle East, and the risk of cyber warfare that comes with it, has put enterprise security teams on edge, news has emerged of further disruptive cyber activity, this time originating from China.

“We identified a cluster of malicious activity targeting Southeast Asian military organisations, suspected with moderate confidence to be operating out of China,” reads the article by threat researchers Lior Rochberger and Yoav Zemah from Palo Alto Networks’ Unit 42.

The actors behind this suspected state-sponsored activity were found to be ‘playing the long game’, with activity traced back to 2020.

Yoav Zemah, Threat Research at Palo Alto Networks

The operation was aimed at “highly targeted intelligence collection” as the threat actors “searched for and collected highly specific files concerning military capabilities, organisational structures and collaborative efforts with Western armed forces.”

Threat actors weaponised new backdoors 

The researchers found the long-operational APT group, which Unit 42 tracks as CL-STA-1087, deploying new tooling.

These tools include the AppleChris and MemFun backdoors and a custom Getpass credential harvester.

“The investigation began after Cortex XDR agents, newly deployed across the environment, detected suspicious PowerShell activity indicating an existing compromise. The detection revealed an ongoing attack targeting multiple endpoints within the network,” Yoav and Lior say. 


The attackers had established persistence on an unmanaged endpoint, which they used to remotely run malicious PowerShell scripts against other hosts.

When the attackers returned after a period of dormant activity, the newly deployed Cortex XDR triggered numerous security alerts.

AppleChris and MemFun

The researchers named the initial backdoor payload, pushed from the unmanaged endpoint to a server in the environment, AppleChris.

The name comes from a unique identifier seen in its code. The backdoor is deployed to establish and maintain covert access on compromised Windows systems.

Once inside a network, AppleChris communicates with its command‑and‑control infrastructure using dynamic resolution techniques to evade detection, allowing attackers to remotely execute commands, enumerate files and persistently monitor the host for intelligence of interest.

This tool highlights the sophistication and long‑term nature of modern state‑sponsored cyber threats focused on strategic data collection rather than broad disruption.

AppleChris causality chain | Credit: Palo Alto Networks

Analysts also discovered several variants of AppleChris. 

Another backdoor, which follows a similar pattern but differs in functionality, was named MemFun.

MemFun is a modular, in‑memory backdoor malware, which has an initial loader (“GoogleUpdate.exe”) that runs anti‑forensic checks and uses reflective DLL loading to avoid leaving artifacts on disk.

The different types of malware that use the same DDR technique | Credit: Palo Alto Networks

It retrieves its main payload from a command‑and‑control server and dynamically executes an exported function to carry out backdoor operations. 

Its modular design lets attackers deploy different components based on mission needs, making it a flexible platform for covert remote access and intelligence collection in targeted networks.

New credential harvester deployed 

Getpass is a custom credential‑harvesting tool identified by Unit 42 as part of a suspected China‑linked espionage campaign targeting military organisations in Southeast Asia.

It is a modified variant of the well‑known Mimikatz utility, repackaged to evade detection and deployed as a DLL under disguised filenames. 

Getpass extracts credentials from memory, including plaintext passwords, NTLM hashes and Windows authentication tokens, particularly from the lsass.exe process. 

Lior Rochberger, Principal Threat Researcher at Palo Alto Networks

Unlike standard Mimikatz, it automates its harvesting routine and logs stolen credentials to files rather than providing an interactive interface.

The harvested credentials enable the attackers to move laterally and maintain persistent access across compromised networks.
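As an added defender-side illustration (not from the Unit 42 report or this article), the following Python flags Sysmon-style ProcessAccess (Event ID 10) records in which a process outside a small allowlist opens lsass.exe with memory-read rights, or in which the call stack includes a module loaded from outside the Windows and Program Files trees, which is where a harvesting DLL planted under a disguised filename would appear. The log lines, paths, filenames and allowlist are constructed for the example.

```python
import re
from collections import namedtuple
from typing import Optional

# Constructed Sysmon-style Event ID 10 (ProcessAccess) records; not real telemetry, paths invented.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Windows\\System32\\csrss.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | "
    "GrantedAccess: 0x1FFFFF | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4e4",
    "SourceImage: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe | TargetImage: "
    "C:\\Windows\\System32\\lsass.exe | GrantedAccess: 0x1410 | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4e4",
    "SourceImage: C:\\Windows\\System32\\rundll32.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | "
    "GrantedAccess: 0x1010 | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4e4|C:\\Users\\Public\\update_helper.dll+2a1f0",
    "SourceImage: C:\\Windows\\System32\\svchost.exe | TargetImage: C:\\Windows\\System32\\spoolsv.exe | "
    "GrantedAccess: 0x1010 | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4e4",
]

PROCESS_VM_READ = 0x0010  # access right a Mimikatz-style tool needs to read LSASS memory
# Windows components that routinely open LSASS; an allowlist to be tuned per estate (assumed here).
KNOWN_LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe", "services.exe"}
FIELD_RE = re.compile(r"(\w+): (.*?)(?= \| \w+: |$)")
Finding = namedtuple("Finding", "source access suspicious_modules")

def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def outside_system_dirs(module: str) -> bool:
    p = module.lower()
    return "\\" in p and not p.startswith(("c:\\windows\\", "c:\\program files"))

def analyse(line: str) -> Optional[Finding]:
    ev = parse_event(line)
    if basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    access = int(ev.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None  # the handle cannot read LSASS memory, so no credential dump through it
    source = basename(ev.get("SourceImage", ""))
    # Strip the +offset from each CallTrace frame and keep modules loaded from non-system paths.
    modules = [frame.split("+")[0] for frame in ev.get("CallTrace", "").split("|")]
    suspicious = [m for m in modules if outside_system_dirs(m)]
    if source in KNOWN_LSASS_READERS and not suspicious:
        return None
    return Finding(source, access, suspicious)

def scan(lines) -> list:
    return [f for f in map(analyse, lines) if f is not None]
```

Running `scan(SAMPLE_EVENTS)` returns a single finding for the rundll32.exe access whose call stack includes a DLL under C:\Users\Public; the two allowlisted readers and the non-LSASS access are ignored.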

“Our analysis suggests that the attackers maintained communication with multiple compromised networks over an extended period, leveraging Pastebin and Dropbox for C2 distribution,” Yoav and Lior say.

“Notably, while the AppleChris Dropbox samples we encountered appeared to be older than the Tunneler samples, they were still functional and in active use at the time of our investigation. 

“Evidence suggests the threat actor behind the activity cluster continues to update their Dropbox account with updated infrastructure files.”

The Unit 42 report highlights a sophisticated, targeted espionage campaign using AppleChris, MemFun and Getpass to infiltrate military networks. 

These tools demonstrate advanced evasion, in‑memory execution and credential harvesting techniques, emphasising the persistent, state‑linked nature of modern cyber threats and the critical need for robust cybersecurity defences.
