Full Report
A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations as part of a state-sponsored campaign that dates back to at least 2020. Palo Alto Networks Unit 42 is tracking the threat activity under the moniker CL-STA-1087, where CL refers to cluster, and STA stands for state-backed motivation. "The activity demonstrated strategic operational patience and
Analysis Summary
# Threat Actor: CL-STA-1087
## Attribution & Identity
- **Name/Moniker:** CL-STA-1087 (Unit 42 nomenclature: CL = Cluster, STA = State-backed)
- **Suspected Origin:** China (State-sponsored)
- **Actor Type:** Advanced Persistent Threat (APT) / Cyber Espionage
## Activity Summary
CL-STA-1087 is a highly disciplined espionage group active since at least September 2020. The group is characterized by "strategic operational patience," focusing on the long-term collection of specific intelligence rather than high-volume data theft. Recent activity involves a campaign targeting military entities in Southeast Asia to extract data on strategic capabilities and Western military cooperation.
## Tactics, Techniques & Procedures
- **Staging & Persistence:** Use of DLL Hijacking (T1574.001) to launch backdoors and multi-stage infection chains.
- **Evasion Tactics:**
  - **Sandbox Evasion:** Use of sleep timers (30 to 120 seconds) to outlast automated monitoring windows.
  - **Anti-Forensics:** Altering malware file creation timestamps (timestomping) to match the Windows System directory.
  - **Delayed Execution:** PowerShell scripts programmed to sleep for six hours before initiating C2 contact.
- **Command and Control (C2):**
  - **Dead Drop Resolvers (T1102.001):** Utilizing Pastebin and Dropbox to host Base64-encoded C2 addresses.
  - **Modular Payloads:** Using in-memory downloaders to fetch secondary DLLs from C2 at runtime to avoid static detection.
- **Lateral Movement:** Deployment of varied AppleChris versions across endpoints to maintain persistent access.
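The dead-drop-resolver technique (T1102.001) listed above is easiest to hunt from the proxy side, and this also serves the network-monitoring item under Mitigations. The following is an added example written for this summary, not Unit 42's code and not taken from the report: it walks a constructed proxy log, flags fetches to Pastebin or Dropbox, decodes any Base64 blob in the retrieved body that resolves to an IP-based address (plain `ip:port` as well as `http://ip:port/path`, which goes slightly beyond the summary's wording), and marks hits from workstations on a sensitive-host list. The log line format, the paste and share URLs, the host list and the decoded addresses are all assumptions constructed for the example.

```python
"""Hunt for dead-drop-resolver fetches (T1102.001) in web-proxy logs.

Added illustration for this summary, not Unit 42 code. It assumes a
simple proxy log line format "timestamp client method url status" and a
lookup of fetched page bodies keyed by URL (for example from a proxy
content store); the log lines, page bodies, sensitive-host list and
decoded addresses are all constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Public services the report names as dead drops; subdomains count too.
DEAD_DROP_HOSTS = ("pastebin.com", "dropbox.com")
# Constructed placeholder for the inventory of sensitive workstations.
SENSITIVE_CLIENTS = {"10.20.30.41", "10.20.30.42"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# A run of Base64 alphabet long enough to hold an address, plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Plain "ip:port" or "scheme://ip[:port][/path]" once decoded.
SOCKET_RE = re.compile(r"^(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?:/\S*)?$")


@dataclass
class Finding:
    ts: str
    client: str
    url: str
    sensitive: bool
    c2: list = field(default_factory=list)


def is_dead_drop(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS)


def decode_c2_candidates(body: str) -> list:
    """Base64 blobs in a page body that decode to an IP-based C2 address."""
    found = []
    for blob in B64_RE.findall(body):
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii").strip()
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or not printable text: skip it
        if SOCKET_RE.match(text):
            found.append(text)
    return found


def hunt(log_lines, bodies) -> list:
    """Every dead-drop fetch, with decoded addresses and a sensitivity flag."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        if not is_dead_drop(host):
            continue
        findings.append(Finding(
            ts=m["ts"], client=m["client"], url=m["url"],
            sensitive=m["client"] in SENSITIVE_CLIENTS,
            c2=decode_c2_candidates(bodies.get(m["url"], "")),
        ))
    return findings


# Constructed sample data: documentation (TEST-NET) addresses, invented paste ids.
PASTE_URL = "https://pastebin.com/raw/k3Qx9ZzA"
SHARE_URL = "https://www.dropbox.com/s/abc123/c2.txt?dl=1"
SAMPLE_LOG = [
    f"2024-03-01T09:14:02Z 10.20.30.41 GET {PASTE_URL} 200",
    f"2024-03-01T09:14:05Z 10.20.30.41 GET {SHARE_URL} 200",
    f"2024-03-01T09:15:00Z 10.20.30.99 GET {PASTE_URL} 200",
    "2024-03-01T09:16:00Z 10.20.30.42 GET https://example.com/index.html 200",
]
SAMPLE_BODIES = {
    PASTE_URL: "notes\n" + base64.b64encode(b"198.51.100.23:443").decode() + "\n",
    SHARE_URL: base64.b64encode(b"http://203.0.113.77:8080/update").decode(),
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, SAMPLE_BODIES):
        print(f"{f.ts} {f.client} sensitive={f.sensitive} {f.url} c2={f.c2}")
```

Any decoded address is an indicator to pivot on (other hosts contacting it, firewall egress logs), and a fetch from a sensitive host with a decoded address is the high-priority case; a fetch with no decodable blob still deserves a look, since the resolver may rotate content or the body may not have been captured.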
## Targeting
- **Sectors:** Military and Defense.
- **Geography:** Southeast Asia.
- **Victims:** Southeast Asian military organizations; specifically those involved in joint activities or collaboration with Western armed forces.
- **Intelligence Interests:** Military capabilities, organizational structures, Command, Control, Communications, Computers, and Intelligence (C4I) systems, strategy documents, and official meeting records.
## Tools & Infrastructure
- **Malware Families:**
  - **AppleChris:** A backdoor used for drive enumeration, file manipulation, and remote shell execution.
  - **MemFun:** A modular malware platform and tunneler capable of injecting shellcode and fetching DLLs in-memory.
  - **Getpass:** A specialized credential harvesting tool.
- **Infrastructure:**
  - **Pastebin:** `pastebin[.]com` (Used as a dead drop resolver for C2 addresses).
  - **Dropbox:** `dropbox[.]com` (C2 information extraction).
  - **C2:** Actor-controlled servers (addresses decoded from Base64 via Pastebin/Dropbox).
## Implications
CL-STA-1087 represents a significant threat to regional stability in Southeast Asia. Their focus on C4I systems and Western military partnerships suggests the objective is to degrade the strategic advantage of regional militaries and gain insight into international defense alliances. Their "operational patience" indicates a high level of maturity and a likelihood of remaining undetected for years.
## Mitigations
- **Binary Integrity:** Implement strict controls and monitoring for DLL side-loading/hijacking in system directories.
- **Network Monitoring:** Monitor for unauthorized access to Pastebin and Dropbox from sensitive military workstations, particularly involving Base64-encoded traffic.
- **Behavioral Analysis:** Look for long-duration sleep cycles in PowerShell processes and suspicious "timestomping" activities where file metadata matches system folders exactly.
- **Credential Protection:** Deploy robust MFA and monitor for the execution of unauthorized credential harvesting tools like Getpass.
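The behavioral-analysis item above names two checks that are easy to express as code: long sleeps in PowerShell and timestomped files whose creation time matches the Windows System directory. The following is an added example for this summary, not Unit 42's code and not from the report. The sleep detector sums `Start-Sleep` and `Thread.Sleep` values in Script Block Logging text and flags blocks that wait an hour or more. The timestomping detector uses a standard NTFS forensic comparison that the report does not describe: `SetFileTime`-style back-dating rewrites the `$STANDARD_INFORMATION` creation time but not the `$FILE_NAME` one, so a `$SI` creation time that predates `$FN`, or that equals the OS install time for a file that `$FN` shows was created years later, is suspect. The script-block text, the file records and the install timestamp are constructed assumptions.

```python
"""Behavioural checks for two evasion patterns: multi-hour PowerShell sleeps
before C2 contact and timestomped files in the Windows System directory.

Added illustration for this summary, not Unit 42 code. Inputs are constructed:
Script Block Logging text (as in Event ID 4104) and file records carrying both
the $STANDARD_INFORMATION and $FILE_NAME creation times, as an MFT parser
would export them.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- 1. Long pre-C2 sleeps in PowerShell -----------------------------------
# Start-Sleep with -Seconds/-s, -Milliseconds/-ms or a positional value; the
# value may be a literal or a product of literals such as (6*3600).
START_SLEEP_RE = re.compile(
    r"Start-Sleep(?:\s+-(?P<unit>Seconds|Sec|S|Milliseconds|Ms|M))?\s+"
    r"\(?\s*(?P<expr>\d+(?:\s*\*\s*\d+)*)\s*\)?",
    re.IGNORECASE,
)
# .NET Thread.Sleep takes milliseconds.
THREAD_SLEEP_RE = re.compile(r"Thread\]::Sleep\(\s*(?P<expr>\d+(?:\s*\*\s*\d+)*)\s*\)")


def _product(expr: str) -> int:
    """Evaluate '6 * 60 * 60' without eval(): only integer products are accepted."""
    result = 1
    for factor in expr.split("*"):
        result *= int(factor)
    return result


def total_sleep_seconds(script_text: str) -> float:
    """Sum every sleep call found in one script block, normalised to seconds."""
    seconds = 0.0
    for m in START_SLEEP_RE.finditer(script_text):
        value = _product(m.group("expr"))
        unit = (m.group("unit") or "seconds").lower()
        seconds += value / 1000 if unit.startswith("m") else value
    for m in THREAD_SLEEP_RE.finditer(script_text):
        seconds += _product(m.group("expr")) / 1000
    return seconds


def flag_long_sleeps(blocks, threshold_seconds=3600):
    """(block_id, seconds) for every block whose total sleep reaches the threshold."""
    return [(bid, total_sleep_seconds(text)) for bid, text in blocks
            if total_sleep_seconds(text) >= threshold_seconds]


# --- 2. Timestomped binaries in the System directory ------------------------
@dataclass
class FileRecord:
    path: str
    si_created: datetime  # $STANDARD_INFORMATION created: what SetFileTime rewrites
    fn_created: datetime  # $FILE_NAME created: not reachable through SetFileTime


def timestomp_indicators(rec, system_install_time, tolerance=timedelta(seconds=1)):
    """Reasons a record looks back-dated; an empty list means nothing suspicious."""
    reasons = []
    if rec.fn_created - rec.si_created > tolerance:
        reasons.append("$SI created predates $FN created")
    # Creation time equal to the OS install time although $FN shows the file
    # arrived much later: the 'match the Windows System directory' trick.
    if (abs(rec.si_created - system_install_time) <= tolerance
            and rec.fn_created - system_install_time > timedelta(days=1)):
        reasons.append("creation time copied from the OS install baseline")
    # Whole-second $SI next to a sub-second $FN: weaker hint of a tool that
    # wrote the time with second granularity.
    if rec.si_created.microsecond == 0 and rec.fn_created.microsecond != 0:
        reasons.append("whole-second $SI timestamp")
    return reasons


def scan_timestomping(records, system_install_time):
    flagged = []
    for rec in records:
        reasons = timestomp_indicators(rec, system_install_time)
        if reasons:
            flagged.append((rec.path, reasons))
    return flagged


# Constructed inputs; the install time would come from a known-good OS inventory.
SYSTEM_INSTALL_TIME = datetime(2021, 5, 4, 10, 0, 0, 732110)
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\System32\sysfile.dll", SYSTEM_INSTALL_TIME, SYSTEM_INSTALL_TIME),
    FileRecord(r"C:\Windows\System32\loader.dll",
               datetime(2021, 5, 4, 10, 0, 0),             # copied install time, whole second
               datetime(2024, 2, 28, 3, 12, 44, 123456)),  # when the file really arrived
    FileRecord(r"C:\Users\analyst\Documents\report.docx",
               datetime(2024, 1, 10, 8, 30, 5, 41233),
               datetime(2024, 1, 10, 8, 30, 5, 41233)),
]
SAMPLE_SCRIPT_BLOCKS = [
    ("block-1", "Start-Sleep -Seconds 21600\n# C2 contact follows"),
    ("block-2", "Start-Sleep -Milliseconds 500\nGet-ChildItem C:\\Temp"),
    ("block-3", "[System.Threading.Thread]::Sleep(6 * 60 * 60 * 1000)"),
    ("block-4", "Start-Sleep 120"),
]
```

Block-4 sleeps for 120 seconds, inside the 30-to-120-second sandbox-evasion range named above; it stays below the one-hour threshold here, so a second, lower threshold scoped to newly seen scripts is a reasonable tuning. The `$FN` comparison needs an MFT parser rather than `Get-Item`, because the file system API only exposes the `$SI` times.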