
"The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces. The attackers showed particular interest in files related to military organizational structures and strategy, including command, control, and collaborative military activities."
"Likely ongoing since at least 2020 and attributed to a state-sponsored threat actor tracked as CL-STA-1087, the activity shows a high degree of patience, as the attackers stayed dormant in the compromised environments for months. In at least one instance, CL-STA-1087 had access to an organization's environment for months before resuming its operations."
"The hackers deployed PowerShell scripts designed to create reverse shells to a command-and-control server and used the access to drop the AppleChris backdoor. They relied on WMI and native Windows .NET commands to infect domain controllers, web servers, IT workstations, and executive-level systems, creating new services for persistence and payload execution."
A state-sponsored Chinese threat actor designated CL-STA-1087 has conducted a sustained cyberespionage campaign against Southeast Asian military organizations since 2020. The attackers demonstrate exceptional patience, remaining dormant in compromised environments for months before resuming operations. They deployed custom tools including AppleChris and MemFun backdoors alongside the Getpass credential stealer. The campaign focused on collecting highly specific intelligence regarding military capabilities, organizational structures, and collaborative efforts with Western armed forces. Attackers used PowerShell scripts to establish reverse shells, leveraged WMI and Windows .NET commands for lateral movement across domain controllers and executive systems, and employed DLL hijacking techniques for persistence. The initial infection vector remains unidentified.
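Added example, not code from the SecurityWeek article: a small hunting script that runs three heuristics tied to the tradecraft summarized above (new services that launch PowerShell, service binaries in user-writable paths, and PowerShell spawned by the WMI provider host) over constructed, simplified event records. The key=value log format, host names, service names and the encoded-command value are assumptions made for the example.

```python
import re

# Constructed sample events in a flat key=value form (not real telemetry).
SAMPLE_LOG = """\
EventID=7045 Host=DC01 ServiceName=WinUpdSvc ImagePath="C:\\ProgramData\\upd\\svc.exe" Account=LocalSystem
EventID=7045 Host=DC01 ServiceName=Helper ImagePath="powershell.exe -nop -w hidden -enc QUJD" Account=LocalSystem
EventID=4688 Host=WEB02 ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe NewProcess=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
EventID=4688 Host=WS17 ParentImage=C:\\Windows\\explorer.exe NewProcess=C:\\Windows\\System32\\notepad.exe
EventID=7045 Host=WS17 ServiceName=Spooler2 ImagePath="C:\\Windows\\System32\\spoolsv.exe" Account=LocalSystem
"""

# key=value pairs, where a value is either "quoted with spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Service binary living somewhere an unprivileged user can write to.
USER_WRITABLE = re.compile(r'\\(ProgramData|Users|Temp|AppData)\\', re.I)
# Service image that is really a PowerShell launcher with evasion-style switches.
PS_LAUNCHER = re.compile(r'powershell(\.exe)?\b.*(-enc|-encodedcommand|-w\s+hidden|-nop)', re.I)

def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict of field -> value."""
    return {k: (q or b) for k, q, b in FIELD_RE.findall(line)}

def check_service_install(ev: dict) -> list:
    """Heuristics for a service-installation event (ID 7045): persistence via new services."""
    if ev.get("EventID") != "7045":
        return []
    path = ev.get("ImagePath", "")
    findings = []
    if PS_LAUNCHER.search(path):
        findings.append("service_runs_powershell")
    if USER_WRITABLE.search(path):
        findings.append("service_binary_in_user_writable_path")
    return findings

def check_process_creation(ev: dict) -> list:
    """Heuristic for a process-creation event (ID 4688): WMI provider host launching PowerShell."""
    if ev.get("EventID") != "4688":
        return []
    parent = ev.get("ParentImage", "").lower()
    child = ev.get("NewProcess", "").lower()
    if parent.endswith("wmiprvse.exe") and child.endswith("powershell.exe"):
        return ["wmi_spawned_powershell"]
    return []

def scan(log: str) -> list:
    """Return (line_number, host, finding) for every heuristic hit in the log text."""
    results = []
    for n, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        for finding in check_service_install(ev) + check_process_creation(ev):
            results.append((n, ev.get("Host"), finding))
    return results

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Each hit is a lead to triage, not a verdict: legitimate software does install services under ProgramData, so the value is in correlating these events with the dormant-then-active timing pattern the article describes.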
#cyberespionage #southeast-asian-military #state-sponsored-threat-actor #custom-malware #lateral-movement
Read at SecurityWeek