Suspected China-based operation targets Southeast Asian military organizations

A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations and collected specific military files since at least 2020, according to a technical analysis by Palo Alto Networks Unit 42.

KEY FACTS

  • Target: Southeast Asian military organizations
  • Timeline: activity traced to at least 2020, with Pastebin entries dating from September 2020
  • Malware: the AppleChris and MemFun backdoors and the Getpass credential harvester
  • Techniques: DLL hijacking, process hollowing, Pastebin dead drop

The intrusion sequence began with suspicious PowerShell execution that entered a sleep state before creating reverse shells to a command and control server. The initial access vector remains unknown.

AppleChris variants were deployed across endpoints to maintain persistence. One variant retrieved Base64-encoded C2 addresses from Dropbox and Pastebin and used DLL hijacking to load a backdoor capable of file operations and remote shell commands.

MemFun used a multi-stage loader that injects shellcode, runs an in-memory downloader, fetches its configuration from Pastebin, and retrieves a DLL at runtime. The DLL is executed via process hollowing in a suspended dllhost.exe process, and the dropper alters file timestamps so the dropped files blend in with system files.

The threat actor also used a custom Mimikatz build named Getpass to extract credentials and employed sandbox evasion by delaying execution. The campaign focused on precise intelligence collection of C4I structures and records of joint activities.
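The behaviours described above (dead-drop resolution via Pastebin and Dropbox, hollowing into dllhost.exe, timestomping of dropped files, and a PowerShell stage that opens a reverse shell after sleeping) each leave a telemetry footprint. The following added example, which is not code from the Unit 42 report, shows heuristic detection rules for those footprints run over constructed Sysmon-style events. Field names (EventID, Image, CommandLine, QueryName, DestinationHostname, CreationUtcTime, PreviousCreationUtcTime) follow Sysmon's schema; the sample events, file paths, process names and addresses are constructed and the thresholds are assumptions, not indicators from the report.

```python
"""Heuristic detections for the tradecraft described in the article.

Added example, not from the Unit 42 analysis. Events are dicts shaped like
Sysmon records; the SAMPLE_EVENTS below are constructed for illustration.
"""
from datetime import datetime

# Hosts the article names as dead-drop resolvers (hostnames are real services;
# which process may legitimately contact them is an assumption).
DEAD_DROP_HOSTS = ("pastebin.com", "dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
# Assumed internal ranges; adjust to the monitored network.
INTERNAL_PREFIXES = ("10.", "192.168.", "127.")


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(value):
    """Parse a Sysmon UTC timestamp such as '2020-09-14 10:22:33.123'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def check_dead_drop(ev):
    """Sysmon 22 (DNS query) or 3 (network connection) to a dead-drop host from a non-browser."""
    if ev["EventID"] not in (3, 22):
        return None
    host = (ev.get("QueryName") or ev.get("DestinationHostname") or "").lower()
    proc = _basename(ev["Image"])
    if proc in BROWSERS:
        return None
    if any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS):
        return f"dead-drop resolver contact: {proc} -> {host}"
    return None


def check_dllhost_no_processid(ev):
    """Sysmon 1: dllhost.exe normally runs as a COM surrogate with /Processid:{GUID}.

    An instance started with no such argument is a hollowing candidate (heuristic).
    """
    if ev["EventID"] != 1 or _basename(ev["Image"]) != "dllhost.exe":
        return None
    if "/processid:" not in ev.get("CommandLine", "").lower():
        return (f"dllhost.exe without /Processid (pid {ev['ProcessId']}, "
                f"parent {_basename(ev['ParentImage'])})")
    return None


def check_timestomp(ev):
    """Sysmon 2: a file's creation time rewritten to an earlier value (timestomping)."""
    if ev["EventID"] != 2:
        return None
    new, old = _ts(ev["CreationUtcTime"]), _ts(ev["PreviousCreationUtcTime"])
    if new < old:
        return (f"creation time moved back {(old - new).days} days on "
                f"{ev['TargetFilename']} by {_basename(ev['Image'])}")
    return None


def check_powershell_outbound(ev):
    """Sysmon 3: PowerShell initiating a connection to a non-internal address (reverse-shell stage)."""
    if ev["EventID"] != 3 or _basename(ev["Image"]) != "powershell.exe":
        return None
    dst = ev.get("DestinationIp", "")
    if ev.get("Initiated") == "true" and not dst.startswith(INTERNAL_PREFIXES):
        return f"powershell.exe outbound to {dst}:{ev.get('DestinationPort')}"
    return None


RULES = (check_dead_drop, check_dllhost_no_processid, check_timestomp, check_powershell_outbound)


def analyze(events):
    """Run every rule over every event; return (EventID, rule name, message) tuples."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev["EventID"], rule.__name__, hit))
    return findings


# Constructed sample telemetry: one benign and one suspicious record per rule.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe", "ProcessId": 1200,
     "CommandLine": "dllhost.exe /Processid:{12345678-1234-1234-1234-123456789ABC}",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe", "ProcessId": 4412,
     "CommandLine": "dllhost.exe", "ParentImage": r"C:\Users\Public\update.exe"},
    {"EventID": 22, "Image": r"C:\Users\Public\update.exe", "QueryName": "pastebin.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "pastebin.com"},
    {"EventID": 2, "Image": r"C:\Users\Public\update.exe",
     "TargetFilename": r"C:\Windows\System32\wbem\helper.dll",
     "CreationUtcTime": "2019-03-19 04:37:21.000",
     "PreviousCreationUtcTime": "2021-02-11 09:14:02.000"},
    {"EventID": 3, "Image": PS, "Initiated": "true", "DestinationIp": "203.0.113.25", "DestinationPort": 443},
    {"EventID": 3, "Image": PS, "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": 5985},
]

if __name__ == "__main__":
    for event_id, rule, message in analyze(SAMPLE_EVENTS):
        print(f"[Sysmon {event_id}] {rule}: {message}")
```

Each rule is deliberately narrow so it can be tuned separately: the dllhost.exe and timestomp checks key on artefacts the article attributes to MemFun, while the dead-drop and PowerShell checks cover the AppleChris retrieval and initial-stage behaviour. In a real deployment the browser and internal-range allow-lists would be replaced with the environment's own baselines, and the timestomp rule would be scoped to exclude installers and patch agents that legitimately rewrite creation times.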

WHY IT MATTERS

Targeted collection of command, control, communications, computers, and intelligence (C4I) files could inform operational planning and partnerships in the region. Modular malware and long-dormant access increase the challenge of detection and remediation.