More details have emerged about suspected Chinese-linked actors who quietly established long-term access to the networks of military organizations in Southeast Asia. In a threat report published last week, Palo Alto Networks' Unit 42 incident response team described a large cyberespionage campaign that it assesses with moderate confidence to be run by Chinese state-sponsored actors. The finding came shortly after the team uncovered a similar, years-long campaign targeting critical sectors in the region.

Unit 42 tracks the threat activity as CL-STA-1087. It was first detected when newly deployed agents of Palo Alto Networks' Cortex XDR platform flagged unusual PowerShell activity on a victim's network. Unit 42 researchers determined that the activity had been going on since at least 2020.

The researchers found new backdoor malware and a custom credential-stealing tool called Getpass, but the initial access vector used to get into the organization remains unknown. Rochberger says that Palo Alto Networks has seen legitimate services used for C2 infrastructure more and more often. "That trend has sped up with the rise of AI tools and cloud services that make it easy to get access without revealing your identity."

Rochberger says that organizations should pay closer attention to how their networks connect to well-known services such as Dropbox and Pastebin, because abuse of these services is on the rise. "If your company doesn't officially use or approve certain content hosting or storage services, we strongly suggest limiting access," she says.

"At the very least, businesses should set up strong monitoring and alerting for any strange traffic to these platforms. The truth is that threat actors pick these services on purpose because they look like normal internet traffic and security teams often miss them." Palo Alto Networks also released indicators of compromise (IOCs) for CL-STA-1087.

These included the SHA256 hashes of AppleChris variants and MemFun backdoors, as well as the IP addresses of the C2 servers.
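The monitoring that Rochberger recommends above can be approximated from ordinary proxy logs: keep a list of content-hosting and paste services that are known to be abused for C2, compare each outbound connection to those services against the organization's approved list, and alert on connections that are unapproved, that come from a non-browser client such as a PowerShell script, or that repeat at a rate suggesting a beacon. The script below is an added example written for this article, not code from Unit 42 or Palo Alto Networks; the log format, the approved-service list, the beacon threshold and the log lines themselves are constructed assumptions (Dropbox and Pastebin are the services the article names).

```python
"""Flag outbound traffic to content-hosting services that an organization
has not approved, using a constructed proxy log. Added example; the log
format and thresholds are assumptions, not part of any vendor report."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Services the article names as abused for C2; the category labels are ours.
WATCHED_SERVICES = {
    "dropbox.com": "file hosting",
    "dropboxusercontent.com": "file hosting",
    "pastebin.com": "text paste",
}

# Assumption: this (hypothetical) organization has formally approved Dropbox only.
APPROVED_SERVICES = {"dropbox.com", "dropboxusercontent.com"}

# Substrings that identify scripted clients rather than an interactive browser.
NON_BROWSER_UA_MARKERS = ("WindowsPowerShell/", "PowerShell/", "python-requests", "curl/")

# Requests from one client to one watched service above which we call out a
# possible beacon (assumption: tune to the environment).
BEACON_THRESHOLD = 5


@dataclass(frozen=True)
class Finding:
    src: str
    user: str
    host: str
    reason: str


def constructed_log() -> list[str]:
    """Constructed sample lines: timestamp src user method url status user-agent."""
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    # Invoke-WebRequest style user agent seen from a scripted PowerShell client.
    ps = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
    lines = [
        f"2024-05-01T08:59:01Z 10.1.2.3 jsmith GET https://www.example.org/ 200 {browser}",
        f"2024-05-01T08:59:07Z 10.1.2.3 jsmith GET https://www.dropbox.com/home 200 {browser}",
    ]
    for i in range(6):  # one service account polling Pastebin every minute
        lines.append(
            f"2024-05-01T09:0{i}:00Z 10.1.2.9 svc-build GET "
            f"https://pastebin.com/raw/abcd1234 200 {ps}"
        )
    return lines


def parse_line(line: str) -> dict | None:
    """Split one log line into fields; the user agent may contain spaces."""
    parts = line.split(maxsplit=6)
    if len(parts) != 7:
        return None
    ts, src, user, method, url, status, ua = parts
    host = (urlparse(url).hostname or "").lower()
    return {"ts": ts, "src": src, "user": user, "url": url, "ua": ua, "host": host}


def watched_service(host: str) -> str | None:
    """Return the watched domain that host equals or is a subdomain of."""
    for domain in WATCHED_SERVICES:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def analyze(lines: list[str]) -> list[Finding]:
    """Return deduplicated findings for traffic to watched services."""
    findings: list[Finding] = []
    seen: set[Finding] = set()
    counts: Counter[tuple[str, str, str]] = Counter()

    def add(src: str, user: str, host: str, reason: str) -> None:
        f = Finding(src, user, host, reason)
        if f not in seen:
            seen.add(f)
            findings.append(f)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domain = watched_service(rec["host"])
        if domain is None:
            continue
        counts[(rec["src"], rec["user"], domain)] += 1
        if domain not in APPROVED_SERVICES:
            add(rec["src"], rec["user"], domain, f"unapproved {WATCHED_SERVICES[domain]} service")
        # A scripted client talking to a file-hosting service is notable even when approved.
        if any(marker in rec["ua"] for marker in NON_BROWSER_UA_MARKERS):
            add(rec["src"], rec["user"], domain, "non-browser user agent")

    for (src, user, domain), n in counts.items():
        if n >= BEACON_THRESHOLD:
            add(src, user, domain, f"{n} requests to one watched service, possible beacon")
    return findings


if __name__ == "__main__":
    for f in analyze(constructed_log()):
        print(f"{f.src} ({f.user}) -> {f.host}: {f.reason}")
```

The browser visit to the approved Dropbox service produces nothing, while the service account polling Pastebin from PowerShell triggers all three checks on the same source and destination; in practice the watched list, the approved list and the threshold would come from the organization's own policy and baseline rather than the constants above.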