The advanced cyber espionage campaign tracked as CL-STA-1087 has compromised military organizations across Southeast Asia. The operation has been running for a long time and relies on custom backdoors and credential-theft tools to obtain sensitive military information. Analysts assess with moderate confidence that a China-aligned threat actor runs this persistent operation.
Rather than stealing data in bulk, the attackers focus on high-value targets such as military structures, command and control systems, and data from joint operations. They consistently operate during UTC+8 business hours and host their infrastructure with China-based cloud providers. Researchers have not formally attributed the activity to a specific PolySwarm-tracked threat group, but many indicators point to a Chinese origin.
Getpass, a heavily modified version of the well-known Mimikatz tool, is used by the campaign to harvest plaintext passwords and network authentication hashes. It also uses unique Blowfish encryption keys generated on the fly for each session, which keeps its network traffic well hidden.
The AppleChris backdoor uses a Dead Drop Resolver to locate its command-and-control infrastructure: it retrieves encoded data from services such as Dropbox and Pastebin and decrypts it with a built-in private key, leaving defenders few static network indicators to block. It actively evades detection by altering file timestamps (timestomping) and hiding its code inside legitimate system processes such as the Windows DLL host. Once connected, AppleChris lets the attackers modify files, monitor running processes, and execute commands remotely over custom HTTP requests.
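Two of the behaviours above leave traces a defender can hunt for: a system host process such as dllhost.exe fetching a dead-drop page from Pastebin or Dropbox, and file timestamps that were backdated. The following is an added illustration, not code from the original report or from the campaign; the telemetry field names and sample events are constructed, and the $STANDARD_INFORMATION/$FILE_NAME comparison assumes NTFS MFT records are available.

```python
from datetime import datetime

# Dead-drop services named in the report; suffix-matched below.
DEAD_DROP_HOSTS = {"pastebin.com", "dropbox.com", "dropboxusercontent.com"}
# System host processes that have no business reaching paste or file-sharing sites.
HOST_PROCESSES = {"dllhost.exe", "svchost.exe", "rundll32.exe"}

# Constructed sample telemetry (hypothetical field names).
NETWORK_EVENTS = [
    {"ts": "2024-03-04T02:15:10Z", "process": "chrome.exe", "dest": "dropbox.com"},
    {"ts": "2024-03-04T02:16:42Z", "process": "dllhost.exe", "dest": "pastebin.com"},
    {"ts": "2024-03-04T02:17:01Z", "process": "dllhost.exe", "dest": "ctldl.windowsupdate.com"},
]

# Constructed MFT records: si_* from $STANDARD_INFORMATION, fn_* from $FILE_NAME.
MFT_RECORDS = [
    {"path": r"C:\Windows\System32\drivers\etc\hosts",
     "si_modified": "2019-12-07T09:14:52Z", "fn_created": "2019-12-07T09:14:52Z"},
    {"path": r"C:\ProgramData\svc\loader.dll",
     "si_modified": "2012-01-01T00:00:00Z", "fn_created": "2024-03-04T02:16:55Z"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_dead_drop_host(dest):
    """Match the host itself or any subdomain of it, never a look-alike suffix."""
    d = dest.lower()
    return any(d == h or d.endswith("." + h) for h in DEAD_DROP_HOSTS)


def dead_drop_hits(events):
    """Events where a system host process reached a dead-drop service."""
    return [e for e in events
            if e["process"].lower() in HOST_PROCESSES and is_dead_drop_host(e["dest"])]


def timestomp_hits(records):
    """$SI timestamps are writable from user mode; $FN is set by the kernel.
    A $SI modified time earlier than the $FN created time means $SI was backdated."""
    return [r for r in records
            if parse_ts(r["si_modified"]) < parse_ts(r["fn_created"])]


if __name__ == "__main__":
    for e in dead_drop_hits(NETWORK_EVENTS):
        print("dead-drop lookup:", e["ts"], e["process"], e["dest"])
    for r in timestomp_hits(MFT_RECORDS):
        print("timestomped file:", r["path"])
```

Correlating both hits by time (the backdated loader.dll appears seconds after the dllhost.exe lookup) gives a stronger signal than either alone.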