Chinese Espionage Campaign Targeting Southeast Asian Military Organizations
Two backdoors, AppleChris and MemFun, have been discovered to be part of a prolonged espionage campaign against military entities in Southeast Asia. This activity, attributed to state-sponsored actors from China, emphasizes strategic intelligence gathering over broad data theft.
The campaign has been active since at least 2020, characterized by persistent access and the meticulous collection of sensitive military documents, including organizational details and joint military operations with Western forces. The attackers exhibited patience by maintaining a dormant foothold for months, waiting for strategic opportunities to exploit their access further.
Main Analysis
Utilizing sophisticated malware, the attackers proficiently spread across compromised networks using methods such as Windows Management Instrumentation (WMI) and PowerShell scripts, which were triggered to establish connection with multiple command and control (C2) servers. Initial infections likely occurred through an untracked vector, with subsequent operations revealing a structured approach to capturing sensitive data—from operational capabilities to strategic military documents. The attackers demonstrated a preference for detailed reconnaissance rather than indiscriminate data hoarding.
Figures included in the analysis illustrate how the attackers implemented their operations. For instance, Figure 1 highlights the PowerShell command line used to execute remote scripts and establish reverse shells to the identified C2 infrastructure (IP addresses: 154.39.142.177, 154.39.137.203, 8.212.169.27, and 109.248.24.177). This indicates the attackers’ reliance on sophisticated tooling balanced with operational security practices.
The adaptation of tools such as the unique AppleChris backdoor reflects a nuanced approach to maintaining covert access while employing obfuscation techniques. This technique involves systematic file searches that target files specifically related to military strategies and collaborations, clearly indicating the attackers’ objective-oriented approach.
Defensive Context
Organizations, particularly in Southeast Asia’s military sector, need to be acutely aware of this persistent threat given its focus on sensitive governmental information. Notably, military networks, which typically house critical national security information, are at heightened risk due to their role in regional and international operations.
Entities engaged with military engagements or collaborations with these Southeast Asian forces must closely monitor network activities and maintain stringent protections against unauthorized access or suspicious activity. This actor’s Chinese nexus makes it necessary for any associated organization to validate their security postures against tailored and sophisticated attack strategies.
Why This Matters
The risk from the CL-STA-1087 cluster emphasizes the need for advanced persistent threat (APT) awareness, particularly given the strategic intelligence focus that directly undermines military readiness and operational security. Historical analysis suggests that militaries or organizations involved in defense collaboration with Southeast Asian nations should prioritize detection mechanisms against this nuanced threat.
Indicators of Compromise (IOCs)
The following notable IOCs are directly associated with the campaign:
-
C2 IP Addresses:
- 154.39.142.177
- 154.39.137.203
- 8.212.169.27
- 109.248.24.177
-
SHA256 Hashes:
- AppleChris Tunnel Variant: 9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500
- MemFun: ad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad
The precision and focus of this campaign suggest a well-resourced operation, indicative of state-backed motivations and the need for ongoing vigilance in military and sensitive government sectors.
