Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia

By: Lior Rochberger, Yoav Zemah
Published: March 12, 2026
Categories: Malware, Nation-State Cyberattacks, Threat Research

Executive Summary

We identified a cluster of malicious activity targeting Southeast Asian military organizations, which we assess with moderate confidence to be operating out of China. We designate this cluster CL-STA-1087; the STA label represents our assessment that the activity is conducted by state-sponsored actors. We traced the activity back to at least 2020.

The activity shows strategic operational patience and a focus on highly targeted intelligence collection rather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures and collaborative efforts with Western armed forces.

The objective-oriented tool set used in this activity includes several newly discovered assets: the AppleChris and MemFun backdoors and a custom credential harvester, Getpass.

This persistent espionage campaign against regional military entities is characterized by custom-developed tools and highly stable operational infrastructure. We share our analysis of the attackers' methods and tools to help defenders detect and protect against these attacks.
Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:
Advanced URL Filtering and Advanced DNS Security
Advanced WildFire
Cortex XDR and XSIAM
Cortex Cloud
Cortex Cloud Identity Security

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics: Advanced Persistent Threat (APT), CL-STA-1087, Backdoor, C2, Mimikatz

Playing the Long Game

The investigation began after Cortex XDR agents, newly deployed across the environment, detected suspicious PowerShell activity indicating an existing compromise. The detection revealed an ongoing attack targeting multiple endpoints within the network. The attackers had established persistence on an unmanaged endpoint, which they used to execute malicious PowerShell scripts remotely on selected systems. The script content is shown in Figure 1.

Figure 1. The decoded PowerShell script that was passed as a command-line argument.

The PowerShell scripts were designed to sleep for six hours (21,600 seconds) and then open a reverse shell to one of four command and control (C2) servers:
154.39.142[.]177
154.39.137[.]203
8.212.169[.]27
109.248.24[.]177

Our analysis of the timeline and of the script deployment patterns indicated that this was part of an established intrusion already in progress. The initial infection vector remains undetermined.

After the persistence mechanism was identified, the environment appeared dormant for several months, with no observable malicious activity. We assess that the attackers deliberately maintained their foothold, waiting for an opportune moment to resume operations.

Returning to the Network

When the attackers renewed active operations from the unmanaged endpoint, multiple security alerts were triggered, as Figure 2 shows.

Figure 2. Alerts triggered by CL-STA-1087 activity, as seen in Cortex XDR.
The alerts indicated the deployment of several malicious tools and suspicious activity across the compromised environment, including outbound C2 communications, lateral movement and persistence.

Spreading Across the Network

The renewed campaign began with the attackers delivering an initial backdoor payload from the unmanaged endpoint to a server in the environment. We named this backdoor AppleChris, after the 0XFEXYCDAPPLE05CHRIS mutex that forms part of the malware infection chain. From this initial foothold, the attackers orchestrated a systematic spread across the network. They used a combination of Windows Management Instrumentation (WMI) and native Windows .NET commands to deploy the malware to additional endpoints, as Figure 3 shows.

Figure 3. AppleChris causality chain.

The attackers targeted critical network infrastructure components:
Domain controllers
Web servers
IT workstations
Executive-level assets

To establish persistence, the attackers created a new service to facilitate payload execution. They also carried out DLL hijacking by storing a malicious DLL in the system32 folder and registering it to be loaded by the existing Volume Shadow Copy Service.

While the core of the AppleChris malware remained consistent throughout the campaign, the attackers deployed different variants across target endpoints. This approach was likely taken to maintain persistence across diverse system configurations and to evade detection by varying their operational signatures. The list of variants observed and analyzed is available in the New and Undocumented Tools section.

Strategic Intelligence Collection

After moving laterally through the network and establishing persistence, the attackers began to collect data.
We observed highly selective searches for sensitive files related to:
Official meeting records
Joint military activities
Detailed assessments of operational capabilities

The attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers and intelligence (C4I) systems.

New and Undocumented Tools

During our investigation, we identified two different backdoors deployed by the attackers: AppleChris and MemFun. The backdoors differ in functionality and capabilities but share a common pattern: both use custom HTTP verbs and the dead drop resolver (DDR) technique to access a shared Pastebin account. Figure 4 shows that both backdoors use the same Pastebin repository to resolve their respective C2 addresses.

Figure 4. The different types of malware that use the same DDR technique.

AppleChris Backdoor

Our analysis revealed multiple variants of the AppleChris backdoor. We recovered different types of Portable Executable (PE) files and categorized them into two primary variants, based on their functionality and compilation timestamp. The variants share similar core backdoor functionality but differ in their DDR implementation strategies:

Dropbox variant: the initial iteration, representing the earlier development phase, with the filename swrpv.sys. This variant implements a dual DDR approach, using an attacker-controlled Dropbox account as the primary DDR source and falling back to a Pastebin-based DDR as a secondary option.

Tunneler variant: the more recent variant, with expanded capabilities, using the names swrpv.sys, update.exe and Googleupdate.exe. It represents a streamlined evolution that consolidates to a single Pastebin-based DDR while introducing advanced network proxy capabilities.

At the time of our investigation, both variants were still in use. A detailed comparison table of notable features of both variants is available in Appendix A.
The following analysis focuses on the more recent Tunneler variant and demonstrates the full spectrum of AppleChris capabilities.

Initial Execution and Evasion

AppleChris enables flexible deployment through multiple PE variants. Some variants operate as standalone executables; others are deployed as DLLs, using various persistence techniques. In several observed instances, the attackers performed DLL hijacking by placing the malicious AppleChris DLL, swprv32.sys, in the system32 directory. They then established persistence by registering the malicious DLL as a component of the Volume Shadow Copy Service. This allowed the malware to run with the service's elevated privileges while masquerading as a legitimate Windows process to evade detection.

To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime. These variants delay execution with sleep timers of 30 seconds (EXE) and 120 seconds (DLL), long enough to outlast the typical monitoring windows of automated sandboxes. Single-instance execution is enforced via the 0XFEXYCDAPPLE05CHRIS mutex: the process terminates if another instance is detected.

C2 Resolution Using DDR

AppleChris employs a DDR technique to resolve its C2 server IP address dynamically. This approach evades static block lists and hard-coded indicator-of-compromise (IoC) detection, and it gives the operators the flexibility to change C2 infrastructure without redeploying malware.

The backdoor accesses a specific Pastebin URL to retrieve the encrypted C2 IP address. The retrieved content undergoes a two-stage decoding process:
The raw text is Base64-decoded
The decoded bytes are decrypted using an embedded RSA-1024 private key

This ensures that even if the Pastebin account is discovered, the C2 address cannot be read from the paste alone, because the private key needed to decrypt it is embedded within the malware. The flip side for defenders is that the key ships inside every sample: an analyst who recovers the binary can extract the private key and decrypt current and future pastes from the same account.
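To make the key handling concrete, here is an added model of the scheme, written for this article and not code from the AppleChris sample: the operator publishes Base64(RSA_encrypt(C2 IP)) to a dead drop, and the implant resolves it with the Base64-then-RSA two-stage process described above, trying each drop in order (which also models the Dropbox variant's primary drop with Pastebin fallback). It additionally builds and parses the session-registration blob described in the next section, encrypted under a second key pair whose private half lives on the C2 server. Textbook RSA over Python integers stands in for the sample's embedded RSA-1024 key (no padding, 512-bit keys for speed), and the Base64 wrapping of the registration payload, the field layout parser and the fetcher callbacks are assumptions of this example, not observed behaviour.

```python
"""Toy model of the AppleChris dead-drop-resolver flow and session registration.
Added example for this page, not code from the sample. Textbook RSA without
padding models the embedded RSA-1024 key; do not reuse as a crypto library."""
import base64
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for demo keys."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). 512 bits keeps the demo fast; the sample used 1024."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_encrypt(data, pub):
    n, e = pub
    # 0x01 marker keeps a leading zero byte of the message from vanishing in the
    # integer conversion (a stand-in for what a real padding scheme does properly).
    m = int.from_bytes(b"\x01" + data, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_decrypt(blob, priv):
    n, d = priv
    m = pow(int.from_bytes(blob, "big"), d, n)
    out = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if out[:1] != b"\x01":
        raise ValueError("decryption failed")
    return out[1:]

def publish_dead_drop(c2_ip, ddr_pub):
    """Operator side: the text that gets pasted to the dead drop."""
    return base64.b64encode(rsa_encrypt(c2_ip.encode(), ddr_pub)).decode()

def resolve_c2(fetchers, ddr_priv):
    """Implant side: stage 1 Base64, stage 2 RSA with the embedded private key.
    fetchers are tried in order (Dropbox then Pastebin in the older variant)."""
    for fetch in fetchers:
        try:
            return rsa_decrypt(base64.b64decode(fetch()), ddr_priv).decode()
        except Exception:        # unreachable drop, garbage paste, wrong key
            continue
    return None

def build_registration(computer_name, mac, c2_pub):
    """Implant side: 10 random bytes + computer name + hex MAC, encrypted to the C2."""
    session_id = secrets.token_bytes(10)
    blob = session_id + computer_name.encode() + mac.hex().encode()
    return session_id, base64.b64encode(rsa_encrypt(blob, c2_pub)).decode()

def parse_registration(payload, c2_priv):
    """C2 side: fixed-width fields at both ends make the split unambiguous."""
    blob = rsa_decrypt(base64.b64decode(payload), c2_priv)
    return blob[:10], blob[10:-12].decode(), bytes.fromhex(blob[-12:].decode())

if __name__ == "__main__":
    ddr_pub, ddr_priv = generate_keypair()   # ddr_priv is what the implant embeds
    c2_pub, c2_priv = generate_keypair()     # c2_pub is the implant's second key
    paste = publish_dead_drop("203.0.113.10", ddr_pub)   # documentation address

    def dropbox_fetch():                     # primary drop, simulated as unreachable
        raise OSError("dead drop unreachable")

    print("resolved C2:", resolve_c2([dropbox_fetch, lambda: paste], ddr_priv))
    sid, payload = build_registration("WS-EXAMPLE", bytes.fromhex("0a1b2c3d4e5f"), c2_pub)
    print("C2 sees:", parse_registration(payload, c2_priv))
```

Two keys, two directions: the implant holds the DDR private key (so only it can read the paste) and the C2's public key (so only the C2 can read the registration), while the operator holds the DDR public key to publish a new address and the C2 private key to accept sessions. Recovering ddr_priv from a sample is what lets an analyst keep reading the dead drop after the operators rotate the C2.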
The alert for Pastebin access is shown in Figure 5.

Figure 5. Alert triggered by suspicious Pastebin access, as seen in Cortex XDR.

AppleChris Main Functionality

Following successful C2 resolution, AppleChris enters its primary beaconing loop. To facilitate session management and command execution, the malware generates a 10-byte random sequence as a unique session identifier and concatenates it with the computer name and the hex-encoded MAC address. This registration data is RSA-encrypted and transmitted to the C2 server within the payload of an HTTP GET request, a dual-key architecture that securely shares the session key for subsequent communication. The s