Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia
Essential information
- Published: 16/03/2026 10:24
- Modified: 16/03/2026 20:28
- Tags: 2026-03-16, applechris, apt, credential harvesting, espionage, getpass, memfun
- Related entities: 1 vulnerability (CVE), 16 observables, 1 intrusion set (APT), 13 techniques (MITRE), 3 malware, 2 others
Description
A suspected Chinese state-sponsored espionage campaign targeting Southeast Asian military organizations has been identified, with activity traced back to at least 2020. Designated CL-STA-1087, the operation demonstrates strategic patience and focused intelligence collection on military capabilities and structures. The attackers deployed custom tools, including the AppleChris and MemFun backdoors and a modified Mimikatz variant called Getpass. The campaign is characterized by the use of dead drop resolvers, custom HTTP verbs, and anti-forensic techniques. Infrastructure analysis reveals long-term persistence and operational compartmentalization. The activity aligns with Chinese working hours and uses China-based cloud infrastructure, suggesting a Chinese nexus.
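The description notes that the campaign's C2 traffic used custom HTTP verbs. A simple way to surface such traffic in web-server or proxy logs is to flag any request whose method is not in the registered HTTP/WebDAV method set. The following is an added example written for this page, not tooling from the report or the intrusion set; the log lines are constructed, the addresses are documentation ranges, and the verb "ZZTEST" is a placeholder rather than the verb actually observed in CL-STA-1087.

```python
import re
from typing import Dict, List, Optional

# Methods registered for HTTP (RFC 9110) plus the WebDAV set (RFC 4918).
# Method names are case-sensitive per RFC 9110, so a lowercase "get" is
# also treated as non-standard and worth a look.
STANDARD_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})

# Apache/nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[^ "]+) (?P<path>[^ "]*) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: four ordinary requests and two with non-standard verbs.
# "ZZTEST" is a placeholder verb, not the one reported for this campaign.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2026:10:24:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [16/Mar/2026:10:24:02 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [16/Mar/2026:10:25:10 +0000] "ZZTEST /update.php HTTP/1.1" 200 512
203.0.113.9 - - [16/Mar/2026:10:26:44 +0000] "PROPFIND /dav/ HTTP/1.1" 207 2210
198.51.100.7 - - [16/Mar/2026:10:31:12 +0000] "get /favicon.ico HTTP/1.1" 404 0
203.0.113.5 - - [16/Mar/2026:10:32:00 +0000] "HEAD / HTTP/1.1" 200 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_nonstandard_methods(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request whose method is outside STANDARD_METHODS."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess at a method
        if rec["method"] not in STANDARD_METHODS:
            hits.append({
                "line": lineno,
                "src": rec["src"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
            })
    return hits


def sources_by_method(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group flagged source addresses under each odd verb, so a host that
    repeatedly uses the same non-standard method stands out from one-off noise."""
    grouped: Dict[str, List[str]] = {}
    for h in hits:
        grouped.setdefault(str(h["method"]), []).append(str(h["src"]))
    return grouped


if __name__ == "__main__":
    flagged = find_nonstandard_methods(SAMPLE_LOG.splitlines())
    for h in flagged:
        print(f'line {h["line"]}: {h["src"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(sources_by_method(flagged))
```

On the constructed sample this flags the "ZZTEST" request and the lowercase "get" and leaves the WebDAV PROPFIND alone. In practice the allow-list should be extended with any application-specific methods the monitored servers legitimately accept, and a 200 response to an unknown verb (as in the placeholder line) is more interesting than a 4xx, since it implies server-side code that understands the verb.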