Getpass
Getpass is a custom credential-harvesting malware tool and modified Mimikatz variant used in the CL-STA-1087 cyber espionage campaign targeting military organizations in Southeast Asia since at least 2020. Reporting assesses the broader operation with moderate confidence as China-aligned or China-nexus, though no specific threat group is publicly named. Getpass was used alongside the AppleChris and MemFun backdoors to support long-term intelligence collection operations focused on military capabilities, organizational structures, C4I systems, and cooperation with Western armed forces.
Based on the reporting, Getpass is a custom Mimikatz DLL or variant that opens lsass.exe memory to extract plaintext passwords, NTLM hashes, authentication tokens, and other authentication data. It targets multiple Windows authentication packages; one report states it harvested credentials from 10 packages, and another specifically names MSV, WDigest, Kerberos, and CloudAP. Those are the same logon-session providers that stock Mimikatz sekurlsa reads, so the yield per package follows the usual rules: MSV gives NT hashes, WDigest gives plaintext only where the UseLogonCredential setting keeps it cached (off by default since Windows 8.1 and Server 2012 R2), Kerberos gives tickets and keys, and CloudAP gives Entra ID (Azure AD) token material. The malware is also described as escalating privileges before attempting credential extraction, which reading LSASS requires (an administrative token with SeDebugPrivilege, or SYSTEM). Stolen credential material was written to a file named WinSAT.db to resemble a legitimate Windows system database. One account states the tool masqueraded as a Palo Alto tool, and another notes it operated under the Cyvera directory; Cyvera is the endpoint-protection vendor Palo Alto Networks acquired, so a security-agent path is exactly the kind of location that directory-based exclusions and LSASS-access allowlists tend to trust.
High-confidence associations in the source material tie Getpass to the CL-STA-1087 intrusion set documented by Palo Alto Networks Unit 42. The campaign used persistence, dormant periods, lateral movement via WMI and native Windows .NET commands, and deployment across domain controllers, web servers, IT workstations, and executive systems. While those behaviors describe the broader campaign rather than Getpass specifically, Getpass’s role within it was credential theft to facilitate access and intelligence collection.
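The two behaviours the reporting ties to Getpass, reading lsass.exe memory and dropping WinSAT.db, are both visible in Sysmon telemetry (Event ID 10 ProcessAccess and Event ID 11 FileCreate). The following hunting logic is an added example written for this page, not code from Mallory, Unit 42, or any vendor rule. The event records are constructed for the example, the allowlist and the "Cyvera"/"Palo Alto" path hints are assumptions to tune per environment, and the sample paths are placeholders rather than observed IOCs.

```python
"""Hunt for Getpass-like behaviour in Sysmon-style events (added example)."""
from typing import Dict, List, Optional

# Win32 process access-mask bits. Credential dumpers need PROCESS_VM_READ;
# 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone is routine and noisy.
PROCESS_VM_READ = 0x0010

# Assumption: images that legitimately read lsass.exe memory here. Keep it to
# full image paths; Getpass sat under a security-vendor directory, so a
# directory-based exclusion would have waved it through.
LSASS_READ_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Path fragments matching the masquerade the reporting describes. A hit only
# raises severity: the legitimate Cortex XDR agent lives under a Palo Alto
# Networks directory too, so this is a prompt to verify the binary's signature.
MASQUERADE_HINTS = ("cyvera", "palo alto")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_lsass_access(event: Dict) -> Optional[Dict]:
    """Sysmon Event ID 10: non-allowlisted image reads lsass.exe memory."""
    if event.get("EventID") != 10:
        return None
    if not _norm(event["TargetImage"]).endswith(r"\lsass.exe"):
        return None
    mask = int(event["GrantedAccess"], 16)
    if not mask & PROCESS_VM_READ:
        return None
    src = _norm(event["SourceImage"])
    if src in LSASS_READ_ALLOWLIST:
        return None
    severity = "critical" if any(h in src for h in MASQUERADE_HINTS) else "high"
    return {"rule": "lsass_read_access", "image": event["SourceImage"],
            "granted": hex(mask), "severity": severity}


def check_winsat_db(event: Dict) -> Optional[Dict]:
    """Sysmon Event ID 11: a file named WinSAT.db is created anywhere."""
    if event.get("EventID") != 11:
        return None
    if not _norm(event["TargetFilename"]).endswith(r"\winsat.db"):
        return None
    return {"rule": "winsat_db_dropped", "image": event["Image"],
            "path": event["TargetFilename"], "severity": "high"}


def hunt(events: List[Dict]) -> List[Dict]:
    """Run every check over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_lsass_access, check_winsat_db):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real IOCs): a benign limited query, an
# allowlisted reader, a VM_READ open from a "Cyvera" path, a WinSAT.db drop
# by that same image, and an unrelated file create.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Cyvera\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 11, "Image": r"C:\ProgramData\Cyvera\svc.exe",
     "TargetFilename": r"C:\ProgramData\Cyvera\WinSAT.db"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\log.txt"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample set the script returns exactly two findings: the 0x1410 open of lsass.exe from the Cyvera path (rated critical because of the masquerade hint) and the WinSAT.db drop. The 0x1000 query from Task Manager and the allowlisted csrss.exe open are ignored. In production, correlate the two rules on the same image path, as Getpass reads LSASS and then writes WinSAT.db from one process.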
Groups observed using it
1 distinct threat actor attributed by public researchers.
Attackers also used Getpass, a custom Mimikatz DLL, masquerading as a Palo Alto tool, which automatically harvests credentials from 10 Windows authentication packages by accessing lsass.exe memory.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Stealth: 1 technique
Credential Access: 3 techniques
Also put to use in the attacks is a custom version of Mimikatz known as Getpass that escalates privileges and attempts to extract plaintext passwords, NTLM hashes and authentication data directly from the "lsass.exe" process memory.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A modified Mimikatz-based credential theft tool that automatically extracts plaintext passwords, NTLM hashes, and authentication tokens from lsass.exe and stores the stolen data in a file named WinSAT.db to resemble a legitimate Windows file.
Custom Mimikatz variant used for credential harvesting. It extracts plaintext credentials, NTLM hashes, and authentication data from LSASS and stores the results in a file named WinSAT.db to resemble a legitimate Windows database.
A custom Mimikatz-based credential harvester used to dump credentials from lsass.exe memory across multiple Windows authentication packages. Stolen data is logged to WinSAT.db.
A customized credential stealing tool used in the same espionage campaign to collect credentials from targeted military organizations.