AppleChris
AppleChris is a custom Windows backdoor used in the CL-STA-1087 cyber espionage campaign targeting military organizations in Southeast Asia since at least 2020. Reporting assesses the broader activity with moderate confidence as China-aligned or China-nexus, although no specific threat group is publicly named. AppleChris was identified as a primary backdoor in the operation and was deployed in multiple Portable Executable variants, including an older Dropbox-based variant and a newer "Tunneler" variant.
AppleChris used a dead drop resolver technique to dynamically obtain command-and-control infrastructure from a shared Pastebin repository and, in earlier variants, from Dropbox. The malware retrieved encrypted C2 data, Base64-decoded it, and decrypted it using an embedded RSA-1024 private key. Some reporting also notes that AppleChris generated host-linked session identifiers and used AES to decrypt command payloads. Command-and-control communications used custom HTTP verbs.
Documented capabilities include drive and directory enumeration, file upload and download, file deletion, process enumeration, remote shell execution, silent process creation, and in some variants proxy tunneling. AppleChris was also associated with delayed execution and sandbox evasion, including sleep timers, and was deployed via DLL hijacking in some cases, including use of a malicious DLL placed in the system32 directory. Persistence in the broader campaign included creation of new Windows services.
Within CL-STA-1087, AppleChris was spread laterally using WMI and native Windows .NET commands and was deployed to domain controllers, web servers, IT workstations, and executive systems. The campaign focused on selective intelligence collection related to military capabilities, organizational structures, C4I systems, joint military activities, and collaboration with Western armed forces. Related tooling in the same operation included the MemFun backdoor and the Getpass credential harvester. A reported mutex associated with the infection chain was 0XFEXYCDAPPLE05CHRIS.
Groups observed using it
1 distinct threat actor attributed by public researchers.
CL-STA-1087 has targeted Southeast Asian military organizations since at least 2020, using AppleChris and MemFun malware.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (5 techniques)
They used Windows Management Instrumentation (WMI) and native Windows .NET commands to spread malware to domain controllers, web servers, IT workstations, and executive systems.
The campaign first came to light when endpoint security tools flagged suspicious PowerShell activity on an unmanaged endpoint within a targeted military network. By then the attackers had already established a foothold, running delayed execution scripts that connected back to multiple command-and-control (C2) servers.
AppleChris initiates contact with the C2 server to receive commands that allow it to conduct drive enumeration, directory listing, file upload/download/deletion, process enumeration, remote shell execution, and silent process creation.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (3 techniques)
According to the researchers, AppleChris evolved from the Dropbox variant into the more capable Tunneler variant, employing DLL hijacking, sandbox evasion, and delayed execution to evade detection.
Discovery (7 techniques)
The malware generates a 10-byte random sequence as a unique session identifier, which is concatenated with the computer name and hex-encoded MAC address.
AppleChris supports a range of capabilities including file operations, process enumeration, and remote shell execution, with communication conducted through custom HTTP verbs.
Lateral Movement (2 techniques)
Collection (2 techniques)
Command and Control (8 techniques)
The attackers ran delayed execution scripts that connected back to multiple command-and-control (C2) servers.
They deployed two backdoors, AppleChris and MemFun, both using custom HTTP verbs and a dead drop resolver (DDR) via Pastebin to dynamically reach C2 servers.
In addition, the Tunneler variant supports a command to activate the proxy tunneling module.
The primary backdoor, AppleChris, was deployed in multiple Portable Executable (PE) variants. These samples utilized a Dead Drop Resolver (DDR) technique to dynamically retrieve C2 infrastructure from Pastebin and, in earlier variants, Dropbox.
AppleChris, the primary backdoor, retrieved its C2 server addresses dynamically from Pastebin, and earlier versions also used Dropbox. This approach, known as a Dead Drop Resolver (DDR) technique
It resolves C2 addresses through encrypted Pastebin content, generates unique session IDs tied to host info, and executes commands for file access, remote shells, process control, and proxy tunneling, maintaining stealth and operational flexibility across the network.
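A defender-side triage example for the two C2 traits described in this section and in the overview: custom HTTP verbs, and dead drop resolution through Pastebin or Dropbox from a process that has no business talking to those services. This is added here and is not code from the Mallory page or from any vendor report; the event format, the process allow-list, and the sample events (including the XSYNC verb and the process names) are constructed assumptions.

```python
"""Flag network events that use a non-standard HTTP verb, or that reach a known
dead-drop host (Pastebin, Dropbox) from a non-browser process. Added example."""
import re
from typing import Dict, List

# Standard verbs per RFC 9110 / RFC 5789; anything else is treated as custom.
STANDARD_VERBS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                  "OPTIONS", "TRACE", "PATCH"}
# Hosts the page names as dead drop resolver locations for AppleChris.
DEAD_DROP_HOSTS = {"pastebin.com", "dropbox.com", "dl.dropboxusercontent.com"}
# Processes expected to talk to those services; an assumption for this example.
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Assumed EDR-style event format (constructed): ts host process method url
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+)$")

def parse_event(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()

def dest_host(url: str) -> str:
    # Strip scheme, path and port; lower-case for comparison.
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]

def triage(lines: List[str]) -> List[Dict[str, str]]:
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if ev["method"].upper() not in STANDARD_VERBS:
            reasons.append(f"custom HTTP verb {ev['method']}")
        host = dest_host(ev["url"])
        if any(host == d or host.endswith("." + d) for d in DEAD_DROP_HOSTS) \
                and ev["proc"].lower() not in BROWSER_LIKE:
            reasons.append(f"dead-drop host {host} from {ev['proc']}")
        if reasons:
            findings.append({"host": ev["host"], "proc": ev["proc"], "reason": "; ".join(reasons)})
    return findings

# Constructed sample events, not real telemetry; the Pastebin path is a placeholder.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z dc01 svchost.exe GET https://pastebin.com/raw/PLACEHOLDER",
    "2024-01-01T10:00:05Z ws07 chrome.exe GET https://pastebin.com/",
    "2024-01-01T10:01:00Z dc01 svchost.exe XSYNC http://203.0.113.10/upload",
    "2024-01-01T10:02:00Z web02 w3wp.exe POST https://example.org/api",
]
```

Running triage(SAMPLE_EVENTS) returns the two dc01 events (the non-browser Pastebin fetch and the custom-verb request) and ignores the browser visit and the ordinary POST.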
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A custom primary backdoor used for long-term espionage. It retrieves C2 addresses dynamically from Pastebin and earlier Dropbox using a dead drop resolver technique, decrypts connection data at runtime, and supports file operations, process enumeration, and remote shell execution via custom HTTP verbs.
Custom backdoor used in a Southeast Asia-focused espionage campaign. It retrieves C2 infrastructure via Dead Drop Resolver techniques using Pastebin and Dropbox, decodes and decrypts the data, and supports file operations, process enumeration, and remote shell execution over custom HTTP verbs.
A backdoor used in a long-term espionage campaign against Southeast Asian military organizations. It was spread via WMI and .NET commands, used DLL hijacking, sandbox evasion, delayed execution, and resolved C2 addresses through encrypted Pastebin content. It supports file access, remote shells, process control, and proxy tunneling.
A novel backdoor used in the CL-STA-1087 cyberespionage campaign against Southeast Asian military organizations. It uses dead-drop resolvers via legitimate services such as Pastebin and Dropbox, includes a two-stage decryption process to obtain C2 information, and employs evasion techniques such as delayed execution and timestomping.