China-Linked Espionage Campaigns Target Regional Government and Military Interests
Security researchers reported multiple China-linked espionage operations, but they are not the same incident. One campaign tracked by Palo Alto Networks as CL-STA-1087 targeted military organizations in Southeast Asia over several years, focusing on intelligence collection related to military capabilities, organizational structures, and cooperation with Western armed forces. The activity used custom malware including the AppleChris and MemFun backdoors and a Getpass credential harvester, alongside stable infrastructure and selective file collection consistent with long-term state-sponsored espionage.
A separate report from Zscaler described a China-nexus intrusion set targeting entities in the Persian Gulf using conflict-themed lures to deliver PlugX. That attack chain relied on a ZIP archive containing a deceptive .lnk file, which downloaded a malicious CHM file, used hh.exe for extraction, displayed a decoy PDF about Iranian missile strikes, and ultimately installed a multi-stage PlugX payload. The other references are unrelated: one is a technical review of CVE-2026-25185 in Windows shortcut handling, and another covers malicious Packagist themes shipping trojanized jQuery tied to FUNNULL infrastructure rather than the China-linked espionage activity described in the relevant reports.
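The ZIP → .lnk → CHM → hh.exe sequence described above is the kind of process chain that endpoint telemetry records well. The following is an added example, not code from the Zscaler report or any vendor: a set of Python rules over constructed, Sysmon-style process-creation events that flag hh.exe when it opens a help file from a user-writable directory, runs with the -decompile extraction switch, or spawns child processes. The event field names, the sample events and the user-writable path hints are assumptions made for this example.

```python
"""Process-tree rules for the ZIP -> LNK -> CHM -> hh.exe delivery chain.

Added example; not code from the Zscaler report. It applies three checks to
constructed, Sysmon-style process-creation events (pid, parent pid, image
path, command line). Event field names, the sample events and the path
heuristics are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Substrings of user-writable locations where a phished archive usually ends
# up after extraction. Constructed list; extend it for your environment.
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\")
# Matches a quoted or bare command-line argument that names a .chm file.
CHM_RE = re.compile(r'"([^"]+?\.chm)"|(\S+?\.chm)\b', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chm_paths(cmdline: str) -> list[str]:
    """Lower-cased .chm paths found on a command line."""
    return [(quoted or bare).lower() for quoted, bare in CHM_RE.findall(cmdline)]


def ancestry(by_pid: dict[int, ProcEvent], pid: int) -> list[str]:
    """Image names from pid up to the oldest known ancestor; cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect_chm_chain(events: list[ProcEvent]) -> list[dict]:
    """One alert per hh.exe process that trips any rule:
    1. it opens a .chm located in a user-writable directory;
    2. it is invoked with -decompile, the switch that extracts CHM contents
       (legitimate, but rare on workstations);
    3. it spawns child processes, which the HTML Help viewer has no reason to do.
    """
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    alerts = []
    for e in events:
        if basename(e.image) != "hh.exe":
            continue
        reasons = []
        if any(h in p for p in chm_paths(e.cmdline) for h in USER_WRITABLE_HINTS):
            reasons.append("opened a .chm from a user-writable path")
        if "-decompile" in e.cmdline.lower():
            reasons.append("invoked with -decompile")
        kids = children.get(e.pid, [])
        if kids:
            reasons.append("spawned " + ", ".join(basename(k.image) for k in kids))
        if reasons:
            alerts.append({"pid": e.pid, "reasons": reasons,
                           "ancestry": ancestry(by_pid, e.pid)})
    return alerts


# Constructed sample: one chain resembling the reported delivery (pids 100-400)
# and one benign help-file launch from an installed product (pid 500).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\brief\run.cmd"'),
    ProcEvent(300, 200, r"C:\Windows\hh.exe",
              r"hh.exe -decompile C:\Users\alice\AppData\Local\Temp\out "
              r"C:\Users\alice\AppData\Local\Temp\brief\brief.chm"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\out\stage.cmd"'),
    ProcEvent(500, 100, r"C:\Windows\hh.exe",
              r'hh.exe "C:\Program Files\VendorApp\manual.chm"'),
]

if __name__ == "__main__":
    for alert in detect_chm_chain(SAMPLE_EVENTS):
        print(alert)
```

The -decompile switch on its own is rare but legitimate (documentation tooling uses it), so the weight should sit on the combination of reasons; the ancestry list is there so an analyst can see at a glance whether the launch traces back to explorer.exe and an extracted archive.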
Related Stories

Chinese Espionage Campaign Targets Southeast Asian Militaries With AppleChris and MemFun
A **China-linked cyber espionage campaign** targeted military organizations in Southeast Asia, with Palo Alto Networks Unit 42 tracking the activity as **CL-STA-1087**. The operation reportedly dates back to at least 2020 and focused on **high-value intelligence collection** rather than broad data theft, including files related to military capabilities, organizational structures, official meeting records, and cooperation with Western armed forces. Researchers said the campaign showed the hallmarks of a patient, state-backed intrusion set, including tailored delivery, defense evasion, stable infrastructure, and custom malware used to maintain long-term access. The attackers used backdoors identified as **AppleChris** and **MemFun**, along with a credential harvester called **Getpass**. Unit 42 observed suspicious **PowerShell** activity that slept for six hours before establishing reverse shells to attacker-controlled C2 infrastructure, after which AppleChris variants were deployed across endpoints following lateral movement to preserve persistence and reduce detection. One additional reference briefly mentions **Chinese-nexus operators** pivoting rapidly against regional targets using conflict-themed lures, but the rest of the material is unrelated newsletter, opinion, podcast, or best-practice content rather than reporting on the same espionage operation.
Today
Chinese Espionage Campaign CL-UNK-1068 Targeting Asian Critical Infrastructure via Web Server Exploitation
Palo Alto Networks Unit 42 reported a **previously undocumented Chinese threat actor**, tracked as **CL-UNK-1068**, conducting a multi-year intrusion campaign (observed since at least 2020) against high-value organizations across **South, Southeast, and East Asia**. Targeted sectors include **aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications**, with Unit 42 assessing **moderate-to-high confidence** that the primary objective is **cyber espionage** (while not fully ruling out criminal motives). The assessment cites tool provenance, linguistic artifacts in configurations, and consistent long-term targeting of Asian critical infrastructure as key factors supporting attribution. The activity features exploitation of **internet-facing web servers** to deploy **web shells** and establish persistence across both Windows and Linux environments, using a mix of custom malware, modified open-source tools, and **living-off-the-land binaries (LOLBINs)**. Reported tooling includes **Godzilla** and **ANTSWORD** web shells, the **Xnote** Linux backdoor, and **Fast Reverse Proxy (FRP)** for tunneling/relay; post-compromise behavior includes lateral movement and targeted file theft from Windows web servers (e.g., `c:\inetpub\wwwroot`) focusing on files such as `web.config`, `.aspx`, `.asmx`, `.asax`, and `.dll`, consistent with credential access and follow-on exploitation discovery.
6 days ago
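The file types the Unit 42 report names as theft targets (web.config, .aspx, .asmx, .asax and .dll under c:\inetpub\wwwroot) double as a watch list for the web root itself, since a web shell deployment adds or alters exactly those kinds of files. As an added example, not Unit 42's code, the Python below hashes every file under a web root, then diffs a later snapshot against that baseline and reports new or modified server-executable files and any web.config change. The directory layout it builds is constructed, and the suffix set is an assumption drawn from the file types listed in the report.

```python
"""Baseline-and-diff integrity check for an IIS web root.

Added example; not Unit 42's code. It hashes every file under a web root,
compares a later snapshot against that baseline, and reports the changes most
relevant to the reported activity: new or altered server-executable files
(.aspx, .asmx, .asax, .dll) and any change to web.config. The sample tree is
constructed in a temporary directory so the example runs anywhere.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Suffixes the report lists as collection targets; assumption: these are the
# ones worth alerting on when they appear or change.
WATCHED_SUFFIXES = {".aspx", ".asmx", ".asax", ".dll"}
CONFIG_NAME = "web.config"


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            snap[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def diff_webroot(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots of the same web root."""
    findings = {"new_executable": [], "modified_executable": [],
                "config_changed": [], "removed": []}
    for rel, digest in current.items():
        name = os.path.basename(rel).lower()
        suffix = os.path.splitext(name)[1]
        if rel not in baseline:
            if suffix in WATCHED_SUFFIXES:
                findings["new_executable"].append(rel)
        elif baseline[rel] != digest:
            if name == CONFIG_NAME:
                findings["config_changed"].append(rel)
            elif suffix in WATCHED_SUFFIXES:
                findings["modified_executable"].append(rel)
    findings["removed"] = [rel for rel in baseline if rel not in current]
    return {kind: sorted(paths) for kind, paths in findings.items()}


def demo() -> dict[str, list[str]]:
    """Build a constructed web root, baseline it, apply two changes of the
    kind a web shell deployment produces, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "bin").mkdir(parents=True)
        (root / "web.config").write_text("<configuration></configuration>")
        (root / "default.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "bin" / "app.dll").write_bytes(b"MZ constructed placeholder")
        baseline = snapshot(root)

        # Constructed post-compromise changes: a new .aspx page appears and
        # web.config is edited. Neither file's content is real web shell code.
        (root / "help.aspx").write_text('<%@ Page Language="C#" %> new page')
        (root / "web.config").write_text("<configuration><!-- edited --></configuration>")
        return diff_webroot(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The theft the report describes is a read, which leaves hashes untouched, so this catches the web shell drop and configuration tampering rather than the collection itself; pair it with object-access auditing on the same paths, keep the baseline off the server so an intruder cannot rewrite it, and run the diff on a schedule.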
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
1 week ago
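Two of the Dohdoor traits in the paragraph above, DLL sideloading through signed Windows binaries and DNS-over-HTTPS to Cloudflare for C2 discovery, are each noisy on their own but distinctive together. The example below is added here and is not Cisco Talos's code: it walks constructed, Sysmon-style image-load and network-connection events, flags the named host binaries when they run outside their trusted directory and load an unsigned DLL from their own folder, and raises severity when the same process reaches a DoH resolver. The host binary names come from the paragraph; the trusted directories, the DoH endpoint list, the event fields and the sample events are assumptions.

```python
"""Correlating DLL sideloading hosts with DNS-over-HTTPS contacts.

Added example; not Cisco Talos's code. It runs over constructed, Sysmon-style
image-load and network-connection events. The sideloading host names come
from the report; the trusted directories, DoH resolver list, field names and
sample events are assumptions made for this example.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Signed Windows binaries the report names as sideloading hosts.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
# Where those binaries legitimately reside (assumption; adjust to your image).
TRUSTED_DIRS = {"c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
# Public DoH endpoints; the report cites Cloudflare. Constructed list.
DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}


@dataclass(frozen=True)
class ImageLoad:
    pid: int
    image: str    # path of the process that loaded the module
    loaded: str   # path of the loaded DLL
    signed: bool  # whether the DLL carried a valid Authenticode signature


@dataclass(frozen=True)
class NetConn:
    pid: int
    dest_host: str
    dest_port: int


def dir_of(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path.lower()) + "\\"


def find_sideloads(loads: list[ImageLoad]) -> dict[int, list[str]]:
    """pid -> reasons, for known sideload hosts running outside their trusted
    directory and loading an unsigned DLL that sits beside them."""
    hits: dict[int, list[str]] = {}
    for ev in loads:
        host = ntpath.basename(ev.image).lower()
        if host not in SIDELOAD_HOSTS:
            continue
        host_dir = dir_of(ev.image)
        if host_dir in TRUSTED_DIRS:
            continue  # the genuine binary in its expected location
        if dir_of(ev.loaded) == host_dir and not ev.signed:
            hits.setdefault(ev.pid, []).append(
                f"{host} in {host_dir} loaded unsigned {ntpath.basename(ev.loaded)}")
    return hits


def correlate(loads: list[ImageLoad], conns: list[NetConn]) -> list[dict]:
    """Raise severity when a sideloading process also talks to a DoH resolver
    over 443, matching the C2 discovery described in the report."""
    alerts = []
    for pid, reasons in sorted(find_sideloads(loads).items()):
        doh = sorted({c.dest_host.lower() for c in conns
                      if c.pid == pid and c.dest_port == 443
                      and c.dest_host.lower() in DOH_HOSTS})
        alerts.append({"pid": pid, "reasons": reasons, "doh_contacts": doh,
                       "severity": "high" if doh else "medium"})
    return alerts


# Constructed sample: pid 10 is a copied Fondue.exe loading a DLL from its own
# folder, pid 20 is the genuine mblctr.exe loading a signed system DLL.
SAMPLE_LOADS = [
    ImageLoad(10, r"C:\Users\alice\AppData\Local\Temp\upd\Fondue.exe",
              r"C:\Users\alice\AppData\Local\Temp\upd\helper.dll", signed=False),
    ImageLoad(10, r"C:\Users\alice\AppData\Local\Temp\upd\Fondue.exe",
              r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoad(20, r"C:\Windows\System32\mblctr.exe",
              r"C:\Windows\System32\powrprof.dll", signed=True),
]
SAMPLE_CONNS = [
    NetConn(10, "cloudflare-dns.com", 443),
    NetConn(20, "update.example.invalid", 443),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOADS, SAMPLE_CONNS):
        print(alert)
```

DoH to Cloudflare is routine for browsers and some operating-system resolvers, so it is kept as a severity modifier rather than a trigger; the main tuning knobs are the host list (extend it as further sideloading hosts are reported) and the trusted-directory set, which should match your gold image.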