Severity: CRITICAL
CVSS: 9.5
Priority: 0.332
Executive Summary
A suspected Chinese state-sponsored threat cluster, CL-STA-1087, has conducted targeted espionage operations against Southeast Asian military organizations since at least 2020, focusing on C4I systems and intelligence related to joint Western military collaboration. The actor deploys custom backdoors and a modified credential-harvesting tool while abusing legitimate cloud services (Pastebin, Dropbox) to evade network-level detection. Organizations supporting or allied with affected military partners face secondary exposure risk; the primary business impact is unauthorized access to sensitive strategic and operational military intelligence.
Technical Analysis
CL-STA-1087 deploys two custom backdoors, AppleChris and MemFun, alongside a modified Mimikatz variant targeting LSASS memory (T1003.001) for credential extraction.
Initial access likely leverages valid accounts (T1078).
Persistence is established via boot/logon autostart mechanisms (T1547).
The actor uses process hollowing into the legitimate Windows processes lsass.exe and dllhost.exe (T1055.012, Process Hollowing) to evade endpoint detection. DLL search order hijacking (T1574.001) supports payload delivery. Payloads are delivered modularly via ingress tool transfer (T1105). C2 communication uses web services (T1102), with Dropbox abused for command retrieval (T1102.001, Dead Drop Resolver) and Pastebin used for staging resolver data (T1583.006). The actor employs PowerShell (T1059.001), masquerading of process names (T1036.005), timestomping (T1070.006), indicator removal targeting security tools (T1562.001), file and directory discovery (T1083), and proxy-based C2 routing (T1090). Relevant weaknesses include CWE-494 (Download of Code Without Integrity Check) and CWE-426 (Untrusted Search Path), consistent with the DLL hijacking and modular payload delivery chain. No CVE identifiers are associated with this campaign; exploitation relies on tradecraft and abuse of legitimate tools rather than unpatched software vulnerabilities. Primary technical detail derives from Unit 42 research (Palo Alto Networks).
Action Checklist
Triage Priority: IMMEDIATE
Escalate immediately to the CISO and military liaison if any evidence of breach, data exfiltration, or successful lsass.exe compromise is detected; engage an external DFIR firm if the forensic scope exceeds internal team capacity or if the systems are classified or sensitive.
Step 1, Immediate: Block outbound connections to Pastebin and Dropbox at the perimeter firewall and proxy for all systems in sensitive network segments, or restrict to explicitly authorized business use cases only.
Containment
NIST 800-61r3 §3.2.3
NIST 800-53 AC-4 (Information Flow Enforcement)
NIST 800-53 SC-7 (Boundary Protection)
CIS 6.6 (Deny or Restrict Unnecessary Inbound/Outbound Network Traffic)
Compensating Control
If no proxy is available, use Windows Firewall via Group Policy to block outbound HTTPS (TCP 443) to the Pastebin (104.21.26.0/24) and Dropbox (162.125.0.0/16) ranges. Create the rule with: netsh advfirewall firewall add rule name="Block-Pastebin" dir=out action=block remoteip=104.21.26.0/24 protocol=tcp remoteport=443 (repeat for the Dropbox range), and validate it with: netsh advfirewall firewall show rule name="Block-Pastebin". Monitor with: netstat -anob every 60 seconds on critical systems.
Preserve Evidence
Capture firewall/proxy logs 7 days pre-block to establish baseline of legitimate Pastebin/Dropbox usage; export Windows Firewall blocked connection logs (Event ID 5157) to identify which processes attempted blocked destinations after rule deployment; preserve DNS query logs (Event ID 3008 on Windows DNS servers) showing resolver timestamps.
Step 2, Detection: Hunt for process hollowing indicators, audit processes where lsass.exe or dllhost.exe have unusual parent processes, unexpected network connections, or anomalous memory regions using EDR telemetry; also search for LSASS memory access events from non-system processes.
Detection & Analysis
NIST 800-61r3 §3.2.2
NIST 800-53 SI-4 (Information System Monitoring)
NIST 800-53 AU-12 (Audit Generation)
CIS 8.4 (Protect Memory from Unauthorized Access)
Compensating Control
Without EDR: (1) Enable Windows event log auditing: auditpol /set /subcategory:"Process Creation" /success:enable (required for Event ID 4688) and auditpol /set /subcategory:"SAM" /success:enable. (2) Query Event ID 4688 (Process Creation) and Sysmon Event ID 10 (ProcessAccess) for lsass.exe instances whose parent is not wininit.exe, services.exe, or winlogon.exe. (3) Use Volatility 3 (free): vol -f memory.dmp windows.handles | grep -E 'lsass|dllhost' to detect unexpected handle references. (4) Monitor 4656 events (Handle Audit) with ObjectName=*lsass* and AccessReason != SYNCHRONIZE.
Preserve Evidence
Capture a memory dump of lsass.exe before any remediation (procdump -accepteula -ma lsass.exe lsass.dmp); preserve the Windows Security event log (security.evtx) and the Sysmon operational log (Event ID 10, 3, 8); record running processes with their parents (Get-CimInstance Win32_Process | Select-Object Name, ProcessId, ParentProcessId > baseline.txt, which works on Windows PowerShell 5.1 as well as PowerShell 7); snapshot the LSASS DLL import table (dumpbin /imports C:\Windows\System32\lsass.exe).
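The hunt in Step 2, as an added example script (not from the original advisory or from Unit 42): part 1 flags Sysmon Event ID 10 records where a process outside an allowlist opened lsass.exe with a memory-read right, and part 2 flags Security Event ID 4688 records where lsass.exe or dllhost.exe was started by an unexpected parent. It assumes Sysmon with ProcessAccess logging, Process Creation auditing enabled, and Windows 10/Server 2016 or later (ParentProcessName is only present in 4688 from those builds); the two allowlists are assumptions to tune, and your EDR agent's image path must be added before use.

```powershell
function ConvertTo-EventData {
    # Flatten the EventData section of an event record into a name -> value hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[[string]$node.Name] = [string]$node.'#text' }
    return $data
}

# Images expected to open lsass.exe with read rights (assumption; add your EDR agent here)
$LsassReaderPatterns = @(
    'C:\Windows\System32\lsass.exe', 'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe', 'C:\Windows\System32\svchost.exe',
    '*\MsMpEng.exe'   # Defender engine lives under a versioned folder, hence the wildcard
)
# Expected parent of each process the actor hollows (assumption; tune per Windows build)
$ExpectedParents = @{
    'lsass.exe'   = @('C:\Windows\System32\wininit.exe')
    'dllhost.exe' = @('C:\Windows\System32\svchost.exe')
}
$Since = (Get-Date).AddDays(-7)

# Part 1: Sysmon ID 10, non-allowlisted source opening lsass.exe with PROCESS_VM_READ (0x10)
$LsassHits = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetImage -notlike '*\lsass.exe') { return }
        $mask = [Convert]::ToInt64($d.GrantedAccess, 16)        # GrantedAccess is a hex string
        if (($mask -band 0x10) -eq 0) { return }                 # no memory-read right requested
        if ($LsassReaderPatterns | Where-Object { $d.SourceImage -like $_ }) { return }
        [pscustomobject]@{ Time=$_.TimeCreated; Source=$d.SourceImage; Target=$d.TargetImage
                           GrantedAccess=$d.GrantedAccess; CallTrace=$d.CallTrace }
    }

# Part 2: Security ID 4688, lsass.exe or dllhost.exe created by a parent other than the expected one
$ParentHits = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if (-not $d.NewProcessName) { return }
        $name = Split-Path -Leaf $d.NewProcessName
        if (-not $ExpectedParents.ContainsKey($name)) { return }
        if ($ExpectedParents[$name] -contains $d.ParentProcessName) { return }
        [pscustomobject]@{ Time=$_.TimeCreated; Process=$d.NewProcessName
                           Parent=$d.ParentProcessName; User=$d.SubjectUserName }
    }

$LsassHits  | Export-Csv -NoTypeInformation lsass_access_hits.csv
$ParentHits | Export-Csv -NoTypeInformation hollowing_parent_hits.csv
"LSASS access hits: $(@($LsassHits).Count); unexpected parent hits: $(@($ParentHits).Count)"
```

Run it elevated on each endpoint in scope; a non-empty CSV is a triage lead, not a verdict, so pair each hit with the CallTrace and the on-disk image before escalating.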
Step 3, Detection: Review PowerShell execution logs (Script Block Logging, Module Logging) for encoded commands, unusual download cradles, or references to cloud storage APIs (Dropbox, Pastebin endpoints).
Detection & Analysis
NIST 800-61r3 §3.2.2
NIST 800-53 SI-4 (Information System Monitoring)
NIST 800-53 AU-2 (Audit Events)
CIS 8.4 (Command and Scripting Interpreter Logging)
Compensating Control
Enable Script Block Logging via GPO: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging = Enabled. Query Event ID 4104 (Script Block Logging) from the Microsoft-Windows-PowerShell/Operational log: Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'pastebin|dropbox|WebClient|DownloadString|Invoke-WebRequest'} | Select-Object TimeCreated, Message. Check for Base64 encoding: decode any Base64 strings found (payloads passed via -EncodedCommand decode as UTF-16LE) and inspect them for APIs such as DropboxAPI, WebClient, and HttpClient.
Preserve Evidence
Export the Microsoft-Windows-PowerShell/Operational event log (Event ID 4104, 4103, 600); capture command history from %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt for all user profiles; preserve the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging registry key; snapshot Get-History output if the session is still active; log all ShellHistoryCount entries in user registry hives.
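The Step 3 review, as an added example script (not from the original advisory): it scans Event ID 4104 script blocks for the cloud-storage and download-cradle references the step names, decoding any long Base64 token one level deep (UTF-16LE as used by -EncodedCommand, and UTF-8) before matching. The indicator regex is an assumption built from this advisory's guidance; extend it with your own patterns.

```powershell
# Indicators drawn from the advisory (cloud C2 domains and common PowerShell download cradles)
$Indicators = 'pastebin\.com|dropbox\.com|dropboxusercontent\.com|DropboxAPI|' +
              'DownloadString|DownloadFile|WebClient|HttpClient|Invoke-WebRequest|' +
              'Invoke-RestMethod|Invoke-Expression|\bIEX\b|FromBase64String'
$Base64Run  = '[A-Za-z0-9+/]{40,}={0,2}'   # long Base64-looking tokens worth decoding

function Expand-Base64Runs {
    # Emit decoded text for every long Base64 token in $Text (UTF-16LE and UTF-8 attempts)
    param([string]$Text)
    foreach ($m in [regex]::Matches($Text, $Base64Run)) {
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { continue }
        [Text.Encoding]::Unicode.GetString($bytes)
        [Text.Encoding]::UTF8.GetString($bytes)
    }
}

function Test-ScriptBlock {
    # Return the distinct indicators found in the raw text or in any decoded Base64 layer
    param([string]$Text)
    $layers = @($Text) + @(Expand-Base64Runs $Text)
    $found = foreach ($layer in $layers) {
        foreach ($m in [regex]::Matches($layer, $Indicators, 'IgnoreCase')) { $m.Value }
    }
    return @($found | Sort-Object -Unique)
}

$Filter = @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=(Get-Date).AddDays(-30) }
$Hits = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $text = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ScriptBlockText' }).'#text'
    $why  = @(Test-ScriptBlock $text)
    if ($why.Count -eq 0) { return }
    [pscustomobject]@{ Time=$_.TimeCreated; Host=$_.MachineName; Indicators=($why -join ',')
                       Preview=$text.Substring(0, [Math]::Min(120, $text.Length)) }
}
$Hits | Sort-Object Time | Export-Csv -NoTypeInformation ps_cloud_c2_hits.csv
"Flagged script blocks: $(@($Hits).Count)"
```

Because the scan itself is logged as a 4104 event, expect one hit whose Preview is this script; exclude it by timestamp rather than loosening the patterns.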
Step 4, Assessment: Inventory Windows endpoints in environments with any connection to Southeast Asian government, defense, or military partners; prioritize those with access to C4I, joint exercise planning, or Western military collaboration data.
Preparation
NIST 800-61r3 §3.1 (Preparation Phase)
NIST 800-53 CM-2 (Baseline Configuration)
NIST 800-53 IA-4 (Identifier Management)
CIS 1.1 (Establish and Maintain Detailed Asset Inventory)
Compensating Control
Without CMDB: (1) Query Active Directory for relevant OUs: Get-ADComputer -SearchBase 'OU=Military,OU=Defense' -Filter * | Select-Object Name, IPv4Address, OperatingSystem > inventory.csv. (2) Cross-reference IP geolocation and subnet ownership logs (check DHCP scope assignments). (3) Interview network/data owners to identify systems storing: *C4I*, *exercise*, *joint operation*, *coalition*, *ITAR*, *EAR* data via file share audits (e.g., DIR /S \\server\*C4I* for Windows file servers). (4) Check DNS resolution history for military-related internal domains; query DNS logs for 30-day historical record: Get-DnsServerQueryStatistics.
Preserve Evidence
Preserve current Active Directory snapshot (ntdsutil snapshot create; then backup database files); capture network device configs (router ACLs, VLAN assignments) showing data segment isolation; log current SMB shares and NTFS permissions (Get-SmbShare | Get-SmbShareAccess); record user group memberships for military/sensitive data access; snapshot firewall rule sets and access control lists protecting sensitive subnets.
Step 5, Assessment: Audit DLL load paths for critical executables to identify DLL search order hijacking opportunities (T1574.001); validate integrity of DLLs loaded by high-value processes against known-good baselines.
Detection & Analysis
NIST 800-61r3 §3.2.2
NIST 800-53 SI-7 (Software, Firmware, and Information Integrity)
NIST 800-53 CM-5 (Access Restrictions for Change)
CIS 2.6 (Ensure Minimal Legitimate DLL Prefetching Occurs)
Compensating Control
Use the free Sysinternals Sigcheck: sigcheck -v C:\Windows\System32\lsass.exe > baseline_lsass.txt to capture signer details and hashes. Compare against pristine media: mount the Windows installation media and run the same command against the reference binary. Check for unsigned DLLs: Get-Item C:\Windows\System32\*.dll | Where-Object {(Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid'} > unsigned_dlls.txt. Monitor DLL load events via Sysmon Event ID 7 (Image Loaded): wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*[System[EventID=7]]" /f:text /rd:true | findstr /I "lsass.exe dllhost.exe". Validate DLL hashes against NIST NSRL or VirusTotal.
Preserve Evidence
Capture the baseline DLL load order pre- and post-patch (Sigcheck snapshots); preserve the Sysmon operational log with Image Load events (Event ID 7); document the current DLL search order via the registry (HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs); snapshot NTFS file permissions on the System32 and SysWOW64 directories; preserve file timestamps (Get-Item -Force C:\Windows\System32\*.dll | Select-Object Name, LastWriteTime, Length > dll_inventory.txt).
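The Step 5 audit, as an added example script (not from the original advisory): it reads Sysmon Event ID 7 records for lsass.exe and dllhost.exe, flags DLLs loaded from outside the trusted system directories or without a valid signature, and then re-verifies each flagged file on disk and records its SHA256 for the NSRL or VirusTotal lookup the step calls for. It assumes Sysmon is logging ImageLoad for these two processes; the trusted-directory list is an assumption to extend per build.

```powershell
$WatchedProcesses = @('lsass.exe', 'dllhost.exe')
$TrustedDirs = @('C:\Windows\System32\', 'C:\Windows\SysWOW64\', 'C:\Windows\WinSxS\',
                 'C:\Windows\assembly\', 'C:\Windows\Microsoft.NET\')   # assumption: extend per build

function Get-EventData {
    # Flatten the EventData section of an event record into a name -> value hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }
    return $d
}

function Test-TrustedPath {
    # True when the path sits under one of the trusted system directories (case-insensitive)
    param([string]$Path)
    foreach ($dir in $TrustedDirs) { if ($Path.StartsWith($dir, 'OrdinalIgnoreCase')) { return $true } }
    return $false
}

$Filter = @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=7; StartTime=(Get-Date).AddDays(-7) }
$Suspect = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    if (-not $d.Image) { return }
    if ($WatchedProcesses -notcontains (Split-Path -Leaf $d.Image)) { return }
    $reasons = @()
    if (-not (Test-TrustedPath $d.ImageLoaded)) { $reasons += 'outside trusted dirs' }
    if ($d.Signed -ne 'true')                     { $reasons += 'unsigned' }
    if ($d.SignatureStatus -ne 'Valid')           { $reasons += "signature $($d.SignatureStatus)" }
    if ($reasons.Count -eq 0) { return }
    # Re-check the file as it exists now: a DLL swapped after the load shows up as a mismatch
    # between the hashes recorded in the event and the current on-disk hash.
    $onDisk = if (Test-Path -LiteralPath $d.ImageLoaded) {
        [pscustomobject]@{
            Sha256 = (Get-FileHash -LiteralPath $d.ImageLoaded -Algorithm SHA256).Hash
            Status = (Get-AuthenticodeSignature -LiteralPath $d.ImageLoaded).Status
        }
    } else { [pscustomobject]@{ Sha256 = 'missing'; Status = 'missing' } }
    [pscustomobject]@{
        Time = $_.TimeCreated; Process = $d.Image; Dll = $d.ImageLoaded
        EventHashes = $d.Hashes; OnDiskSha256 = $onDisk.Sha256; OnDiskSignature = $onDisk.Status
        Reasons = ($reasons -join '; ')
    }
}
$Suspect | Sort-Object Time | Export-Csv -NoTypeInformation dll_load_audit.csv
"Suspicious DLL loads: $(@($Suspect).Count)"
```

A DLL that is flagged only as "outside trusted dirs" but carries a valid Microsoft signature is usually a vendor component; one loaded from a user-writable directory, or whose on-disk hash no longer matches the event, is the case worth escalating.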
Step 6, Communication: If your organization supports or is partnered with affected regional military entities, notify your security leadership and relevant intelligence-sharing partners (ISAC, CISA liaison if applicable) of potential secondary targeting risk.
Post-Incident
NIST 800-61r3 §3.2.6 (Post-Incident Activity — Sharing Information)
NIST 800-53 IR-6 (Incident Reporting)
NIST 800-53 IR-4 (Incident Handling)
CIS 19.1 (Establish and Maintain a Formal Incident Response Process)
Compensating Control
Document findings in incident report following template: [Affected Org Name] | Exposure Window | Indicators Observed | Mitigation Taken | Date Notified | Contact (name/email/phone). Send via secure channels (CISA portal, encrypted email, secure phone line if classified). If no formal ISAC membership, contact CISA directly: cisa.gov/report or call CISA 24/7 operations (1-888-282-0870). Maintain notification audit trail with signed receipts.
Preserve Evidence
Preserve incident report with IOCs (file hashes, C2 IPs, domains, file paths); capture timeline of detection (initial alert timestamp, confirmation steps, assessment completion); document communication log with timestamps and recipients; preserve any indicators or TTPs shared back by intelligence partners; maintain signed acknowledgment of receipt from leadership and external parties.
Step 7, Long-term: Implement application allowlisting on sensitive systems to block unauthorized payload execution; enforce Credential Guard on Windows endpoints to protect LSASS memory from direct access; review and harden cloud service egress policies using a zero-trust outbound traffic model aligned to NIST SP 800-207.
Recovery
NIST 800-61r3 §3.2.5 (Recovery); NIST 800-207 (Zero Trust Architecture)
NIST 800-53 CM-7 (Least Functionality)
NIST 800-53 AC-3 (Access Enforcement)
NIST 800-53 SC-7 (Boundary Protection)
CIS 2.1 (Maintain and Enforce Application Allowlists)
CIS 6.6 (Deny or Restrict Unnecessary Inbound/Outbound Network Traffic)
Compensating Control
(1) Application allowlisting (free): Windows Defender Application Guard (WDAG) for isolated execution; AppLocker (built-in): Set-AppLockerPolicy -XmlPolicy C:\applock_policy.xml (requires Server 2012 R2+). For legacy systems, use SRP (Software Restriction Policy) via GPO: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies. (2) Credential Guard (free on Pro/Enterprise): enable via the registry: reg add HKLM\System\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 1, or via Group Policy: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. (3) Zero-trust egress: restrict all outbound traffic to an explicit allowlist via Windows Firewall with Advanced Security (WFAS). Because WFAS evaluates block rules before allow rules, a catch-all block rule would also defeat the exceptions added after it; instead set the default outbound action to block: netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound, then add allow rules for required destinations, e.g. netsh advfirewall firewall add rule name="Allow-DNS" dir=out action=allow protocol=udp remoteport=53 (and the same rule with protocol=tcp).
Preserve Evidence
Pre-implementation: baseline the currently allowed/blocked executables (Get-AppLockerPolicy -Effective > baseline_applocker.xml); capture Credential Guard status (Get-ComputerInfo | Select-Object DeviceGuardSecurityServicesConfigured, DeviceGuardSecurityServicesRunning); log the current egress firewall rules (netsh advfirewall firewall show rule name=all dir=out). Post-implementation: capture the AppLocker event log (Event ID 8004, policy applied); monitor Credential Guard events (Event ID 5379, successful initialization); log the firewall rule application timestamp and the number of blocked connections (netsh advfirewall firewall show rule name=all dir=out | findstr "Block").
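The egress and Credential Guard parts of Step 7 (and the perimeter block of Step 1) done with the built-in NetSecurity module instead of netsh, as an added example (not from the original advisory). It sets the profile default outbound action to Block after the allow rules exist, which is the lever that works since WFAS evaluates block rules ahead of allow rules; the resolver, proxy and update-server addresses are constructed placeholders, and the script should be run in a maintenance window with console access because a wrong allowlist cuts the host off.

```powershell
$DnsServers  = @('10.0.0.53', '10.0.1.53')   # placeholder: internal resolvers (constructed)
$ProxyServer = '10.0.2.8'                    # placeholder: web proxy, HTTP CONNECT on 8080
$WsusServer  = '10.0.2.9'                    # placeholder: update server
$Profiles    = 'Domain', 'Private', 'Public'

# 1. Allow rules first so nothing breaks between steps. The built-in "Core Networking" rules
#    (DHCP etc.) stay in place; domain traffic to DCs belongs in a separate site-specific rule set.
New-NetFirewallRule -DisplayName 'Egress-Allow-DNS-UDP' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers -Profile $Profiles
New-NetFirewallRule -DisplayName 'Egress-Allow-DNS-TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 53 -RemoteAddress $DnsServers -Profile $Profiles
New-NetFirewallRule -DisplayName 'Egress-Allow-Proxy' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 8080 -RemoteAddress $ProxyServer -Profile $Profiles
New-NetFirewallRule -DisplayName 'Egress-Allow-WSUS' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 8530, 8531 -RemoteAddress $WsusServer -Profile $Profiles

# 2. Flip the default: anything not explicitly allowed above is now dropped and logged.
#    Direct connections to pastebin.com or dropbox.com from an endpoint therefore fail
#    unless they go through the proxy, where they can be policy-controlled and logged.
Set-NetFirewallProfile -Name $Profiles -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Confirm the policy took effect and record the resulting rule set as evidence
Get-NetFirewallProfile -Name $Profiles | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Enabled True |
    Select-Object DisplayName, Action, Profile |
    Export-Csv -NoTypeInformation egress_rules_after.csv

# 4. Credential Guard: the DeviceGuard WMI class reports running services;
#    SecurityServicesRunning contains 1 when Credential Guard is active (2 is HVCI)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$credGuardOn = $dg.SecurityServicesRunning -contains 1
"Credential Guard running: $credGuardOn"
```

The blocked-connection log named in step 2 is what to review after rollout: processes repeatedly hitting blocked destinations are either a missing business allow rule or exactly the egress behaviour Step 2 and the Detection Guidance describe.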
Recovery Guidance
Post-eradication: (1) Re-image all confirmed-compromised systems from clean, verified media; validate restoration against golden baselines. (2) Reset all credentials with administrative access to affected systems and data repositories; force password change for all users in sensitive network segments. (3) Conduct 30-day enhanced monitoring (daily log review, weekly endpoint EDR summary) to detect post-remediation reinfection; maintain incident-related YARA rules and IOCs in detection tooling for 90 days minimum.
Key Forensic Artifacts
Windows Event Log Security (4688 Process Creation, 4656/4663 Handle Audit, 10 Sysmon ProcessAccess, 3 Sysmon Network Connection)
PowerShell Operational/Analytic logs (Event ID 4104 Script Block Logging, 4103 Module Logging, 600 Engine State)
LSASS.exe memory dump and full-disk forensic image of affected systems; registry hives (HKEY_LOCAL_MACHINE\Software, HKEY_CURRENT_USER\Software, Amcache.hve, ShimCache)
Firewall/proxy egress logs with timestamps, source IP, destination, port, and user context; DNS query logs (Event ID 3008 Windows DNS, full DNS packet capture if available)
Dropbox/Pastebin account access logs (if accessible via law enforcement; ISP-level traffic captures showing C2 communication patterns and timing); file system artifacts (MFT, $J journal, thumbnail cache, prefetch files, recent files)
Detection Guidance
Focus detection efforts on four behavioral clusters.
LSASS abuse: Alert on any process other than lsass.exe itself, the Windows Security subsystem, or your approved EDR agent reading LSASS memory (Windows Security Event ID 4656/4663 with an object name containing lsass.exe; Sysmon Event ID 10).
Process hollowing in dllhost.exe or lsass.exe: Look for instances where the executable image path does not match the expected on-disk binary, or where network connections originate from these processes to external IPs or cloud service domains.
Cloud C2 abuse: Monitor DNS queries and HTTP/S connections to pastebin.com, dropbox.com, and dl.dropboxusercontent.com from endpoints that do not have a documented business need; flag high-frequency or scripted access patterns. Specific pattern: PowerShell or cmd.exe initiating connections to these domains should be treated as high-confidence suspicious activity.
DLL hijacking: Use Sysmon Event ID 7 (ImageLoad) to find unsigned or unexpected DLL loads in the directories of high-value executables; cross-reference against process creation chains.
Behavioral IOC summary: process hollowing into lsass.exe or dllhost.exe; PowerShell downloading from Pastebin or Dropbox URLs; LSASS memory reads from non-system processes; DLL loads from writable user directories; persistence entries in Run keys or scheduled tasks pointing to unusual paths.
Note: As of publication of the primary Unit 42 research, no file hashes, IPs, or domains for AppleChris or MemFun were publicly disclosed. Operators should consult the Unit 42 research publication directly for any indicators released subsequently.
Indicators of Compromise (3)
Type | Value | Context | Confidence
DOMAIN | pastebin.com | Abused as a dead drop resolver for C2 configuration retrieval by CL-STA-1087; a legitimate service weaponized rather than a malicious domain, so flag anomalous access patterns from endpoints, not the domain itself | medium
DOMAIN | dropbox.com | Abused for C2 command retrieval (T1102.001); monitor for scripted or high-frequency access from non-user-interactive processes | medium
DOMAIN | dl.dropboxusercontent.com | Dropbox content delivery subdomain used in the C2 retrieval chain; monitor alongside dropbox.com | medium
Compliance Framework Mappings
MITRE ATT&CK: T1070.006, T1071.001, T1078, T1055.012, T1090, T1574.001 (10 more not shown)
NIST 800-53: AC-2, AC-6, IA-2, IA-5, CM-7, SI-3 (5 more not shown)
MITRE ATT&CK Mapping
T1078: Valid Accounts (defense-evasion)
T1090: Proxy (command-and-control)
T1547: Boot or Logon Autostart Execution (persistence)
T1102: Web Service (command-and-control)
T1036.005: Match Legitimate Resource Name or Location (defense-evasion)
T1083: File and Directory Discovery (discovery)
T1105: Ingress Tool Transfer (command-and-control)
T1102.001: Dead Drop Resolver (command-and-control)
T1562.001: Disable or Modify Tools (defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.