{
	"id": "71062681-c032-43fd-842a-6a1547be1692",
	"created_at": "2026-04-06T00:12:08.522626Z",
	"updated_at": "2026-04-10T03:36:45.574682Z",
	"deleted_at": null,
	"sha1_hash": "8174cb9faa2ed91a2cdb6f90ce8a56caa04fed97",
	"title": "Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1063247,
	"plain_text": "Suspected China-Based Espionage Operation Against Military\r\nTargets in Southeast Asia\r\nBy Lior Rochberger, Yoav Zemah\r\nPublished: 2026-03-12 · Archived: 2026-04-05 17:48:29 UTC\r\nExecutive Summary\r\nWe identified a cluster of malicious activity targeting Southeast Asian military organizations, suspected with\r\nmoderate confidence to be operating out of China. We designate this cluster as CL-STA-1087, with STA\r\nrepresenting our assessment that the activity is conducted by state-sponsored actors. We traced this activity back to\r\nat least 2020.\r\nThe activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection,\r\nrather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific\r\nfiles concerning military capabilities, organizational structures and collaborative efforts with Western armed\r\nforces.\r\nThe objective-oriented tool set used in the malicious activity includes several newly discovered assets: the\r\nAppleChris and MemFun backdoors, and a custom Getpass credential harvester.\r\nThis persistent espionage campaign against regional military entities is characterized by the deployment of\r\ncustom-developed tools and highly stable operational infrastructure. 
We share our analysis of the attackers’\r\nmethods and tools to help defenders detect and protect against these advanced attacks.\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts and services:\r\nAdvanced URL Filtering and Advanced DNS Security\r\nAdvanced WildFire\r\nCortex XDR and XSIAM\r\nCortex Cloud\r\nCortex Cloud Identity Security\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nPlaying the Long Game\r\nThe investigation began after Cortex XDR agents, newly deployed across the environment, detected suspicious\r\nPowerShell activity indicating an existing compromise. The detection revealed an ongoing attack targeting\r\nhttps://origin-unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/\r\nPage 1 of 15\n\nmultiple endpoints within the network. Attackers established persistence on an unmanaged endpoint that they used\r\nto execute malicious PowerShell scripts remotely across selected systems. The script content is shown in Figure 1.\r\nFigure 1. The decoded PowerShell script that was passed as a command-line argument.\r\nThe PowerShell scripts were designed to sleep for six hours (21,600 seconds) and then create reverse shells to one\r\nof four command and control (C2) servers:\r\n154.39.142[.]177\r\n154.39.137[.]203\r\n8.212.169[.]27\r\n109.248.24[.]177\r\nOur analysis of the timeline and script deployment patterns indicated that this was part of an established intrusion\r\nalready in progress. The initial infection vector remains undetermined. Following the identification of the\r\npersistence mechanism, the environment appeared to be dormant for several months, with no observable malicious\r\nactivity. 
We assess that the attackers deliberately maintained their foothold in the environment, waiting for an\r\nopportune moment to resume their operations.\r\nReturning to the Network\r\nWhen the attackers renewed active operations from the unmanaged endpoint, multiple security alerts were\r\ntriggered, as Figure 2 shows.\r\nFigure 2. Alerts triggered by CL-STA-1087 activity, as seen in Cortex XDR.\r\nThe alerts indicated the deployment of several malicious tools and suspicious activity across the compromised\r\nenvironment including outbound C2 communications, lateral movement and persistence.\r\nSpreading Across the Network\r\nThe renewed campaign began with attackers delivering an initial backdoor payload from the unmanaged endpoint\r\nto a server in the environment. We named this backdoor AppleChris, after the 0XFEXYCDAPPLE05CHRIS\r\nmutex that forms part of the malware infection chain. From this initial foothold, the attackers orchestrated a\r\nsystematic spread across the network. They used a combination of Windows Management Instrumentation (WMI)\r\nand native Windows .NET commands to deploy malware to additional endpoints, as Figure 3 shows.\r\nFigure 3. AppleChris causality chain.\r\nThe attackers targeted critical network infrastructure components:\r\nDomain controllers\r\nWeb servers\r\nIT workstations\r\nExecutive-level assets\r\nTo establish persistence, the attackers created a new service to facilitate payload execution. They also carried out\r\nDLL hijacking by storing a malicious DLL in the system32 folder and registering it to be loaded by an existing\r\nshadow copy service.\r\nWhile the core of the AppleChris malware remained consistent throughout the campaign, the attackers deployed\r\ndifferent variants across target endpoints. 
This approach was likely taken to maintain persistence across diverse\r\nsystem configurations and to evade detection by varying their operational signatures. The list of variants observed\r\nand analyzed is available in the New and Undocumented Tools section.\r\nStrategic Intelligence Collection\r\nAfter moving laterally through the network and establishing persistence, the attackers began to collect data. We\r\nobserved highly selective searches for sensitive files related to:\r\nOfficial meeting records\r\nJoint military activities\r\nDetailed assessments of operational capabilities\r\nThe attackers showed particular interest in files related to military organizational structures and strategy, including\r\ncommand, control, communications, computers and intelligence (C4I) systems.\r\nNew and Undocumented Tools\r\nDuring our investigation, we identified two different backdoors deployed by the attackers: AppleChris and\r\nMemFun. The backdoors differ in functionality and capabilities but share a common pattern: Both use custom\r\nHTTP verbs and the dead drop resolver (DDR) technique to access a shared Pastebin account. Figure 4 shows that\r\nboth backdoors use the same Pastebin repository to resolve their respective C2 addresses.\r\nFigure 4. The different types of malware that use the same DDR technique.\r\nAppleChris Backdoor\r\nOur analysis revealed multiple variants of the AppleChris backdoor. We recovered different types of Portable\r\nExecutable (PE) files and categorized them into two primary variants, based on their functionality and compilation\r\ntimestamp. 
The variants share similar core backdoor functionality but differ in their DDR implementation\r\nstrategies:\r\nDropbox variant\r\nThe initial iteration represents the earlier development phase, with the filename swrpv.sys\r\nThe Dropbox variant implements a dual DDR approach:\r\nUsing an attacker-controlled Dropbox account as the primary DDR source\r\nFalling back to a Pastebin-based DDR as a secondary option\r\nTunneler variant\r\nThe more recent variant with expanded capabilities, using the following names:\r\nswrpv.sys\r\nupdate.exe\r\nGoogleupdate.exe\r\nThe Tunneler variant represents a streamlined evolution that consolidates to a single Pastebin-based\r\nDDR, while introducing advanced network proxy capabilities\r\nAt the time of our investigation, both variants were still in use. A detailed comparison table of notable features of\r\nboth variants is available in Appendix A.\r\nThe following analysis focuses on the more recent Tunneler variant and demonstrates the full spectrum of\r\nAppleChris capabilities.\r\nInitial Execution and Evasion\r\nAppleChris enables flexible deployment through multiple PE variants. While some variants operate as standalone\r\nexecutables, others are deployed as DLLs, using various persistence techniques.\r\nIn several observed instances, the attackers performed DLL hijacking by placing the malicious swprv32.sys\r\nAppleChris DLL in the system32 directory. Subsequently, they established persistence by registering the malicious\r\nDLL as a component of the Volume Shadow Copy Service. 
This allowed the malware to leverage elevated\r\nprivileges while masquerading as a legitimate Windows process to evade detection.\r\nTo bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime.\r\nThese variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL),\r\neffectively outlasting the typical monitoring windows of automated sandboxes. Single-instance execution is\r\nenforced via the 0XFEXYCDAPPLE05CHRIS mutex, which causes the process to terminate if another instance is\r\ndetected.\r\nC2 Resolution Using DDR\r\nAppleChris employs a DDR technique to dynamically resolve its C2 server IP address. This approach effectively\r\nevades static block lists and hard-coded indicators-of-compromise (IoC) detection. It also provides operational\r\nflexibility, allowing threat actors to modify C2 infrastructure without redeploying malware.\r\nThe backdoor accesses a specific Pastebin URL to retrieve the encrypted C2 IP address. The retrieved content\r\nundergoes a two-stage decryption process:\r\nThe raw text is Base64-decoded\r\nThe decoded text is decrypted using an embedded RSA-1024 private key\r\nThis cryptographic approach ensures that even if the Pastebin account is discovered, the actual C2 server\r\ninformation remains protected, as the corresponding private key is embedded within the malware. The alert for\r\nPastebin access is shown in Figure 5.\r\nFigure 5. Alert triggered by suspicious Pastebin access, as seen in Cortex XDR.\r\nAppleChris Main Functionality\r\nFollowing successful C2 resolution, AppleChris enters its primary beaconing loop. To facilitate session\r\nmanagement and command execution, the malware generates a 10-byte random sequence as a unique session\r\nidentifier, which is concatenated with the computer name and hex-encoded MAC address. 
This registration data is\r\nRSA-encrypted and transmitted to the C2 server within the payload of an HTTP GET request, demonstrating a\r\ndual-key architecture that securely shares the session key for subsequent communication.\r\nThe server’s response contains the command payload, which is then decrypted using AES. The 10-byte session ID,\r\npadded with 14 zeros, serves as the key. A hard-coded initialization vector embedded in the binary is also used:\r\n[SessionID (10 bytes)] + [0xFF (14 bytes)]\r\nThe malware implements a comprehensive command dispatcher that interprets single-byte command identifiers to\r\nexecute a wide range of backdoor functionality, including:\r\nDrive enumeration\r\nDirectory listing\r\nFile upload, download and deletion\r\nProcess enumeration\r\nRemote shell execution\r\nSilent process creation\r\nIn addition, the Tunneler variant supports a command to activate the proxy tunneling module.\r\nEach command response utilizes custom HTTP requests as communication parameters (PUT, POT, DPF, UPF,\r\nCPF, LPF) to facilitate command tracking and response handling. An example is shown in Figure 6 below. The\r\nfull list is provided in Appendix B.\r\nFigure 6. An example of the custom HTTP verb used by the malware, as seen in IDA Pro\r\ndecompiler.\r\nMemFun Backdoor\r\nMemFun is multi-stage malware that consists of three components:\r\nInitial loader named GoogleUpdate.exe\r\nIn-memory downloader\r\nFinal payload – a DLL retrieved from the C2 server containing the MemFun export\r\nAfter the initial dropper execution, the entire attack chain operates in memory, employing evasion techniques and\r\nreflective loading. The loader's primary purpose is to establish communication with the C2 server and download\r\nan additional DLL that contains an exported MemFun function. This function is then executed to initiate the main\r\nbackdoor. 
Since the final payload is retrieved from the C2 server, attackers can deploy different modules based on\r\ntheir objectives, making MemFun a modular malware platform rather than a static backdoor.\r\nThe MemFun execution chain is illustrated in Figure 7.\r\nFigure 7. MemFun execution chain.\r\nInitial Execution and Anti-Forensic Evasion\r\nThe execution chain begins with the MemFun dropper, which immediately runs anti-forensic checks to avoid\r\ndetection. Upon execution, the dropper performs timestomping. It retrieves the creation timestamp of the\r\nWindows System directory and sets its own file creation timestamp to match it, making the malware appear to be\r\nthe same age as legitimate system files.\r\nRather than writing additional files to disk, the dropper employs process hollowing to inject its payload into\r\nmemory. It launches dllhost.exe in a suspended state and decrypts an embedded shellcode payload using the XOR\r\nkey 0x25. The decrypted shellcode is then injected into the suspended process, which is resumed to execute the\r\nmalicious code. This technique ensures that the malicious code runs under the guise of a legitimate Windows\r\nprocess, while leaving no additional artifacts on disk.\r\nShellcode Bootstrap and Reflective Loading\r\nThe injected shellcode functions as a loader that locates itself in memory and scans to find the embedded MemFun\r\nLoader DLL.\r\nThe shellcode performs reflective DLL loading. Before transferring execution to the MemFun Loader, the\r\nshellcode implements another anti-forensics measure: zeroing the first 4 KB of allocated memory, to erase DOS\r\nand PE headers. 
This makes the loaded module invisible to memory analysis tools that rely on header signatures.\r\nC2 Discovery and Final Payload Retrieval\r\nThe MemFun in-memory downloader initializes with multiple evasion techniques, including the creation of a\r\nmutex named GOOGLE and anti-debug measures to evade analysis. The downloader performs token\r\nimpersonation to steal and impersonate logged-on user credentials, allowing it to inherit user proxy settings and\r\nbypass network restrictions that might block system-level processes.\r\nCommunication with the C2 server uses HTTP requests with a custom pattern Q instead of the standard\r\nGET/POST commands, targeting the /DL1 resource to download the final payload. The requests also include\r\ndistinctive headers such as Get: 0 and User-Agent: MyIE.\r\nThe downloader implements session-specific encryption by generating a unique 24-byte Blowfish key for each\r\nexecution. This dynamically generated key is sent to the C2 server via the HTTP Cookie header, allowing the\r\nserver to encrypt the backdoor payload specifically for that execution session. Upon receiving the encrypted\r\nMemFun backdoor from the /DL1 resource, the loader decrypts the payload using its unique session key. It then\r\nperforms reflective loading to execute the backdoor in memory by calling the exported MemFun function.\r\nGetpass, a Custom Modified Mimikatz Variant\r\nIn addition to the two backdoors, our analysis revealed a custom credential-harvesting tool. We have designated\r\nthis tool Getpass, reflecting the internal getpass name utilized by the attackers. Getpass is a custom version of\r\nMimikatz, packaged as a standalone DLL that attempts to masquerade as a legitimate Palo Alto Networks tool\r\nunder the Cyvera directory, as Figure 8 shows.\r\nFigure 8. 
Getpass execution through AppleChris.\r\nUpon execution, the malware’s vncpass function escalates privileges by acquiring SeDebugPrivilege. It then\r\nsystematically targets 10 specific Windows authentication packages, including MSV, WDigest, Kerberos and\r\nCloudAP. The malware attempts to extract plaintext passwords, NTLM hashes and authentication data directly\r\nfrom the lsass.exe process memory. Unlike standard Mimikatz, which provides an interactive console, this variant\r\nautomatically runs its credential-harvesting routine and logs the stolen data to a file named WinSAT.db, which\r\nmasquerades as a legitimate Windows system database.\r\nThe Attackers' Infrastructure: Persistent, Segmented and Scalable\r\nThe infrastructure behind CL-STA-1087 reveals insights into the entire operation's scope and longevity. File\r\ntimestamps, Pastebin creation dates and malware compilation times all trace back to 2020, indicating a long-running campaign. The timestamps for the Pastebin account creation and the pastes are shown in Figure 9.\r\nFigure 9. The Pastebin account pastes.\r\nThe presence of multiple C2 IP addresses in the Pastebin pages indicates operational compartmentalization,\r\nallowing the actor to rotate infrastructure based on the target's profile.\r\nOur analysis suggests that the attackers maintained communication with multiple compromised networks over an\r\nextended period, leveraging Pastebin and Dropbox for C2 distribution. Notably, while the AppleChris Dropbox\r\nsamples we encountered appeared to be older than the Tunneler samples, they were still functional and in active\r\nuse at the time of our investigation. 
Evidence suggests the threat actor behind the activity cluster continues to\r\nupdate their Dropbox account with updated infrastructure files.\r\nConnection to the Chinese Nexus\r\nWe identified multiple indications that this activity was conducted by a threat actor affiliated with the Chinese\r\nnexus.\r\nActivity Time Frame\r\nOur analysis of command execution timestamps and interactive session logs revealed the attackers’ operational\r\nschedule. By examining hands-on-keyboard activity originating from both backdoors and the unmanaged endpoint\r\nover multiple weeks, we identified distinct temporal patterns in their operations.\r\nThe data revealed that malicious activities consistently occurred during business hours, specifically aligning with\r\na UTC+8 time zone schedule. As Figure 10 illustrates, the periods of activity align with typical office hours across\r\nseveral Asian regions, including China.\r\nFigure 10. Activity time chart in UTC and UTC+8 times.\r\nVictimology and Motivation\r\nThe threat actor targets military organizations in Southeast Asia. We observed specific searches for military-related information.\r\nInfrastructure and Linguistics\r\nThe attackers used China-based cloud network infrastructure for their C2 servers. We also observed that the login\r\npage of one of the C2 servers was written in Simplified Chinese.\r\nConclusion\r\nThe activity cluster CL-STA-1087 is a suspected espionage campaign operating out of China and targeting\r\nmilitary organizations across Southeast Asia. The threat actor behind the cluster demonstrated operational patience\r\nand security awareness. 
They maintained dormant access for months while focusing on precision intelligence\r\ncollection and implementing robust operational security measures to ensure campaign longevity.\r\nThe backdoors used in this campaign operate on shared infrastructure and employ evasion methods such as Dead\r\nDrop Resolver. These techniques demonstrate the attackers’ long-term commitment to their objectives and\r\nmeticulous attention to operational security practices that are designed to maintain persistent access.\r\nWe encourage security practitioners to leverage the indicators and analysis provided in this article to enhance\r\ndetection capabilities, and to strengthen defensive postures against advanced persistent threats targeting critical\r\nmilitary infrastructure and strategic assets.\r\nPalo Alto Networks Protection and Mitigation\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\nactivity cluster:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the AppleChris and\r\nMemFun samples mentioned in this article as malicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify known network IoCs associated with this\r\nactivity as malicious.\r\nCortex XDR and XSIAM help to prevent the threats described above, by employing the Malware\r\nPrevention Engine. This approach combines several layers of protection, including Advanced WildFire,\r\nBehavioral Threat Protection and the Local Analysis module, designed to prevent both known and\r\nunknown malware from causing harm to endpoints.\r\nThe use of a legitimate cloud service to host C2 infrastructure indicates the potential for the actor behind\r\nCL-STA-1087 to use cloud-native operations. 
Cortex Cloud customers are better protected through the\r\nproper placement of Cortex Cloud XDR endpoint agent and serverless agents within a cloud environment.\r\nDesigned to protect a cloud’s posture and runtime operations against these threats, Cortex Cloud helps\r\ndetect and prevent the malicious operations or configuration alterations or exploitations discussed within\r\nthis article.\r\nCortex Cloud Identity Security encompasses Cloud Infrastructure Entitlement Management (CIEM),\r\nIdentity Security Posture Management (ISPM), Data Access Governance (DAG) as well as Identity Threat\r\nDetection and Response (ITDR) and provides clients with the necessary capabilities to improve their\r\nidentity-related security requirements. Should the operations move into cloud environments, Cortex Cloud\r\ncan help detect misconfigurations and unwanted access to sensitive data. It also conducts real-time analysis\r\nof usage and access patterns. This provides visibility into cloud identities and their permissions.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 000 800 050 45107\r\nSouth Korea: +82.080.467.8774\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 hashes of the AppleChris tunnel variant:\r\n9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500\r\n5a6ba08efcef32f5f38df544c319d1983adc35f3db64f77fa5b51b44d0e5052c\r\n0e255b4b04f5064ff97da214050da81a823b3d99bce60cdd9ee90d913cc4a952\r\nSHA256 hashes of the AppleChris Dropbox variant:\r\n413daa580db74a38397d09979090b291f916f0bb26a68e7e0b03b4390c1b472f\r\n2ee667c0ddd4aa341adf8d85b54fbb2fce8cc14aa88967a5cb99babb08a10fae\r\nSHA256 hash of MemFun:\r\nad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad\r\nSHA256 hash of Getpass:\r\nee4d4b7340b3fa70387050cd139b43ecc65d0cfd9e3c7dcb94562f5c9c91f58f\r\nIPv4 addresses of the C2 servers:\r\n8.212.169[.]27\r\n8.220.135[.]151\r\n8.220.177[.]252\r\n8.220.184[.]177\r\n116.63.177[.]49\r\n118.194.238[.]51\r\n154.39.142[.]177\r\n154.39.137[.]203\r\nAdditional Resources\r\nHijack Execution Flow: DLL – MITRE ATT\u0026CK\r\nIndicator Removal: Timestomp – MITRE ATT\u0026CK\r\nMimikatz – MITRE ATT\u0026CK\r\nProcess Injection: Process Hollowing – MITRE ATT\u0026CK\r\nReflective Code Loading – MITRE ATT\u0026CK\r\nWeb Service: Dead Drop Resolver – MITRE ATT\u0026CK\r\nIt’s All in the Name: How Unit 42 Defines and Tracks Threat Adversaries – Unit 42, Palo Alto Networks\r\nBlowfish Cipher – Wikipedia\r\nAppendix A: Comparison of AppleChris Backdoor Variants\r\nTable 1 shows the differences between the two AppleChris variants: Dropbox and Tunnel.\r\nFeature | Dropbox Variant | Tunnel Variant\r\nUnique Commands | Three unique commands: # – Sleep Control: Updates the beacon sleep interval dynamically. ( – Kill Process: Terminates processes. + – Recent Files Exfil: Steals files from the Recent Files folder. | One unique command: ? – Proxy Tunnel: Creates a reverse TCP tunnel for network pivoting.\r\nDead Drop Resolver (DDR) | Uses Dropbox as the primary DDR, with Pastebin as a fallback and an additional Dropbox access token as a final fallback. | Relies solely on Pastebin.\r\nAnti-Debugging | Contains an anti-debugging mechanism. | Relies on a long sleep (30-120s).\r\nNetwork Spam (Decoy) | Spawns a background thread to generate fake traffic to support.microsoft[.]com every 30 seconds. | Does not generate decoy traffic.\r\nPrivilege and Proxy Handling | Steals the active user's access token to impersonate the user. Captures the user's specific proxy configuration. | Runs in the existing context without active token or proxy manipulation.\r\nMutex | Does not create a mutex. | Creates the hard-coded 0XFEXYCDAPPLE05CHRIS mutex.\r\nTable 1. Comparison table between AppleChris variants.\r\nAppendix B: AppleChris Commands\r\nTable 2 lists the AppleChris commands shared by the Dropbox and Tunnel variants.\r\nSymbol | Name | Description | Custom HTTP Verb\r\n[ | Get Drive Info | Surveys the target's storage environment to identify all connected drives (local, removable or optical) and calculates their available disk space. | PUT\r\n$ | List Directory | Enumerates the contents of a specified directory, providing the attacker with a full list of files and subfolders, along with their last-modified timestamps. | POT\r\n% | Download File | Retrieves a payload or file from the C2 server and writes it directly to the target's disk. | DPF\r\n^ | Upload File | Exfiltrates a specific file from the target's machine to the attacker. Includes logic to resume interrupted transfers if the connection is lost. | UPF\r\n@ | Execute Shell | Executes arbitrary shell commands via cmd.exe and actively streams the console output (stdout/stderr) back to the C2 server. | CPF\r\n! | List Processes | Provides a simple list of process names and PIDs for all currently running processes. | LPF\r\n* | Create Process | Silently launches an executable or command-line instruction in a hidden window, preventing the user from seeing any visual interface. This command executes blindly without confirming success to the attacker. | None\r\n- | Delete File | Permanently removes a targeted file from the file system. This command executes blindly without confirming success to the attacker. | None\r\nTable 2. AppleChris supported commands.\r\nSource: https://origin-unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://origin-unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/"
	],
	"report_names": [
		"espionage-campaign-against-military-targets"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f31c57ad-2bb1-4a0a-a6c9-7675add32b0c",
			"created_at": "2026-03-24T02:00:04.62311Z",
			"updated_at": "2026-04-10T02:00:03.98721Z",
			"deleted_at": null,
			"main_name": "CL-STA-1087",
			"aliases": [],
			"source_name": "MISPGALAXY:CL-STA-1087",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775792205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8174cb9faa2ed91a2cdb6f90ce8a56caa04fed97.pdf",
		"text": "https://archive.orkl.eu/8174cb9faa2ed91a2cdb6f90ce8a56caa04fed97.txt",
		"img": "https://archive.orkl.eu/8174cb9faa2ed91a2cdb6f90ce8a56caa04fed97.jpg"
	}
}