Security researchers at Unit 42 have pulled back the curtain on a sophisticated espionage cluster they’ve dubbed CL-STA-1087. This state-sponsored actor, suspected with moderate confidence to be operating out of China, has spent years meticulously infiltrating military organizations across Southeast Asia.
What makes this campaign stand out isn’t just its scale, but its “strategic operational patience”. This is a group that doesn’t just steal data—it hunts for specific intelligence.
Tracing back to at least 2020, CL-STA-1087 has maintained a persistent presence in high-value networks. Unlike typical cybercriminals, these attackers avoid bulk data theft in favor of highly targeted collection.
As the Unit 42 report details: “The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures and collaborative efforts with Western armed forces.” This objective-oriented approach suggests a high-level espionage mission focused on “command, control, communications, computers and intelligence (C4I) systems”.

The investigation began when Cortex XDR agents detected suspicious PowerShell activity on networks where the attackers had already established a foothold. To maintain their grip, the actors deployed a suite of custom-developed tools:
- AppleChris Backdoor: A flexible backdoor that uses “custom HTTP verbs” (like POT and PUT) and a “dead drop resolver” (DDR) technique to hide its command-and-control (C2) traffic.
- MemFun Backdoor: A multi-stage, in-memory platform that employs “anti-forensic checks” and “process hollowing” to run malicious code under the guise of legitimate Windows processes.
- Getpass Harvester: A custom version of the well-known Mimikatz tool, modified to automatically log plaintext passwords and NTLM hashes while masquerading as a legitimate security database.
Some variants use timestomping to make malicious files appear as old as legitimate system files, while others use sleep timers of up to 120 seconds to outlast automated security sandboxes.
The report provides compelling evidence linking CL-STA-1087 to the Chinese nexus. Beyond using China-based cloud infrastructure and Simplified Chinese on C2 login pages, the attackers’ own “hands-on-keyboard” activity told a story.
According to the researchers: “The data revealed that malicious activities consistently occurred during business hours, specifically aligning with a UTC+8 time zone schedule.” This temporal pattern, matching typical office hours in China, further reinforces the assessment of state-sponsored activity.
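The time-of-day reasoning the researchers describe can be reproduced on activity timestamps. The script below is an added example, not Unit 42's tooling: it takes UTC command-execution timestamps (constructed sample data here, not from the report) and scores every whole-hour offset by how many events fall inside a Monday to Friday, 09:00 to 18:00 working window in that zone; a single sharp peak is the signal that supports a "business hours in UTC+8" assessment.

```python
"""Score candidate time zones against hands-on-keyboard activity timestamps."""
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC times of attacker commands on a Mon-Fri week (hypothetical).
SAMPLE_EVENTS_UTC = [
    "2023-03-06T01:12:00", "2023-03-06T01:45:00", "2023-03-06T02:40:00",
    "2023-03-07T03:15:00", "2023-03-07T04:45:00", "2023-03-07T05:05:00",
    "2023-03-08T06:20:00", "2023-03-08T07:50:00", "2023-03-09T08:10:00",
    "2023-03-09T09:05:00", "2023-03-10T09:40:00", "2023-03-10T09:55:00",
]

WORK_START, WORK_END = 9, 18  # local working window in hours, end exclusive


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def in_working_hours(dt_utc: datetime, offset_hours: int) -> bool:
    """True if the event lands on a weekday inside the working window at this offset."""
    local = dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(events):
    """Map each offset UTC-12..UTC+14 to the share of events inside working hours."""
    parsed = [parse_utc(e) for e in events]
    return {
        off: sum(in_working_hours(dt, off) for dt in parsed) / len(parsed)
        for off in range(-12, 15)
    }


def likely_offset(events) -> int:
    """Offset with the highest working-hours share (ties go to the smaller |offset|)."""
    scores = score_offsets(events)
    return max(scores, key=lambda off: (scores[off], -abs(off)))


if __name__ == "__main__":
    scores = score_offsets(SAMPLE_EVENTS_UTC)
    for off in sorted(scores, key=scores.get, reverse=True)[:3]:
        print(f"UTC{off:+d}: {scores[off]:.0%} of activity in working hours")
    print("best fit: UTC%+d" % likely_offset(SAMPLE_EVENTS_UTC))
```

A peak that is only marginally above its neighbours is weak evidence; this kind of analysis is one corroborating signal alongside infrastructure and language artifacts, as the report treats it.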
After establishing persistence on unmanaged endpoints, the environment would appear dormant for months. “We assess that the attackers deliberately maintained their foothold in the environment, waiting for an opportune moment to resume their operations,” the report explains. By moving laterally to domain controllers, web servers, and executive-level assets, the group ensured they had access to the most sensitive corners of the network whenever they chose to wake up.