{ "Event": { "analysis": "1", "date": "2026-03-12", "extends_uuid": "", "info": "[Threat Intel] Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia", "protected": false, "publish_timestamp": "1774219613", "published": true, "threat_level_id": "2", "timestamp": "1774219613", "uuid": "ca188b57-8812-4938-b96f-76074be7aab4", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#0afe32", "local": false, "name": "misp-galaxy:producer=\"Palo Alto\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#f28fb8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"", "relationship_type": "" }, { "colour": "#5c57c8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"", "relationship_type": "" }, { "colour": "#256f6a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL - T1574.001\"", "relationship_type": "" }, { "colour": "#b672a4", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"", "relationship_type": "" }, { "colour": "#edf46c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Timestomp - T1070.006\"", "relationship_type": "" }, { "colour": "#bf01b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#5affe5", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1021.006\"", "relationship_type": "" }, { "colour": "#5780f7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Default Accounts - T1078.001\"", "relationship_type": "" }, { "colour": "#1b0fe1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#f07d7c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"", "relationship_type": "" }, { "colour": "#4bc785", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#fdd85e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"", "relationship_type": "" }, { "colour": "#3c0f50", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "relationship_type": "" }, { "colour": "#e22a4a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credential API Hooking - T1056.004\"", "relationship_type": "" }, { "colour": "#8d021b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Dead Drop Resolver - T1102.001\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"State-Sponsored\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#fdcb58", "local": false, "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"035 - South-eastern Asia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Military\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"MimiKatz\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773716419", "to_ids": false, "type": "link", "uuid": "e0e19c1b-98bc-4724-94da-88884018f67b", "value": "https://unit42.paloaltonetworks.com/espionage-campaign-against-military-targets" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773716419", "to_ids": false, "type": "text", "uuid": "eed2171a-9f5e-48a1-9e02-d2aa283e94ab", "value": "A suspected Chinese state-sponsored espionage campaign targeting Southeast Asian military organizations has been identified, traced back to at least 2020. Designated as CL-STA-1087, the operation demonstrates strategic patience and focused intelligence collection on military capabilities and structures. The attackers deployed custom tools including the AppleChris and MemFun backdoors, and a modified Mimikatz variant called Getpass. The campaign is characterized by the use of dead drop resolvers, custom HTTP verbs, and anti-forensic techniques. Infrastructure analysis reveals long-term persistence and operational compartmentalization. The activity aligns with Chinese working hours and utilizes China-based cloud infrastructure, suggesting a Chinese nexus." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773716419", "to_ids": false, "type": "text", "uuid": "33f8052d-ae1d-4ddd-82cc-433c5414feed", "value": "Name: Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia\nAuthor: AlienVault\nAdversary: CL-STA-1087\nTags: [\"getpass\", \"credential harvesting\", \"espionage\", \"apt\", \"memfun\", \"applechris\"]\nTgtd countries: []\nMlwr families: [\"AppleChris\", \"MemFun\", \"Getpass\"]\nAttack_ids: [\"T1003\", \"T1543.003\", \"T1574.001\", \"T1053\", \"T1070.006\", \"T1112\", \"T1021.006\", \"T1078.001\", \"T1036.004\", \"T1059.001\", \"T1547.001\", \"T1078\", \"T1571\", \"T1055.012\", \"T1027\", \"T1134\", \"T1027.002\", \"T1056.004\", \"T1102.001\"]\nIndustries: [\"Defense\", \"Government\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1773716419", "to_ids": false, "type": "threat-actor", "uuid": "bb6b3973-142d-48cd-9739-0b604da243b2", "value": "CL-STA-1087" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774194831", "to_ids": true, "type": "ip-dst", "uuid": "5bb3a86c-e998-4610-b4fa-15879c16ad5e", "value": "8.220.184.177", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773716419", "to_ids": false, "type": "vulnerability", "uuid": "9d6d0e71-e1f8-4a59-9be3-2d8abe74f8e6", "value": "CVE-2026-0628" }, { "category": "Payload delivery", "comment": "AppleChris tunnel variant No sample in VT\r\nLast check:22/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774194747", "to_ids": true, "type": "sha256", "uuid": "8668412b-e509-4eb4-970d-019fc9f3d8ef", "value": "0e255b4b04f5064ff97da214050da81a823b3d99bce60cdd9ee90d913cc4a952", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "AppleChris Dropbox variant No sample in VT\r\nLast check:22/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774194747", "to_ids": true, "type": "sha256", "uuid": "56865249-9532-4163-8985-e7931e4d0321", "value": "2ee667c0ddd4aa341adf8d85b54fbb2fce8cc14aa88967a5cb99babb08a10fae", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "AppleChris tunnel variant No sample in VT\r\nLast check:22/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774194749", "to_ids": true, "type": "sha256", "uuid": "ed34d1f9-db60-4e75-96dd-5b0dafd17609", "value": "5a6ba08efcef32f5f38df544c319d1983adc35f3db64f77fa5b51b44d0e5052c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "AppleChris tunnel variant No sample in VT\r\nLast check:22/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774194750", "to_ids": true, "type": "sha256", "uuid": "e3fc3f3b-ddd0-4f65-a5f8-96b61f77d208", "value": "9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "MemFun No sample in VT\r\nLast check:22/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774194750", "to_ids": true, "type": "sha256", "uuid": "24a6ced6-d097-47a2-80b5-38026e3f9b8b", "value": "ad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Getpass No sample in VT\r\nLast check:22/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774194752", "to_ids": true, "type": "sha256", "uuid": "8a88e869-9b4e-43ea-8db1-bc6ccb0982a4", "value": "ee4d4b7340b3fa70387050cd139b43ecc65d0cfd9e3c7dcb94562f5c9c91f58f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774194852", "to_ids": true, "type": "ip-dst", "uuid": "8e1cde33-83e4-404e-89f5-4a81e5deadd4", "value": "109.248.24.177", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774194874", "to_ids": true, "type": "ip-dst", "uuid": "dbbf461e-b54a-42b4-ba07-29077815d675", "value": "116.63.177.49", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774194895", "to_ids": true, "type": "ip-dst", "uuid": "ea638345-757a-430f-b157-b567ecb0f3f4", "value": "118.194.238.51", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774194917", "to_ids": true, "type": "ip-dst", "uuid": "c66be69e-3625-48e0-b74c-8c0710487062", "value": "154.39.137.203", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774194939", "to_ids": true, "type": "ip-dst", "uuid": "fbf5a935-78d5-415f-b566-06a3ab9d6d09", "value": "154.39.142.177", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774194960", "to_ids": true, "type": "ip-dst", "uuid": "e1347729-607b-4b60-a953-b21223e3091f", "value": "8.212.169.27", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774194982", "to_ids": true, "type": "ip-dst", "uuid": "5d130740-a8be-4233-81c4-a0771a963b3c", "value": "8.220.135.151", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1774195003", "to_ids": true, "type": "ip-dst", "uuid": "7b958c81-8950-40a2-9a5d-b02088e620ab", "value": "8.220.177.252", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1774195025", "uuid": "28c284e6-11b4-482e-96ad-68e2f3f5598f", "Attribute": [ { "category": "Payload delivery", "comment": "AppleChris Dropbox variant", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1774195025", "to_ids": true, "type": "md5", "uuid": "bc77958a-1d44-4c4d-b5b5-54d66870d3f3", "value": "ad5ede7d0069959499692ecde0685f10", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "AppleChris Dropbox variant", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1774194746", "to_ids": true, "type": "sha1", "uuid": "a67f90a2-72e3-4a41-becd-ae14288d85bb", "value": "e178de90d952e2ef81b8979210a28f0661947523", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "AppleChris Dropbox variant", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1774194746", "to_ids": true, "type": "sha256", "uuid": "03ef0ccb-a32e-4574-b343-1ae4035872dd", "value": "413daa580db74a38397d09979090b291f916f0bb26a68e7e0b03b4390c1b472f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1774193442", "to_ids": true, "type": "ssdeep", "uuid": "d10834d2-541b-4e0d-bbf4-d0124c28aef4", "value": "24576:xoXpL8TPleNSEZhHrbXrEtkwkjzW9vcH4Rr3BX:xoZL8TPIXbr/ikW9Uq3BX" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1774193442", "to_ids": false, "type": "size-in-bytes", "uuid": "c70327bf-d06c-4805-94fb-99d917773e5c", "value": "953856" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1774193442", "to_ids": true, "type": "vhash", "uuid": "bb34d94e-b2bb-4a62-9254-e04bbd618a85", "value": "195086655d555d15155550d3z12z9b7z31z13z23z1ez1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1774193442", "to_ids": true, "type": "filename", "uuid": "b3130a23-9a95-4c31-a93c-de6a1becee64", "value": "pt8uf9lg.exe" }, { "category": "Other", "comment": "Checked: 22/03/2026\nLast-scan\t: 21/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1774193442", "to_ids": false, "type": "text", "uuid": "d3954c42-fe6e-4893-90dc-e1aa4977d7b3", "value": "AppleChris Dropbox variant\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:44/72\nFirst Submission:2026-03-09T00:41:32.000000+00:00\nLast Submission:2026-03-09T00:41:32.000000+00:00" } ] } ] } }