Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia

    Date: 03/13/2026

    Severity: High

    Summary

    A state-sponsored threat cluster tracked as CL-STA-1087, suspected to be linked to China, has conducted a long-term cyber espionage campaign targeting military organizations in Southeast Asia since at least 2020. The attackers focused on collecting sensitive intelligence related to military capabilities, organizational structures, and cooperation with Western armed forces. The operation uses custom tools including the AppleChris and MemFun backdoors and a Getpass credential harvester, supported by stable infrastructure and tailored tactics for persistent intelligence gathering.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("8.220.177.252","8.220.135.151","8.212.169.27","154.39.137.203","116.63.177.49","8.220.184.177","154.39.142.177","118.194.238.51") or srcipaddress IN ("8.220.177.252","8.220.135.151","8.212.169.27","154.39.137.203","116.63.177.49","8.220.184.177","154.39.142.177","118.194.238.51")

    Detection Query 2:

    sha256hash IN ("413daa580db74a38397d09979090b291f916f0bb26a68e7e0b03b4390c1b472f","9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500","5a6ba08efcef32f5f38df544c319d1983adc35f3db64f77fa5b51b44d0e5052c","0e255b4b04f5064ff97da214050da81a823b3d99bce60cdd9ee90d913cc4a952","2ee667c0ddd4aa341adf8d85b54fbb2fce8cc14aa88967a5cb99babb08a10fae","ad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad","ee4d4b7340b3fa70387050cd139b43ecc65d0cfd9e3c7dcb94562f5c9c91f58f")
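    As an added example, not part of Gurucul's advisory or its TDIR tooling, the two queries above re-implemented as an offline matcher over constructed JSON-lines events (field names srcipaddress, dstipaddress and sha256hash taken from the queries): query 1 fires on either end of a connection, query 2 on the SHA-256, with digests lower-cased before comparison because log sources do not all store hex in the same case.

```python
import json
# IOC values as listed on the page
IOC_IPS = {
    "8.212.169.27", "8.220.135.151", "8.220.177.252", "8.220.184.177",
    "116.63.177.49", "118.194.238.51", "154.39.142.177", "154.39.137.203",
}
IOC_SHA256 = {
    "9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500",
    "5a6ba08efcef32f5f38df544c319d1983adc35f3db64f77fa5b51b44d0e5052c",
    "0e255b4b04f5064ff97da214050da81a823b3d99bce60cdd9ee90d913cc4a952",
    "413daa580db74a38397d09979090b291f916f0bb26a68e7e0b03b4390c1b472f",
    "2ee667c0ddd4aa341adf8d85b54fbb2fce8cc14aa88967a5cb99babb08a10fae",
    "ad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad",
    "ee4d4b7340b3fa70387050cd139b43ecc65d0cfd9e3c7dcb94562f5c9c91f58f",
}
# Constructed sample events in JSON-lines form, not real telemetry
SAMPLE_LOG = [
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "8.220.177.252"}',
    '{"srcipaddress": "154.39.142.177", "dstipaddress": "10.0.0.9"}',
    '{"image": "x.exe", "sha256hash": "9E44A460196CC92FA6C6C8A12D74FB73A55955045733719E3966A7B8CED6C500"}',
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "1.1.1.1", "sha256hash": "deadbeef"}',
    'not json at all',
]

def match_event(event):
    """Return (query, field, value) for every IOC the event matches."""
    hits = []
    # Query 1 checks both ends of the connection, as the OR in the page's query does
    for field in ("srcipaddress", "dstipaddress"):
        ip = str(event.get(field) or "").strip()
        if ip in IOC_IPS:
            hits.append(("query1", field, ip))
    # Query 2: hex digests are case-insensitive, so normalise before comparing
    digest = str(event.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        hits.append(("query2", "sha256hash", digest))
    return hits

def scan(lines):
    """Apply both queries to JSON-lines events, skipping malformed lines."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole scan
        for query, field, value in match_event(event):
            alerts.append({"line": n, "query": query, "field": field, "value": value})
    return alerts
```

    Running scan(SAMPLE_LOG) yields three alerts: two from query 1 (one per direction) and one from query 2 on the upper-case digest; the malformed fifth line is skipped.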

    Reference:

    https://unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/


    Tags

    Malware, Threat Actor, APT, China, Cyber Espionage, Defense Industrial Base, Southeast Asia, Backdoor, Credential Harvesting
