A cyberespionage campaign attributed with moderate confidence to Chinese state-sponsored actors operated inside Southeast Asian military networks from at least 2020 through 2025, collecting intelligence on C4I systems, organizational command hierarchies, and joint military operations with Western armed forces. Palo Alto Networks' Unit 42 published its findings on March 12, 2026, exposing the cluster it designates CL-STA-1087 along with three previously undocumented tools purpose-built for long-term, precision access: the AppleChris and MemFun backdoors, and the Getpass credential harvester.
Nation-state espionage reporting often loses texture through repetition. CL-STA-1087 restores it. This is not a threat actor that swept through a target, grabbed whatever was accessible, and left fingerprints everywhere. This is a group that sat inside military networks for years, moved only when necessary, and specifically sought files about joint military exercises with Western nations, C4I command structures, and operational capabilities. The distinction between bulk data theft and precision intelligence collection matters strategically. This campaign is a clear example of the latter — and what makes it technically instructive is that the actors were not relying on zero-days. They exploited the one gap that security teams routinely underestimate: the unmanaged endpoint.
How the Campaign Was Discovered
The intrusion came to light only because of a security upgrade. When newly deployed Cortex XDR agents were rolled out across the target environment, they immediately flagged suspicious PowerShell activity that had been quietly running in the background. The detection revealed an active, ongoing compromise across multiple endpoints. Without that deployment, the activity could have continued indefinitely — and given that the infrastructure traces back to September 2020, it had already run for years before detection.
Unit 42 researchers Lior Rochberger and Yoav Zemah traced the campaign's infrastructure through Pastebin creation dates, file timestamps, and malware compilation times, all pointing back to at least 2020. The attackers had established a persistent foothold on an unmanaged endpoint — a machine without endpoint detection software — and used it to execute malicious PowerShell scripts (T1059.001) remotely across selected systems. The scripts were designed to sleep for exactly 21,600 seconds (six hours) before creating reverse shells to one of four specific C2 servers: 154.39.142[.]177, 154.39.137[.]203, 8.212.169[.]27, and 109.248.24[.]177. The six-hour delay is deliberate — a time-based sandbox evasion technique (T1497.003): standard automated sandboxes run for 60 to 180 seconds, making this timer highly effective at outlasting automated detonation analysis.
After initial access was established, the environment went dormant for several months with no observable malicious activity. Unit 42 assesses this was deliberate — the attackers maintained their foothold and waited for an operationally opportune moment. This pattern of calculated dormancy is one of the defining characteristics of CL-STA-1087 and recurs across multiple phases of the campaign.
Rochberger and Zemah characterized the campaign as one defined by deliberate operational patience and precision targeting. Unit 42's conclusion from the full investigation was that the cluster demonstrated "operational patience and security awareness," maintaining dormant access for months while implementing measures specifically designed to ensure campaign longevity.
The naming convention for the cluster reflects Unit 42's attribution framework. CL stands for cluster — a designation used before formal group attribution. STA signals the team's assessment that the activity is state-sponsored. The initial access vector remains undetermined — a fact worth sitting with. Unit 42 identified the unmanaged endpoint as the earliest observed foothold, but that is not necessarily where the intrusion began. The absence of telemetry on an unmanaged device means investigators cannot rule out a prior compromise that placed the actors there. This ambiguity is not unusual in long-dwell campaigns; by the time detection occurs, the earliest activity often falls outside any log retention window. The group spread through the victim network using Windows Management Instrumentation (T1047) and native .NET commands, landing on domain controllers, web servers, IT workstations, and executive-level assets — a distribution pattern that signals access breadth was a priority alongside data collection.
- Unmanaged Endpoint Foothold: Attackers gain access to a machine with no EDR agent installed. Initial access vector undetermined — no telemetry exists to reconstruct it. (T1059.001 · T1027 · T1497.003)
- PowerShell Reverse Shell — 6-Hour Sleep: Obfuscated PowerShell scripts execute with a 21,600-second sleep timer before opening a reverse shell to one of four C2 servers. The timer outlasts all standard sandbox detonation windows (60–180 s). (T1059.001 · T1497.003)
- AppleChris Backdoor & WMI Lateral Movement: AppleChris deployed via DLL hijacking (swprv32.sys in System32, registered as a shadow copy service). WMI used to spread to domain controllers, web servers, IT workstations, and executive-level assets. (T1574.001 · T1543.003 · T1047 · T1102.001 · T1071.001)
- MemFun — In-Memory C2: The MemFun loader (GoogleUpdate.exe) timestomps itself, then hollows dllhost.exe and loads a DLL payload entirely in memory via reflective code loading. No payload is written to disk. Session-specific Blowfish encryption on each C2 exchange. (T1036.005 · T1070.006 · T1055.012 · T1620 · T1102.001)
- Getpass Credential Harvesting: Getpass is called through AppleChris. It acquires SeDebugPrivilege and dumps all ten Windows authentication packages from lsass.exe — plaintext passwords, NTLM hashes, Kerberos tokens. Output is staged to WinSAT.db. (T1003.001 · T1036.005 · T1074.001 · T1550.002 · T1550.003)
- C4I Intelligence Exfiltration: Targeted collection of C4I system files, command hierarchies, joint military exercise records, and partnership data with Western armed forces. Precision intelligence collection sustained across a five-year dwell period. (T1074.001)
The Malware: AppleChris, MemFun, and Getpass
Three tools sit at the center of this campaign, all previously undocumented. Each reflects design decisions that prioritize longevity and stealth over speed. Both backdoors share a common architectural pattern — custom HTTP verbs and dead drop resolution through the same Pastebin account — but differ sharply in how they evade detection. Each tool is profiled below.
AppleChris
- Mutex: 0XFEXYCDAPPLE05CHRIS
- Persistence: swprv32.sys in System32, registered as a Windows service (T1543.003) under the shadow copy service path
- Variants: Dropbox variant (swrpv.sys) — dual DDR: Dropbox primary, Pastebin fallback. Tunneler variant (swrpv.sys, update.exe, Googleupdate.exe) — single Pastebin DDR plus proxy tunneling (T1090)
- File location: swprv32.sys in %SystemRoot%\System32\
Why it works
- Survives reboots via legitimate-looking service
- Two independent C2 fallback paths
- Custom verbs defeat signature-based traffic inspection
- Sleep timers bypass automated sandbox detonation
Detection
- Mutex 0XFEXYCDAPPLE05CHRIS in memory
- swprv32.sys created in System32 by a non-system process
- New service registered under the shadow copy service path
- Process → Pastebin → unfamiliar IP network sequence

MemFun
- Loader: GoogleUpdate.exe (T1036.005 masquerading) — runs anti-forensic checks, performs timestomping (T1070.006) to match the Windows System directory creation date
- Host process: dllhost.exe — shellcode injected, then in-memory downloader launched
Why it works
- Zero disk artifacts — file-based AV sees nothing
- Timestomped loader blends into forensic timeline
- Hides inside legitimate dllhost.exe process
- Modular — payload swapped without host file changes
Detection
- dllhost.exe with anomalous parent or outbound connections
- Sysmon EID 8 (CreateRemoteThread) or EID 25 (ProcessTampering)
- Memory-resident DLL with no corresponding disk file
- GoogleUpdate.exe outside Google installation paths

Getpass
- Privilege: vncpass function acquires SeDebugPrivilege before credential extraction
- Source: lsass.exe (T1003.001)
- Output: WinSAT.db (T1074.001, T1036.005) — impersonates the Windows System Assessment Tool database. The file also masquerades as a Palo Alto Networks tool
Why it works
- Fully automated — no operator interaction required
- All ten auth packages harvested in one pass
- Output file disguised as legitimate Windows database
- Credentials actionable long after campaign exposure
Detection
- Sysmon EID 10 (lsass.exe process access) + subsequent .db file write
- WinSAT.db outside %SystemRoot%\Performance\WinSAT\
- SeDebugPrivilege acquisition by non-system process
- File claiming to be a Palo Alto tool that is not a Palo Alto binary
Unlike standard Mimikatz, which requires interactive operator input through a console, Getpass runs its credential-harvesting routine automatically without any interface. Stolen credentials are logged to a file named WinSAT.db (T1036.005 — Masquerading: Match Legitimate Name) — chosen to impersonate the legitimate Windows System Assessment Tool database. Additionally, Getpass masquerades its own file identity as a Palo Alto Networks tool (T1036.005 — Masquerading), adding another layer of visual legitimacy to its presence on the filesystem. The output file is staged locally (T1074.001 — Local Data Staging) for later exfiltration rather than sent directly over the network, reducing the risk of real-time detection through traffic analysis.
What the Collected Intelligence Is Worth
A technical report can describe what was targeted without fully accounting for why it matters. C4I files — covering command, control, communications, computers, and intelligence systems — are among the most operationally sensitive categories of military data that exist. They reveal not just what capabilities a military possesses, but how those capabilities are coordinated under pressure: which commanders authorize what actions, which communication channels carry which traffic, and where the decision-making bottlenecks are.
Joint exercise records are similarly valuable in ways that go beyond the exercises themselves. They reveal which units have rehearsed interoperability with which Western partners, what scenarios were war-gamed, and what gaps were identified. An adversary reading a comprehensive exercise after-action report understands both a military's strengths and the specific weaknesses its own personnel have documented.
Credential material collected by Getpass — NTLM hashes, plaintext passwords, Kerberos tokens — has immediate operational value beyond the current intrusion. NTLM hashes enable pass-the-hash attacks (T1550.002) against other systems on the same domain without requiring plaintext credentials. Kerberos tokens can be used for pass-the-ticket lateral movement (T1550.003) within a Kerberos-authenticated environment. Credentials for personnel with access to classified systems may persist as valid for months if password rotation policies are weak, meaning the exfiltrated data remains actionable long after the campaign itself is exposed.
Getpass logs credentials to WinSAT.db to impersonate a legitimate Windows file. Any WinSAT.db file outside its expected system context — particularly in user directories, temp folders, or on servers — should be treated as a high-confidence indicator of compromise. GoogleUpdate.exe running from C:\Windows\Temp or any non-Google path is never legitimate. Confirmed C2 IP addresses: 154.39.142[.]177, 154.39.137[.]203, 8.212.169[.]27, 109.248.24[.]177, 8.220.135[.]151, 8.220.177[.]252, 8.220.184[.]177, 116.63.177[.]49, 118.194.238[.]51. Mutex to hunt: 0XFEXYCDAPPLE05CHRIS.
C2 Infrastructure and Dead Drop Resolvers
One of the more technically distinctive aspects of CL-STA-1087 is how its operators structured their command-and-control infrastructure. Rather than hardcoding a C2 IP address into the malware — which would allow any analyst who obtained a sample to immediately identify and block the server — both AppleChris and MemFun use what Unit 42 calls dead drop resolvers, or DDRs. This is tracked by MITRE as T1102.001.
A DDR works by posting content to a legitimate third-party web service that contains an encoded or encrypted reference to the real C2 address. The malware connects to the legitimate service, retrieves that content, Base64-decodes it, and then decrypts the embedded server address using an RSA-1024 private key stored inside the malware binary itself. RSA-1024 is considered cryptographically weak — NIST SP 800-131A Rev. 2 formally deprecated it in 2019 — a telling operational detail. The actors prioritized stealth and longevity over key strength, suggesting either that re-engineering the cryptographic layer was not a concern, or that these tools were built early in the campaign's life and never substantially updated. Because the initial network traffic goes to a trusted platform like Pastebin, it evades IP-based blocklists entirely. Even if a defender discovers the Pastebin account, the actual C2 IP address remains protected without the decryption key.
CL-STA-1087 used Pastebin as its primary DDR. Some AppleChris Dropbox variants also used a Dropbox account as a primary DDR, with Pastebin as fallback. Unit 42's analysis confirmed that the Pastebin infrastructure associated with this campaign traces back to September 2020 — consistent with the broader campaign start date. The C2 IP addresses are hosted on Chinese cloud network infrastructure. Critically, Unit 42 found evidence that the threat actor continued to update their Dropbox account with refreshed infrastructure files even during the investigation, indicating the infrastructure was actively maintained.
The combination of DDR with custom encryption creates a detection-resistant architecture. Network monitoring that evaluates destination reputation alone — trusting traffic to Pastebin or Dropbox as benign — creates exactly the gap this technique exploits. Detection requires behavioral analysis: correlating the process making the Pastebin request with subsequent outbound connections to unfamiliar IPs. This is the failure mode NIST SP 800-207 (Zero Trust Architecture) exists to address: network location — including a connection to a brand-name trusted service — cannot grant implicit trust. Every request must be evaluated against identity, device state, and behavioral context.
Rochberger and Zemah noted that the group maintained communication with multiple compromised networks across an extended window. Even the older AppleChris Dropbox samples remained functional and in active use at the time of the investigation — a detail that underscores how little urgency the actors felt to rotate their infrastructure and how confident they were in their operational security posture.
MITRE ATT&CK Analysis
Seventeen MITRE ATT&CK techniques map to this campaign. Rather than listing them in isolation, it is more useful to read them as three deliberate strategies — evasion, persistence, and collection — that explain why this campaign ran for five years without triggering detection. The technique codes are precise identifiers, not the story.
Evasion: Designed to Outlast Every Automated Defense
The evasion architecture of CL-STA-1087 is not a collection of opportunistic tricks — it is a layered system where each technique compensates for the detection risk created by another. The PowerShell reverse shell (T1059.001) is obfuscated (T1027) to defeat static analysis, but the operators knew that detonation sandboxes could still catch it dynamically. Their answer was the 21,600-second sleep timer (T1497.003) — six hours of inactivity before the shell activates, calibrated to outlast every automated sandbox that closes after three minutes. AppleChris uses the same principle at the tool level: EXE variants sleep 30 seconds, DLL variants 120 seconds. The timers are not identical across tools because they are tuned to different execution contexts, not copied from a template.
The C2 channel adds another evasion layer. Pastebin and Dropbox connections (T1102.001) evade IP blocklists entirely because the initial traffic goes to trusted domains. Custom HTTP verbs (T1071.001) in the actual C2 stream defeat signature-based traffic inspection looking for standard GET/POST patterns. The Tunneler variant adds proxy routing (T1090) to obscure the true destination even if the channel is inspected. MemFun's loader timestomps its own file metadata to match the Windows System directory creation date (T1070.006), so forensic timeline analysis presents it as a file that has been present since Windows was installed. Each layer addresses the detection vector that would catch the previous one.
Persistence: Hiding in Plain Sight Across the Host
AppleChris's persistence mechanism combines two techniques to make removal both difficult and non-obvious. DLL search order hijacking (T1574.001) places swprv32.sys in System32, and a new Windows service is registered to load it through the legitimate shadow copy service path (T1543.003). The result is a malicious DLL that loads through a legitimate service name, sitting in the directory where Windows stores its own system components. Masquerading (T1036.005) extends this logic across the toolset: MemFun's loader impersonates GoogleUpdate.exe, Getpass's output file impersonates WinSAT.db, and Getpass itself masquerades as a Palo Alto Networks tool. The pattern is consistent — every file in the chain borrows the identity of something a responder would expect to find and leave alone.
MemFun's persistence approach is different in kind: it does not persist at all in the traditional sense. Process hollowing into dllhost.exe (T1055.012) and reflective DLL loading (T1620) mean the payload exists only in memory. There is no file to find, no registry key to remove, no service entry to audit. The trade-off is that MemFun does not survive a reboot — but in an environment with five years of persistent AppleChris access, a reboot is not a problem. AppleChris re-establishes the foothold; MemFun is deployed fresh. The two tools are architecturally complementary.
Collection: Credential Material as the Primary Target
WMI lateral movement (T1047) is how CL-STA-1087 spread from the initial unmanaged endpoint to domain controllers, web servers, and executive-level workstations. WMI is a legitimate Windows management channel — defenders who do not audit it see nothing. The spread pattern was deliberate: domain controllers hold Kerberos ticket-granting infrastructure, executive workstations hold high-value credentials, web servers offer additional network access. Getpass was then deployed through AppleChris to dump lsass.exe memory (T1003.001) across all of these systems, harvesting NTLM hashes usable for pass-the-hash attacks (T1550.002) and Kerberos tokens usable for pass-the-ticket lateral movement (T1550.003). The output was staged to WinSAT.db (T1074.001) before exfiltration — a local staging pattern that avoids the real-time traffic spike of direct credential transmission.
The combined credential harvest gives the actors something more durable than a C2 session: authenticated material that remains valid as long as passwords are not rotated. If the C2 infrastructure goes dark, the credentials do not. If the malware is found and removed, harvested NTLM hashes from six months ago may still open doors. This is why credential invalidation is the first and most time-sensitive response action when these IOCs appear on a network.
Techniques observed:
- T1059.001 PowerShell
- T1027 Obfuscation
- T1497.003 Time-Based Evasion
- T1543.003 Windows Service
- T1574.001 DLL Hijacking
- T1036.005 Masquerading
- T1047 WMI
- T1102.001 Dead Drop Resolver
- T1071.001 Web Protocols
- T1090 Proxy
- T1070.006 Timestomping
- T1055.012 Process Hollowing
- T1620 Reflective Loading
- T1003.001 LSASS Dump
- T1550.002 Pass-the-Hash
- T1550.003 Pass-the-Ticket
- T1074.001 Local Staging
C2 IPs (PowerShell reverse shells):
- 154.39.142[.]177
- 154.39.137[.]203
- 8.212.169[.]27
- 109.248.24[.]177
Additional C2 infrastructure:
- 8.220.135[.]151
- 8.220.177[.]252
- 8.220.184[.]177
- 116.63.177[.]49
- 118.194.238[.]51
AppleChris Tunneler SHA256:
- 9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500
- 5a6ba08efcef32f5f38df544c319b1983adc35f3db64f77fa5b51b44d0e5052c
Mutex: 0XFEXYCDAPPLE05CHRIS
File artifacts:
- swprv32.sys (System32, DLL hijack)
- WinSAT.db (non-standard path, credential dump)
- GoogleUpdate.exe (non-Google directory, MemFun loader)
Why Southeast Asian Militaries Are the Target
The geographic focus of CL-STA-1087 is not arbitrary. Southeast Asia sits at the intersection of several overlapping intelligence priorities for China-nexus state actors, and understanding that context makes the specific data being sought — C4I systems, joint exercise records, command hierarchies, and partnerships with Western armed forces — considerably more legible.
The South China Sea remains one of the most contested maritime spaces on earth. China has overlapping territorial claims with the Philippines, Vietnam, Malaysia, Brunei, and Taiwan, and has pursued an aggressive island-building and militarization strategy in the region for over a decade. For a state actor seeking to understand how adversaries would respond to escalation, knowing the command structures, communication protocols, and operational capabilities of regional militaries is not background noise — it is directly actionable intelligence.
The specific interest in joint exercises with Western armed forces sharpens this further. Military exercises conducted with the United States, Australia, or other Five Eyes-adjacent partners reveal coordination procedures, interoperability standards, and the degree to which regional nations have integrated Western military doctrine into their own operations. An actor that knows which Southeast Asian military units train with which Western counterparts, and under what protocols, has a meaningful advantage in modeling how a coalition would respond to a contingency in the region.
The targeting of air traffic control organizations — seen in the parallel Billbug campaign documented by Symantec — reflects a separate but related priority: understanding civilian and military airspace management, which has both intelligence and potential disruption value in a conflict scenario. The breadth of targeting across government ministries, telecoms, construction, and media in related campaigns suggests these actors are building comprehensive pictures of national capability, not just military order of battle.
This context also explains why the CL-STA-1087 actors were willing to maintain access for five years without triggering detection through aggressive action. The intelligence value of persistent, quiet access to command structures that evolve slowly over time is far greater than the intelligence value of a single bulk exfiltration. Organizational charts change. Exercises are scheduled months in advance. Personnel rotate. An actor with continuous long-term access watches all of it unfold in real time.
Attribution: Why Researchers Point to China
Unit 42 assigns its attribution with moderate confidence — a specific phrasing worth unpacking. It means the indicators are consistent with Chinese state-sponsored activity but are not definitive enough to name a specific known threat group or formally attribute the activity to the Chinese government. Three independent lines of evidence support the China-nexus assessment.
Analysis of the attackers' hands-on-keyboard activity across multiple weeks revealed an operational schedule consistently aligned with UTC+8 business hours. Activity fell within normal working hours with the regularity of a structured shift, not the erratic pattern of freelance operators working from random time zones. UTC+8 covers China, among other regional nations.
The command-and-control servers use Chinese cloud network infrastructure. A login page for one of the C2 servers contained Simplified Chinese text — an artifact that either reflects genuine origin or an extremely deliberate false flag planted to mislead attribution analysts. The targeting logic reinforces the China-nexus assessment: the actors specifically sought files on joint operations with Western armed forces, C4I command hierarchies, and capability assessments. These are precisely the categories of intelligence most strategically valuable to a state with contested territorial interests in Southeast Asia and documented concern about military coordination between regional nations and Western partners.
The tools themselves are novel. No overlap with previously attributed Chinese threat clusters has been documented, which is why Unit 42 assigned a new cluster designation rather than attributing the activity to an existing group like APT41, APT10, Volt Typhoon, or Salt Typhoon. This absence of documented toolset overlap cuts two ways: it could reflect deliberate operational security — using purpose-built tools to avoid linking this campaign to known groups — or it could indicate the involvement of a team not yet represented in public threat intelligence reporting.
CL-STA-1087 in the Broader China-Nexus Threat Picture
This campaign does not exist in isolation. It lands against a backdrop of sustained, multi-front China-linked cyber activity across Southeast Asia that intensified significantly from 2024 onward. For context on how nation-state actors now combine espionage, financial theft, and insider operations into unified programs, see The Four-Front War: How Nation-States Now Combine Espionage, Theft, Insiders, and Ransomware Into a Single Program.
Symantec's Threat Hunter Team documented a parallel campaign conducted by the group it tracks as Billbug — also known as Lotus Panda, Lotus Blossom, and Bronze Elgin — that ran from August 2024 through at least February 2025. That operation targeted a government ministry, an air traffic control organization, a telecommunications operator, and a construction company inside a single Southeast Asian country. The tools used included PlugX, a remote access trojan with a long history across Chinese APT operations, along with reverse proxies Rakshasa and Stowaway, DLL sideloading techniques, and keyloggers. Stolen data was compressed into password-protected WinRAR archives and exfiltrated to cloud storage including File.io.
A separate Symantec campaign documented in December 2024 targeted government ministries across two countries, an air traffic control organization, a telecoms company, and a media outlet — all within the same regional theater. That activity also featured extended dwell time and a focus on credential harvesting and network mapping rather than immediate destructive effect.
SentinelOne's research, published in June 2025, documented the PurpleHaze and ShadowPad activity clusters spanning more than 70 organizations globally between July 2024 and March 2025. SentinelOne attributed that activity with high confidence to China-nexus actors, with overlaps to groups publicly tracked as APT15 and UNC5174. That campaign included a reconnaissance operation specifically targeting SentinelOne's own infrastructure and a separate intrusion into an IT logistics company that managed hardware for SentinelOne employees — a notable escalation in terms of targeting security vendors directly.
The parallel with other China-nexus campaigns using legitimate cloud services as C2 channels — including the GearDoor backdoor, which routes commands through Google Drive using a similar trust-exploitation approach — illustrates a consistent architectural preference among these actors. Rochberger, speaking to Dark Reading following the CL-STA-1087 publication, described a consistent operational split among China-nexus actors: one category focused on long-term espionage with extended dwell times and deliberate pacing, and a separate category of actors focused on speed — groups that move fast, collect what they find, and often get caught because their activity is comparatively noisy. CL-STA-1087 belongs firmly in the first category. Its defining characteristic is patience — the willingness to sit dormant for months rather than risk detection through premature action.
What Happened After Disclosure
Unit 42 published its findings on March 12, 2026. As of the publication of this article, no formal takedown of CL-STA-1087 infrastructure has been announced, and no law enforcement action against attributed operators has been disclosed. The C2 IP addresses listed in Unit 42's report remain relevant as threat intelligence, though actors of this sophistication typically rotate infrastructure quickly following public exposure.
The Dropbox account used as a secondary DDR was confirmed to still be receiving updates during the investigation itself — indicating the actors were aware of operational security but not, at that point, aware they had been discovered. Following disclosure, that account would be expected to go dark or be replaced. The same applies to the Pastebin accounts used for primary C2 resolution. What does not change is the toolset: AppleChris and MemFun are custom-built and represent significant development investment. They are unlikely to be abandoned — more likely to resurface in future campaigns under different infrastructure, potentially with revised signatures sufficient to evade the detections built from this disclosure.
The broader pattern across China-nexus Southeast Asia operations suggests that disclosure of one cluster does not terminate the underlying collection program. Billbug activity continued for months after related reporting. ShadowPad clusters shifted infrastructure and resumed. The operational objective — understanding the military posture and Western partnerships of Southeast Asian nations — has not been achieved once and retired. It is an ongoing intelligence requirement, and the exposure of CL-STA-1087 is one data point in a much longer timeline.
SIEM Detection Logic
The following detection hypotheses are drawn from the technical indicators published by Unit 42 and translated into SIEM-actionable logic. These are not vendor-specific queries but describe the behavioral conditions to express in your platform of choice. The event sources they rely on — Sysmon, Windows Security log, WMI Activity log — map directly to the audit record generation controls (SP 800-53 Rev. 5 AU-2 and AU-12) that organizations are already required to implement.
Trigger: Process access to lsass.exe (Sysmon Event ID 10) where the calling process subsequently creates or writes to a file with a .db extension in any directory other than %SystemRoot%\Performance\WinSAT\. Escalate if the file is named WinSAT.db specifically. This combination — lsass access followed by an unexpected database file write — is a high-fidelity indicator of Getpass execution.
Trigger: dllhost.exe initiating outbound network connections to IP addresses not associated with Microsoft, Google, or known CDN infrastructure, particularly when the parent process is not svchost.exe or a known COM surrogate launcher. Secondary signal: dllhost.exe writing to memory of a child process it should not be spawning. Sysmon Event ID 8 (CreateRemoteThread) or Event ID 25 (ProcessTampering) are relevant collection points.
Trigger: A process connects to pastebin.com or dropbox.com and within the same process session subsequently initiates a new outbound TCP connection to an IP address not in your known-good allowlist. This two-step network pattern — legitimate service then unknown IP — is the operational signature of DDR-based C2 resolution. Apply this logic to any process not in your established browser/update baseline.
Trigger: Creation of a file named swprv32.sys in %SystemRoot%\System32\ by any process other than a known legitimate installer or Windows Update mechanism. Secondary: A new Windows service registered to load from that path. Hunt also for the mutex 0XFEXYCDAPPLE05CHRIS using your EDR's process memory scanning capability.
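The three sequence-based hypotheses above (lsass access followed by a .db write, the legitimate-service-then-unknown-IP pattern that the C2 section describes as the operational signature of DDR resolution, and the swprv32.sys drop followed by service registration) share one shape: an event from a process, then a second event that is only suspicious in light of the first. The following Python is an added example, not code from the article or from Unit 42, showing how each can be expressed as a small correlation over an ordered event stream. The EVENTS list is constructed to resemble Sysmon records with simplified, uniform field names (ProcessGuid and Image on every event type; real Sysmon EID 10 uses SourceProcessGUID and SourceImage), and the allowlist, browser baseline and installer list are placeholder assumptions a deployment would replace with its own. The C2 addresses are the defanged ones from the article's IOC list.

```python
"""Sequence correlation for three CL-STA-1087 detection hypotheses (added example).

Not code from the article or from Unit 42. EVENTS is constructed sample telemetry with
simplified Sysmon-style fields; allowlists and baselines below are assumptions.
"""
from ipaddress import ip_address, ip_network

# Expected home of the legitimate WinSAT database (lowercase for comparison).
WINSAT_DIR = "c:\\windows\\performance\\winsat\\"
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
DDR_HOSTS = {"pastebin.com", "dropbox.com", "www.dropbox.com", "content.dropboxapi.com"}
BROWSER_BASELINE = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}  # assumed baseline
TRUSTED_INSTALLERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}   # assumed
ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]           # assumed known-good

# Defanged reverse-shell C2 addresses as listed in the article's IOC section.
DEFANGED_C2 = ["154.39.142[.]177", "154.39.137[.]203", "8.212.169[.]27", "109.248.24[.]177"]

def refang(ioc):
    """Convert the defanged '1.2.3[.]4' notation back to a comparable IP string."""
    return ioc.replace("[.]", ".")

KNOWN_C2 = {refang(x) for x in DEFANGED_C2}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_lsass_then_db(events):
    """EID 10 access to lsass.exe followed by an EID 11 '.db' write outside the WinSAT
    directory by the same process; 'high' when the file is named WinSAT.db."""
    touched_lsass, hits = set(), []
    for e in events:
        if e["EventID"] == 10 and basename(e["TargetImage"]) == "lsass.exe":
            touched_lsass.add(e["ProcessGuid"])
        elif e["EventID"] == 11 and e["ProcessGuid"] in touched_lsass:
            path = e["TargetFilename"].lower()
            if path.endswith(".db") and not path.startswith(WINSAT_DIR):
                severity = "high" if basename(path) == "winsat.db" else "medium"
                hits.append((e["Image"], e["TargetFilename"], severity))
    return hits

def rule_ddr_two_step(events):
    """EID 3 to a Pastebin/Dropbox host, then EID 3 to a non-allowlisted IP from the same
    non-browser process. Returns (image, ip, is_known_c2) tuples."""
    resolved, hits = set(), []
    for e in events:
        if e["EventID"] != 3 or basename(e["Image"]) in BROWSER_BASELINE:
            continue
        if e.get("DestinationHostname", "").lower() in DDR_HOSTS:
            resolved.add(e["ProcessGuid"])
        elif e["ProcessGuid"] in resolved:
            ip = ip_address(e["DestinationIp"])
            if not any(ip in net for net in ALLOWLIST):
                hits.append((e["Image"], str(ip), str(ip) in KNOWN_C2))
    return hits

def rule_swprv32_drop(events):
    """EID 11 creating swprv32.sys under System32 by a non-installer process; escalated to
    'high' if any EID 13 write under the Services key in the same window points at it."""
    drops, service_registered = [], False
    for e in events:
        if (e["EventID"] == 11 and basename(e["TargetFilename"]) == "swprv32.sys"
                and "\\system32\\" in e["TargetFilename"].lower()
                and basename(e["Image"]) not in TRUSTED_INSTALLERS):
            drops.append(e["Image"])
        elif (e["EventID"] == 13 and e["TargetObject"].lower().startswith(SERVICES_KEY)
                and "swprv32.sys" in e.get("Details", "").lower()):
            service_registered = True
    return [(img, "high" if service_registered else "medium") for img in drops]

# Constructed sample stream: a Getpass-like, a DDR-like and an AppleChris-like sequence,
# each next to a benign look-alike (real WinSAT, a browser on Pastebin) that must not fire.
EVENTS = [
    {"EventID": 10, "ProcessGuid": "G1", "Image": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 11, "ProcessGuid": "G1", "Image": r"C:\Windows\Temp\svc.exe",
     "TargetFilename": r"C:\Windows\Temp\WinSAT.db"},
    {"EventID": 11, "ProcessGuid": "G2", "Image": r"C:\Windows\System32\WinSAT.exe",
     "TargetFilename": r"C:\Windows\Performance\WinSAT\WinSAT.db"},
    {"EventID": 3, "ProcessGuid": "G3", "Image": r"C:\Windows\System32\dllhost.exe",
     "DestinationHostname": "pastebin.com", "DestinationIp": "198.51.100.10"},
    {"EventID": 3, "ProcessGuid": "G3", "Image": r"C:\Windows\System32\dllhost.exe",
     "DestinationHostname": "", "DestinationIp": "154.39.142.177"},
    {"EventID": 3, "ProcessGuid": "G4", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "pastebin.com", "DestinationIp": "198.51.100.10"},
    {"EventID": 3, "ProcessGuid": "G4", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "", "DestinationIp": "198.51.100.77"},
    {"EventID": 11, "ProcessGuid": "G5", "Image": r"C:\Users\Public\setup.exe",
     "TargetFilename": r"C:\Windows\System32\swprv32.sys"},
    {"EventID": 13, "ProcessGuid": "G6", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\swprv\Parameters\ServiceDll",
     "Details": r"C:\Windows\System32\swprv32.sys"},
]

def run_all(events):
    return {"getpass": rule_lsass_then_db(events),
            "ddr": rule_ddr_two_step(events),
            "applechris": rule_swprv32_drop(events)}

if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(name, hits)
```

Each rule keys on the process that produced the first event, which is what separates Getpass from the real WinSAT binary and dllhost.exe from a browser tab on Pastebin; a SIEM implementation would add a time window and substitute the real Sysmon field names, but the correlation shape is the same.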
Trigger: PowerShell process containing a sleep timer of 21,600 seconds (or any timer exceeding 3,600 seconds) followed by the creation of a reverse shell connection. Sysmon Event ID 1 (process creation) capturing the full PowerShell command line, combined with Event ID 3 (network connection), provides the correlation chain. Obfuscated PowerShell scripts with embedded sleep values warrant automatic escalation.
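The sleep-timer trigger is harder to express than it looks, because the 21,600-second value rarely appears as a clean literal: it can be passed in seconds or milliseconds, written as an arithmetic expression, or hidden inside an -EncodedCommand blob that must be base64- and UTF-16LE-decoded before any pattern can match (the obfuscation, T1027, that the evasion section describes). The Python below is an added example, not code from the article or from Unit 42. It extracts the largest sleep value from a Sysmon EID 1 command line, decodes encoded commands first, and raises severity when the same ProcessGuid later produces an EID 3 network connection. The regexes, the 3,600-second threshold from the trigger text, and the constructed sample events are this example's own assumptions.

```python
"""Long PowerShell sleep timers followed by outbound connections (added example).

Not code from the article or from Unit 42. EVENTS is constructed Sysmon-style telemetry;
the regexes and threshold are assumptions of this example.
"""
import base64
import re

THRESHOLD_SECONDS = 3600  # the trigger text escalates anything above one hour

# Start-Sleep in seconds (with or without -s/-sec/-Seconds), in milliseconds, and
# .NET Thread.Sleep in milliseconds; each captures a literal or a product like 21600*1000.
_START_SLEEP_S = re.compile(r"Start-Sleep\s+(?:-s(?:ec(?:onds)?)?\s+)?(\d+(?:\s*\*\s*\d+)*)", re.I)
_START_SLEEP_MS = re.compile(r"Start-Sleep\s+-m(?:illiseconds|s)?\s+(\d+(?:\s*\*\s*\d+)*)", re.I)
_THREAD_SLEEP_MS = re.compile(r"::Sleep\(\s*(\d+(?:\s*\*\s*\d+)*)\s*\)", re.I)
_ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def _product(expr):
    """Evaluate the '21600*1000' style products obfuscated scripts use instead of literals."""
    value = 1
    for factor in expr.split("*"):
        value *= int(factor)
    return value

def decode_encoded_command(cmdline):
    """Return (script_text, was_encoded): expands -EncodedCommand (UTF-16LE base64) so the
    sleep pattern is matched on the real script rather than on the base64 blob."""
    m = _ENCODED.search(cmdline)
    if not m:
        return cmdline, False
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le"), True
    except ValueError:  # includes binascii.Error and UnicodeDecodeError
        return cmdline, False

def max_sleep_seconds(cmdline):
    """Largest sleep value found in a PowerShell command line, in seconds (0 if none)."""
    text, _ = decode_encoded_command(cmdline)
    seconds = [_product(x) for x in _START_SLEEP_S.findall(text)]
    seconds += [_product(x) / 1000 for x in _START_SLEEP_MS.findall(text)]
    seconds += [_product(x) / 1000 for x in _THREAD_SLEEP_MS.findall(text)]
    return max(seconds, default=0)

def detect_delayed_shells(events, threshold=THRESHOLD_SECONDS):
    """EID 1 PowerShell with a sleep above threshold -> 'medium'; 'high' when the same
    process later opens a network connection (EID 3). Keyed by ProcessGuid."""
    candidates = {}
    for e in events:
        if e["EventID"] == 1 and e["Image"].lower().endswith("powershell.exe"):
            secs = max_sleep_seconds(e["CommandLine"])
            if secs > threshold:
                _, encoded = decode_encoded_command(e["CommandLine"])
                candidates[e["ProcessGuid"]] = {"sleep_seconds": secs, "encoded": encoded,
                                                "severity": "medium"}
        elif e["EventID"] == 3 and e["ProcessGuid"] in candidates:
            candidates[e["ProcessGuid"]]["severity"] = "high"
            candidates[e["ProcessGuid"]]["destination"] = e["DestinationIp"]
    return candidates

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed encoded command: the same six-hour delay written as a .NET Thread.Sleep product.
ENCODED_SCRIPT = base64.b64encode(
    "[Threading.Thread]::Sleep(21600*1000); . $env:TEMP\\u.ps1".encode("utf-16-le")).decode()

# Constructed sample stream: one plain and one encoded six-hour sleeper, two benign runs.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "P1", "Image": PS,
     "CommandLine": r'powershell.exe -nop -w hidden -c "Start-Sleep -Seconds 21600; . C:\Windows\Temp\u.ps1"'},
    {"EventID": 3, "ProcessGuid": "P1", "DestinationIp": "154.39.142.177"},
    {"EventID": 1, "ProcessGuid": "P2", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc " + ENCODED_SCRIPT},
    {"EventID": 1, "ProcessGuid": "P3", "Image": PS,
     "CommandLine": 'powershell.exe -c "Start-Sleep -s 5; Get-Process"'},
    {"EventID": 1, "ProcessGuid": "P4", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for guid, hit in detect_delayed_shells(EVENTS).items():
        print(guid, hit)
```

Decoding before matching is the step most often missed: a rule that only inspects the raw command line sees a base64 string for P2 and nothing else, which is precisely why the trigger text calls for automatic escalation of obfuscated scripts with embedded sleep values.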
1. Do not immediately terminate the process or kill the connection. For a long-dwell intrusion of this type, the priority is preserving forensic evidence and understanding the full scope of compromise before containment. Premature termination alerts the actor and may destroy volatile memory evidence — particularly relevant for MemFun, which leaves nothing on disk. NIST SP 800-61 Rev. 3 (April 2025, the current authoritative IR standard — Rev. 2 was withdrawn) is explicit that scope determination precedes containment in active intrusions.
2. Isolate, do not remediate. Segment the affected host from the network without powering it down. Acquire a memory image immediately — MemFun's payload and any in-memory credentials exist only in RAM. This is time-critical. NIST SP 800-86 defines the correct volatile acquisition sequence: RAM before swap files, swap before network state, network state before running process list, all of it before any disk image. For MemFun specifically, the RAM image is the only forensic artifact that exists — skip it and the payload is gone permanently.
3. Audit every domain account that has authenticated from the affected host. Getpass targets all ten Windows authentication packages. Treat every account that touched this machine as potentially compromised. Force password resets and Kerberos ticket invalidation across the domain before re-enabling any connectivity. Under NIST SP 800-63B Rev. 3, confirmed or suspected credential exposure requires immediate authenticator invalidation — not a scheduled rotation. Every account that authenticated from the compromised host qualifies.
4. Trace lateral movement from the infected host — both directions. WMI-based lateral movement leaves Event ID 4688 (process creation) and WMI activity logs. Map every system the infected host communicated with. The unmanaged endpoint was a launchpad, not an island. If your log retention policy cannot reconstruct five years of activity, NIST SP 800-92 is where to start — it defines the log management infrastructure and retention requirements that make multi-year forensic reconstruction possible.
5. Check Pastebin and Dropbox access logs. If your proxy or DNS logs show connections to pastebin.com or dropbox.com from any non-browser, non-standard process, cross-reference with the timeline. DDR resolution leaves a network footprint even when the malware leaves nothing on disk.
Key Takeaways for Defenders
- Unmanaged endpoints are the entry point: CL-STA-1087 established its initial foothold on a machine without endpoint detection software. In large environments, even a 2% EDR coverage gap can represent hundreds of unmonitored assets. Any device without endpoint visibility is a potential beachhead. NIST SP 800-53 Rev. 5 control CM-8 requires a comprehensive, current system component inventory — the control whose absence created the blind spot this campaign exploited for five years.
- Traffic to legitimate cloud services is not automatically safe: Pastebin and Dropbox were used as C2 resolution channels. Blanket trust of traffic to brand-name services creates the specific gap this technique exploits. Network monitoring must evaluate behavioral correlation — process identity, connection sequencing, and timing — not just destination reputation.
- Dormancy is a detection evasion strategy, not inactivity: The attackers maintained foothold for months between active phases. Point-in-time detection sweeps will miss groups that deliberately pace their operations. The framework for building that program is NIST SP 800-137 — continuous behavioral baselines updated near-real-time, not monthly scan reports.
- The six-hour sleep timer defeats most automated analysis: Standard sandboxes run for 60 to 180 seconds. A PowerShell script designed to sleep for 21,600 seconds before doing anything will appear completely benign in automated detonation. Static analysis of script content — not just execution outcome — is required to catch this evasion.
- Watch for credential dumping artifacts even without a known malware hit: Getpass writes stolen credentials to WinSAT.db. Monitoring for unexpected instances of that filename outside its legitimate system context is a practical, low-noise detection opportunity specific to this campaign. Do not wait for malware attribution — hunt the artifact.
- Precision targeting requires precision threat modeling: This campaign specifically sought C4I files and records of joint military exercises with Western nations. Organizations that hold data attractive to nation-state intelligence collection — including defense contractors, government agencies, and regional military partners — need threat models that explicitly account for patient, targeted actors operating on multi-year timelines. Organizations handling Controlled Unclassified Information — including defense contractors and government partners — have a specific baseline obligation: NIST SP 800-171 Rev. 3 defines the security requirements specifically designed to protect the categories of military and government data this campaign targeted.
The exposure of CL-STA-1087 closes one chapter, but campaigns of this type are rarely singular. The infrastructure traced back to 2020. The tools were still functional and in active use when Unit 42 found them. The Dropbox account was still being updated with fresh infrastructure files during the investigation. The question for affected organizations and regional peers is not whether this specific cluster will reappear under the same designation — it is whether the next campaign, operating under a different cluster ID with a different toolset, is already sitting undetected inside a network that has not yet deployed the sensor that would find it.
Hardening Solutions: Beyond the Generic
The standard advice — patch, deploy EDR, segment your network — is accurate but not sufficient against an actor that operated successfully inside military networks for five years using zero zero-days. The specific techniques CL-STA-1087 deployed have specific countermeasures. What follows are the controls that address the actual attack surface, at the implementation level most threat reports skip entirely.
Neutralizing Getpass: Controls That Break Credential Harvesting at the Source
Getpass succeeds because it can acquire SeDebugPrivilege and access lsass.exe memory. Four Windows controls, none requiring third-party tooling, dismantle this attack path independently and in combination.
LSASS Protected Process Light (PPL). Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 and reboot. This forces lsass.exe to run as a Protected Process, which means even a process with SeDebugPrivilege cannot open a handle to it with the access rights required for memory reading. Getpass, standard Mimikatz, and every derivative that targets lsass.exe will fail with ERROR_ACCESS_DENIED. The attacker can only bypass PPL by loading a kernel-mode driver — requiring either a signed driver (difficult to obtain covertly) or an exploit. The technique of bringing a vulnerable signed driver to abuse kernel access is documented in detail in BYOVD: The Windows Kernel Internals That Let Attackers Kill Your EDR. This is not a configuration most organizations have enabled, and it is not mentioned in most CL-STA-1087 coverage. Verify current state: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL.
Disable WDigest plaintext credential caching. Getpass targets the WDigest authentication package because it stores credentials in plaintext in lsass.exe memory when enabled. Set HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0. On Windows 8.1 and Server 2012 R2 and later this is the default — but legacy Group Policy or backward-compatibility requirements may have re-enabled it. Audit with: reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential. A value of 1 means WDigest is active and plaintext passwords are harvestable.
Windows Defender Credential Guard. Credential Guard uses Virtualization-Based Security (VBS) to isolate the credential store in a separate hypervisor-protected environment — a Trustlet running in Virtual Secure Mode (VSM). NTLM hashes and Kerberos tickets are held in a context that the normal OS kernel cannot access. Getpass cannot reach what is not in reachable memory. Pass-the-hash (T1550.002) becomes non-viable against Credential Guard-protected accounts because harvestable NTLM hashes no longer exist in accessible memory. Enable via Group Policy: Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security. Requires Secure Boot, UEFI, and a 64-bit processor with virtualization extensions — standard on hardware manufactured after 2015.
Protected Users security group. Place all privileged accounts — domain admins, service accounts with elevated rights, executive-level users — in the Protected Users global security group. Membership automatically enforces: no NTLM authentication (Kerberos only), no WDigest credential caching, no CredSSP delegation, no NTLMv1 or NTLMv2 hashes stored, and Kerberos TGT lifetime reduced to four hours. This specifically prevents T1550.002 (pass-the-hash) against protected accounts even if Getpass successfully harvests hashes from non-protected accounts on the same domain — because those hashes cannot authenticate as Protected Users members.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL — should return 0x1
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential — should return 0x0
reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity — should return 0x1
Run these on every domain-joined system. A single host with PPL disabled and WDigest enabled is a Getpass-ready credential store.
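The three verification commands above evaluated programmatically, as an added example that is neither the article's nor any vendor's code: it parses `reg query` output, compares each value with its expected state, and applies the Getpass-ready condition (PPL not enforced and WDigest active). SAMPLE_OUTPUT is constructed output from a hypothetical misconfigured host; query_live runs the real commands when executed on a Windows host.

```python
"""Check the three Getpass-relevant registry values above by parsing
`reg query` output. Added example, not from the article or any vendor;
SAMPLE_OUTPUT is constructed."""
import re
import subprocess

# (registry key, value name, expected DWORD), exactly as listed above
EXPECTED = [
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "RunAsPPL", 1),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "UseLogonCredential", 0),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard",
     "EnableVirtualizationBasedSecurity", 1),
]
# reg query prints "    Name    REG_DWORD    0x1" for a DWORD value
DWORD_RE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in reg query output.
    An error message (value absent) yields an empty dict."""
    found = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2), 16)
    return found


def query_live(key, name):
    """Run reg query on a Windows host; returns stdout, or stderr on failure."""
    p = subprocess.run(["reg", "query", key, "/v", name],
                       capture_output=True, text=True)
    return p.stdout if p.returncode == 0 else p.stderr


def evaluate(outputs):
    """outputs: {value_name: reg query text}. An absent value is reported as
    observed=None and fails the check, so the host is verified by hand
    rather than assumed to be at the OS default."""
    results = []
    for key, name, expected in EXPECTED:
        observed = parse_reg_query(outputs.get(name, "")).get(name)
        results.append({"key": key, "name": name, "expected": expected,
                        "observed": observed, "ok": observed == expected})
    return results


def getpass_ready(results):
    """The condition called out above: PPL not enforced and WDigest active."""
    by_name = {r["name"]: r for r in results}
    return (not by_name["RunAsPPL"]["ok"]
            and by_name["UseLogonCredential"]["observed"] == 1)


# Constructed output for a hypothetical misconfigured host: no RunAsPPL value,
# WDigest re-enabled by legacy policy, VBS value present but set to 0.
SAMPLE_OUTPUT = {
    "RunAsPPL": "ERROR: The system was unable to find the specified "
                "registry key or value.\r\n",
    "UseLogonCredential": "\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet"
                          "\\Control\\SecurityProviders\\WDigest\r\n"
                          "    UseLogonCredential    REG_DWORD    0x1\r\n\r\n",
    "EnableVirtualizationBasedSecurity":
        "\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\r\n"
        "    EnableVirtualizationBasedSecurity    REG_DWORD    0x0\r\n\r\n",
}

if __name__ == "__main__":
    # On a Windows host, replace SAMPLE_OUTPUT with
    # {name: query_live(key, name) for key, name, _ in EXPECTED}
    res = evaluate(SAMPLE_OUTPUT)
    for r in res:
        state = "OK " if r["ok"] else "BAD"
        print(f"{state} {r['name']}={r['observed']} (expected {r['expected']})")
    print("Getpass-ready credential store" if getpass_ready(res) else "Getpass path closed")
```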
Blocking AppleChris Persistence: DLL Hijacking Countermeasures
AppleChris achieves persistence by placing swprv32.sys in System32 and registering it under the shadow copy service (T1574.001, T1543.003). The attack exploits two separate weaknesses: permissive write access to System32, and the ability to register arbitrary service DLLs.
System32 write ACL audit. No regular user process or service account should have write access to %SystemRoot%\System32\. Audit the current ACL: icacls %SystemRoot%\System32. If any non-TrustedInstaller, non-SYSTEM, non-Administrators principal has write or modify permissions, that is a misconfiguration enabling this class of persistence. The creation of new files in System32 by non-system processes should generate a Sysmon Event ID 11 (FileCreate) alert as a standing detection rule.
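The System32 ACL audit above applied to icacls output, as an added example that is not from the article or any tool: it parses each ACE line and reports any principal outside TrustedInstaller, SYSTEM and Administrators (plus the inherit-only CREATOR OWNER entry that is standard on System32) holding a write-capable right. The sample output, including the CONTOSO\svc-backup entry that represents the misconfiguration, is constructed.

```python
"""Audit icacls output for %SystemRoot%\\System32 against the rule above: only
TrustedInstaller, SYSTEM and Administrators may hold write or modify rights.
Added example, not from the article; SAMPLE_ICACLS is constructed."""
import re

EXPECTED_WRITERS = {"nt service\\trustedinstaller", "nt authority\\system",
                    "builtin\\administrators",
                    "creator owner"}   # inherit-only (F) on System32 is standard
# icacls simple and specific rights that allow creating or changing files
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD"}
# "<path> <principal>:(flags)(rights)" on the first line, principal-only after;
# the optional path group assumes a path without spaces, true for System32.
ACE_RE = re.compile(r"^(?:[A-Za-z]:\\\S*\s+)?(?P<principal>[^:\r\n]+?):"
                    r"(?P<ace>(?:\([^)]*\))+)\s*$")


def parse_icacls(text):
    """Return [(principal, [tokens])] for every ACE line, e.g.
    ('BUILTIN\\Users', ['OI', 'CI', 'IO', 'GR', 'GE']). Summary lines are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", m.group("ace"))
                  for t in grp.split(",")]
        aces.append((m.group("principal").strip(), tokens))
    return aces


def unexpected_writers(text):
    """Principals outside EXPECTED_WRITERS granted a write-capable right.
    Deny ACEs are skipped: they remove rights rather than grant them."""
    findings = []
    for principal, tokens in parse_icacls(text):
        if "DENY" in tokens or principal.lower() in EXPECTED_WRITERS:
            continue
        granted = sorted(WRITE_RIGHTS & set(tokens))
        if granted:
            findings.append((principal, granted))
    return findings


# Constructed output of `icacls %SystemRoot%\System32`; the CONTOSO\svc-backup
# line is the hypothetical misconfiguration the audit should catch.
SAMPLE_ICACLS = r"""C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                    NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                    NT AUTHORITY\SYSTEM:(M)
                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                    BUILTIN\Administrators:(M)
                    BUILTIN\Administrators:(OI)(CI)(IO)(F)
                    BUILTIN\Users:(RX)
                    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                    CREATOR OWNER:(OI)(CI)(IO)(F)
                    CONTOSO\svc-backup:(OI)(CI)(M)
                    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for principal, rights in unexpected_writers(SAMPLE_ICACLS):
        print(f"MISCONFIGURATION: {principal} holds {','.join(rights)} on System32")
```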
Windows Defender Application Control (WDAC) service registration policy. WDAC policy can restrict which binaries are permitted to run as Windows services. A policy requiring services to be signed by a trusted certificate authority prevents this class of persistence outright — an unsigned swprv32.sys is blocked at service registration regardless of filesystem ACL state. This also covers the lateral movement stage: if AppleChris cannot register a service, it cannot establish the persistence mechanism that survived reboots for years.
SafeDllSearchMode verification. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 1 is the default on modern Windows but verify it has not been disabled. SafeDllSearchMode changes the DLL resolution order to check System32 before the current working directory, which prevents DLL planting attacks that require a writable directory to precede the System32 path in the search order.
Stopping MemFun: In-Memory Execution Controls
MemFun operates through process hollowing into dllhost.exe (T1055.012) and reflective DLL loading (T1620). Both require capabilities that Windows security features can restrict without any third-party tooling.
Attack Surface Reduction (ASR) rules for lsass.exe access and WMI-spawned processes. Microsoft Defender ASR rule GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0 (Block credential stealing from the Windows local security authority subsystem) blocks lsass.exe memory access by processes not in a trusted list — a direct counter to Getpass. Rule GUID d1e49aac-8f56-4280-b9ba-993a6d77406c (Block process creations originating from PSExec and WMI commands) directly targets the WMI-based lateral movement (T1047) CL-STA-1087 used to spread AppleChris. These rules deploy via Group Policy and Intune without requiring a full WDAC policy and without the operational overhead of a complete application allowlist.
Restrict dllhost.exe network connectivity via Windows Firewall. dllhost.exe is a COM surrogate. It should never initiate outbound network connections to arbitrary external IPs. A Windows Firewall outbound rule blocking %SystemRoot%\System32\dllhost.exe connections to any destination outside explicitly permitted Microsoft IP ranges prevents MemFun from reaching its C2 server even if process hollowing succeeds. Legitimate COM surrogates do not make arbitrary outbound connections. The operational impact of this rule is negligible; the detection impact is immediate.
Enable the Microsoft-Windows-WMI-Activity/Operational event log. WMI lateral movement (T1047) leaves a specific trace: Event ID 5857 (provider loaded), Event ID 5860 (temporary subscription), Event ID 5861 (permanent subscription). This log is disabled by default on most Windows installations. Enabling it and forwarding to your SIEM is a zero-cost, high-fidelity detection source for WMI-based execution. Most environments have never activated it. The command to enable: wevtutil sl Microsoft-Windows-WMI-Activity/Operational /e:true. Deploy via Group Policy logon script across all endpoints and servers.
PowerShell Constrained Language Mode and AMSI enforcement. PowerShell Constrained Language Mode (CLM) prevents the reflection and .NET method invocation that obfuscated loaders rely on. AMSI (Antimalware Scan Interface) forces deobfuscation at the point of execution, catching scripts that look benign in static analysis. The six-hour sleep timer in CL-STA-1087's PowerShell scripts would still be caught by AMSI because the script content is inspected before execution, not after. Enforce CLM via Group Policy: Computer Configuration → Windows Settings → Security Settings → Application Control Policies. Without CLM, a PowerShell script can invoke arbitrary .NET assemblies in memory — the same capability MemFun uses.
Defeating the DDR Architecture: Process-Level Egress Inspection
The dead drop resolver technique survives because most organizations cannot distinguish between a browser loading a Pastebin page and malware doing the same. The architectural answer is enforced egress inspection at the process level, not the destination level.
Authenticated proxy enforcement with process identity correlation. Deploy an explicit HTTP/HTTPS proxy requiring Kerberos or NTLM authentication. Configure Windows Filtering Platform (WFP) rules via Windows Firewall to block all outbound port 80 and 443 traffic except to the proxy address. The result: any process that cannot authenticate to the proxy cannot reach the internet. AppleChris and MemFun do not authenticate to proxies. If proxy logs show a Pastebin request from a process that is not a browser or recognized update agent, that is an automatic escalation trigger. This does not require blocking Pastebin globally — it requires knowing which process is connecting to it.
DNS-layer monitoring for the DDR resolution sequence. The DNS query to pastebin.com or dropbox.com is a leading indicator — it occurs before the C2 connection. Monitor for DNS queries to these domains from hosts where no browser or recognized application has recently made legitimate queries. A server querying pastebin.com via a non-browser process, with no history of legitimate Pastebin access, is anomalous regardless of what the query returns. Flag it before the second connection ever occurs.
Tiered Administration: Closing the Lateral Movement Path
CL-STA-1087 spread from an unmanaged workstation to domain controllers, executive-level assets, and web servers. This breadth is only possible when credentials used on lower-trust systems can authenticate against higher-trust systems — the condition that Microsoft's Enterprise Access Model (formerly ESAE / Red Forest) is specifically designed to prevent.
The core principle: Tier 0 assets (domain controllers, Azure AD Connect, PKI, ADFS) must never be administered using credentials that have touched a Tier 1 (server) or Tier 2 (workstation) system. If a domain admin account logs into a workstation to read email, and that workstation is later compromised by Getpass, the domain admin credential is harvestable and the entire Tier 0 is exposed. The solution is dedicated Privileged Access Workstations (PAWs) per tier, separate admin accounts per tier with no password reuse or delegated logon rights across tiers, and the Protected Users security group applied universally to all Tier 0 accounts.
WMI and PSExec lateral movement stops at the tier boundary because no credential with Tier 0 rights has ever authenticated from a Tier 1 or Tier 2 system where it could be harvested. The CL-STA-1087 WMI lateral movement chain that reached domain controllers required credential material that had been used across tiers. A properly implemented tiered model makes that chain non-viable — not because WMI is blocked, but because the credentials required to reach Tier 0 systems are never present in memory on lower-tier hosts.
Frequently Asked Questions
What is CL-STA-1087?
CL-STA-1087 is a China-nexus espionage cluster designated by Palo Alto Networks Unit 42. CL means cluster — a pre-attribution designation. STA indicates the activity is assessed as state-sponsored. The group targeted military organizations in Southeast Asia from at least 2020 through 2025, focusing on C4I systems, command hierarchies, and records of joint military operations with Western armed forces.
What is the AppleChris malware?
AppleChris is a custom backdoor named after its mutex string 0XFEXYCDAPPLE05CHRIS. It persists via DLL hijacking through a file named swprv32.sys placed in System32 and registered under a legitimate Windows shadow copy service. Two variants exist: a Dropbox variant using dual dead drop resolvers and the more recent Tunneler variant consolidating to Pastebin with added proxy tunneling. Its capabilities include remote shell execution, file operations, process enumeration, and silent process creation — communicated using custom HTTP verbs.
What is the MemFun backdoor and how does it avoid detection?
MemFun is a modular, in-memory backdoor deployed via a multi-stage chain. Its loader, disguised as GoogleUpdate.exe, runs anti-forensic checks and timestomps its own files to match the Windows System directory creation date. It then uses process hollowing to inject shellcode into a suspended dllhost.exe process, retrieves a final DLL payload from the C2 server at runtime, and operates entirely in memory. Session-specific Blowfish encryption keys protect each C2 exchange. Because no payload is written to disk, file-based detection cannot find it.
What does Getpass do and how is it detected?
Getpass is a custom derivative of Mimikatz executed through AppleChris. Its vncpass function acquires SeDebugPrivilege and targets ten Windows authentication packages including MSV, WDigest, Kerberos, and CloudAP. It extracts plaintext passwords, NTLM hashes, and authentication tokens from lsass.exe memory and writes them to a file named WinSAT.db. Detection: monitor Sysmon Event ID 10 (process access to lsass.exe) where the calling process subsequently writes a .db file, and alert on WinSAT.db appearing outside %SystemRoot%\Performance\WinSAT\.
How does the CL-STA-1087 dead drop resolver technique work?
Both AppleChris and MemFun retrieve their C2 server address from Pastebin rather than hardcoding it. The malware fetches the Pastebin page, Base64-decodes the content, and decrypts the embedded C2 IP address using a private key stored inside the malware binary. Even if a defender finds the Pastebin account, the actual server address remains protected without the decryption key. Some AppleChris Dropbox variants used a dual-resolver approach, with Dropbox as primary and Pastebin as fallback.
What are the confirmed IOCs for CL-STA-1087?
Mutex 0XFEXYCDAPPLE05CHRIS in memory. File WinSAT.db outside %SystemRoot%\Performance\WinSAT\. File swprv32.sys in System32 created by a non-system process. GoogleUpdate.exe running from any non-Google directory. C2 IPs: 154.39.142[.]177, 154.39.137[.]203, 8.212.169[.]27, 109.248.24[.]177, 8.220.135[.]151, 8.220.177[.]252, 8.220.184[.]177, 116.63.177[.]49, 118.194.238[.]51. SHA256 Tunneler hashes: 9e44a460196cc92fa6c6c8a12d74fb73a55955045733719e3966a7b8ced6c500 and 5a6ba08efcef32f5f38df544c319b1983adc35f3db64f77fa5b51b44d0e5052c.
Why do researchers attribute CL-STA-1087 to China?
Unit 42 assigns moderate-confidence China attribution based on three converging indicators: operational activity consistently aligned with UTC+8 business hours; Simplified Chinese text on a C2 server login page; and infrastructure hosted on Chinese cloud networks. The targeting of C4I systems and intelligence on joint military exercises with Western forces aligns with Chinese state intelligence priorities. Attribution is moderate rather than high because the toolset shows no overlap with any previously named Chinese APT group.
What MITRE ATT&CK techniques did CL-STA-1087 use?
CL-STA-1087 used T1059.001 (PowerShell reverse shell), T1027 (obfuscated scripts), T1497.003 (time-based sandbox evasion — 21,600s sleep, 30s EXE, 120s DLL timers), T1543.003 (Windows service creation), T1574.001 (DLL hijacking via swprv32.sys), T1036.005 (masquerading — GoogleUpdate.exe, WinSAT.db, Palo Alto impersonation), T1047 (WMI lateral movement), T1102.001 (dead drop resolver via Pastebin and Dropbox), T1071.001 (custom HTTP verbs for C2), T1090 (proxy tunneling), T1070.006 (timestomping), T1055.012 (process hollowing into dllhost.exe), T1620 (reflective code loading), T1003.001 (LSASS memory dumping via Getpass), T1550.002 (pass-the-hash), T1550.003 (pass-the-ticket), and T1074.001 (local data staging via WinSAT.db).
Why is Southeast Asia the target of this espionage campaign?
Southeast Asia sits at the center of China's active territorial disputes in the South China Sea, where its claims overlap with those of the Philippines, Vietnam, Malaysia, and Brunei. For a state actor, knowing the C4I systems, command hierarchies, and Western partnership arrangements of regional militaries is directly actionable intelligence. Targeting joint exercise records reveals interoperability with partners like the United States and Australia — information that informs how a regional coalition would respond to escalation. Persistent long-term access is more valuable than a single bulk exfiltration because military structures and exercise schedules evolve continuously over time.
Is CL-STA-1087 still active after the March 2026 disclosure?
No formal infrastructure takedown or law enforcement action has been announced as of this article. The actors were actively updating their Dropbox DDR account during the investigation, indicating they were unaware of discovery until publication. The specific infrastructure — C2 IPs, Pastebin and Dropbox accounts — would be expected to rotate quickly after disclosure. However, AppleChris, MemFun, and Getpass represent significant development investment and are likely to resurface in future campaigns under revised signatures. The broader collection program targeting Southeast Asian militaries has not been disrupted.
What should you do if you find CL-STA-1087 IOCs on your network?
Do not immediately kill the process — preserve volatile memory first. MemFun operates entirely in memory, so a memory image must be acquired before any power cycle. Isolate the affected host from the network without powering it down. Audit every domain account that authenticated from the affected host and force password resets and Kerberos ticket invalidation across the domain. Trace WMI lateral movement in both directions using Event ID 4688 logs. Check proxy and DNS logs for Pastebin and Dropbox connections from non-browser processes — DDR resolution leaves a network footprint even when no disk artifacts exist.
- Palo Alto Networks Unit 42 — "Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia," March 12, 2026
- Dark Reading — "China-Nexus Hackers Skulk in Southeast Asian Military Orgs for Years," March 2026
- SecurityWeek — "China-Linked Hackers Hit Asian Militaries in Patient Espionage Operation," March 2026
- The Hacker News — "Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware," March 2026
- The Record — "China-linked Billbug hackers breached multiple entities in Southeast Asian country," April 2025
- The Hacker News — "Researchers Uncover Espionage Tactics of China-Based APT Groups in Southeast Asia," December 2024
- SentinelOne Labs — "Follow the Smoke: China-nexus Threat Actors Hammer At the Doors of Top Tier Targets," June 2025
- Security Affairs — "CL-STA-1087 targets military capabilities since 2020," March 2026
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-61 Rev. 3 — Incident Response Recommendations and Considerations for Cybersecurity Risk Management (April 2025)
- NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response
- NIST SP 800-92 — Guide to Computer Security Log Management
- NIST SP 800-137 — Information Security Continuous Monitoring
- NIST SP 800-171 Rev. 3 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (May 2024)
- NIST SP 800-207 — Zero Trust Architecture
- NIST SP 800-131A Rev. 2 — Transitioning the Use of Cryptographic Algorithms and Key Lengths
- NIST SP 800-63B Rev. 3 — Digital Identity Guidelines: Authentication and Lifecycle Management