A cyber-espionage campaign targeting military organizations across Southeast Asia has been uncovered, revealing a quiet but highly focused operation aiming at gathering sensitive defense intelligence.
In their analysis, Lior Rochberger and Yoav Zemah said the activity shows clear signs of patience and precision rather than large-scale data theft.
“The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection,” Rochberger and Zemah noted, adding that the attackers actively searched for files related to military capabilities, organizational structures, and collaboration with Western armed forces.
To carry out the attack, the hackers used two custom backdoor tools called AppleChris and MemFun, along with a password-stealing program named Getpass. Getpass is based on Mimikatz, a well-known hacking utility used to pull login credentials from compromised systems.
With these tools, the attackers could steal login details, move from one system to another inside the network, and stay hidden in the environment for a long time while quietly gathering sensitive information.
The intrusion came to light after unusual PowerShell activity was noticed on affected systems. In one case, a script stayed inactive for six hours before waking up and opening a reverse connection to the attackers’ command-and-control (C2) server, allowing them to communicate with the compromised machine.
The initial access vector remains unknown, but the malware’s execution chain shows a carefully staged infection process.
The MemFun backdoor operates in multiple steps. It starts with a small loader that drops shellcode onto the system. That shellcode launches a downloader running directly in memory, which retrieves command-and-control details from Pastebin. The downloader then connects to the C2 server and downloads a DLL payload that ultimately launches the backdoor on the infected machine.
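Two behaviours described above lend themselves to detection from PowerShell script-block logs: a script that sleeps for hours before opening a reverse TCP connection, and an in-memory downloader that fetches its C2 details from Pastebin. The following is an added example written for this article, not code from the researchers or the malware; the log records, the host names, the one-hour sleep threshold and the regex patterns are all constructed assumptions for illustration.

```python
import re

LONG_SLEEP_SECONDS = 3600  # assumed threshold; the article's script slept for six hours

# Constructed sample records, loosely shaped like PowerShell script-block log entries.
# They are illustrative only and are not data taken from the article.
SAMPLE_EVENTS = [
    {"host": "WS01", "script": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"host": "WS02", "script": "Start-Sleep -Seconds 21600; "
                               "$c = New-Object System.Net.Sockets.TcpClient('203.0.113.5', 443)"},
    {"host": "WS03", "script": "$cfg = (New-Object Net.WebClient).DownloadString("
                               "'https://pastebin.com/raw/PLACEHOLDER')"},
    {"host": "WS04", "script": "Start-Sleep -Seconds 5; Write-Host 'done'"},
]

# Heuristic patterns (assumptions for this example, not vendor signatures).
SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.IGNORECASE)
MS_SLEEP_RE = re.compile(r"Start-Sleep\s+-m(?:illiseconds)?\s+(\d+)", re.IGNORECASE)
TCP_CLIENT_RE = re.compile(r"Net\.Sockets\.TcpClient", re.IGNORECASE)
PASTEBIN_RE = re.compile(r"pastebin\.com", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b",
    re.IGNORECASE,
)


def sleep_seconds(script):
    """Return the longest Start-Sleep delay found in a script block, in seconds."""
    secs = [int(m) for m in SLEEP_RE.findall(script)]
    secs += [int(m) / 1000 for m in MS_SLEEP_RE.findall(script)]
    return max(secs, default=0)


def classify(script):
    """Return the names of the rules a single script block triggers."""
    findings = []
    # Long dormancy followed by an outbound socket: the reverse-connection pattern.
    if sleep_seconds(script) >= LONG_SLEEP_SECONDS and TCP_CLIENT_RE.search(script):
        findings.append("long_sleep_then_tcp_client")
    # PowerShell pulling content from Pastebin: the C2-details retrieval step.
    if PASTEBIN_RE.search(script) and DOWNLOAD_RE.search(script):
        findings.append("pastebin_fetch_from_powershell")
    return findings


def analyze(events):
    """Map host -> list of triggered rule names for every event that fires a rule."""
    hits = {}
    for ev in events:
        findings = classify(ev["script"])
        if findings:
            hits.setdefault(ev["host"], []).extend(findings)
    return hits


if __name__ == "__main__":
    for host, rules in analyze(SAMPLE_EVENTS).items():
        print(host, rules)
```

In production these rules would run against real Event ID 4104 script-block logs and be tuned against legitimate automation that also uses long sleeps.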
This campaign shows how cyber-espionage usually plays out: attackers stay quiet, stick around for a long time, and collect very specific intelligence.
In simple words, this wasn’t a flashy cyberattack; it was a slow, behind-the-scenes operation inside military networks.