AppleChris, MemFun, and Getpass malware activity with persistent C2 and credential theft
Malware Activity
Summary
The intrusion used AppleChris, MemFun, and Getpass to keep access on compromised Windows endpoints and steal credentials. The backdoors supported persistence, C2 access, and remote shell execution, while Getpass targeted plaintext passwords and NTLM hashes from lsass.exe memory. The tooling also relied on DLL hijacking, process hollowing, and delayed execution to evade detection.
Related Happenings
BlackSanta EDR killer malware activity targeting HR departments
Malware Activity
First: 11.03.2026 00:57
Last: 11.03.2026 00:57
Sources: 1
About this happening:
The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...
AshTag modular .NET backdoor deployment via sideloading
Malware Activity
First: 11.12.2025 13:00
Last: 11.12.2025 13:00
Sources: 1
About this happening:
The **AshTag** backdoor was deployed through **DLL sideloading** and **in-memory execution**, enabling **persistence** and **remote command execution** in targeted environments. I...
CDrivers macOS malware chain with LaunchAgent persistence and credential theft
Malware Activity
First: 25.11.2025 15:45
Last: 25.11.2025 15:45
Sources: 1
About this happening:
A **macOS malware chain** centered on **CDrivers** now combines staged scripts, a **LaunchAgent** persistence mechanism, and a **Chrome-style password window** to steal credential...
Airstalk malware abusing AirWatch MDM APIs for covert C2
Malware Activity
First: 31.10.2025 18:08
Last: 31.10.2025 18:08
Sources: 1
About this happening:
The **Airstalk** malware activity linked to **CL-STA-1009** is abusing **AirWatch/Workspace ONE MDM APIs** for covert **command-and-control** and data theft, increasing stealth ri...
Timeline
- 13.03.2026 19:33 · 2 articles · 2mo ago
CL-STA-1087 uses AppleChris, MemFun, and Getpass against Southeast Asian military organizations
Technical Analysis Update: Palo Alto Networks Unit 42 tracks CL-STA-1087 as a suspected China-based cyber espionage campaign against Southeast Asian military organizations that has operated since at least 2020. The activity uses the AppleChris and MemFun backdoors plus the Getpass credential harvester to maintain persistence, resolve command-and-control through Pastebin and Dropbox dead drops, execute DLL hijacking and process hollowing, and extract plaintext passwords, NTLM hashes, and authentication data from lsass.exe memory, while evading detection with delayed execution and sandbox checks.
Sources:
- Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware — thehackernews.com — 13.03.2026 19:33