Two state-sponsored espionage campaigns dropped in the same week. They couldn’t look more different. And that’s the whole point.

One is a Chinese operation that’s been lurking inside Southeast Asian military networks since 2020. Six years of custom backdoors, credential theft, and patient lateral movement through classified systems. The other is Russian hackers sending fake Signal support messages to trick diplomats into handing over their verification codes.

Custom malware vs. social engineering. Enterprise networks vs. a chat app. But both are working just fine.

The Chinese Operation: Six Years and Counting

Palo Alto’s Unit 42 tracked a group called CL-STA-1087 that built two previously unknown backdoors, AppleChris and MemFun, plus a credential harvester disguised as a legitimate Palo Alto tool. That’s some audacity right there.

AppleChris pulls its command-and-control addresses from encrypted Pastebin posts. Without the private key baked into the malware, you can’t even figure out where it’s calling home. The attackers went after domain controllers, IT workstations, and executive systems. They grabbed meeting records, material on joint military exercises, and C4I documentation.

The target list reads like an intelligence briefing on South China Sea tensions.
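The Pastebin dead-drop trick is worth a closer look from the defender’s side. The post contents may be encrypted, but the fetch itself has to cross your web proxy, and a backdoor polling a raw paste URL looks nothing like a person browsing Pastebin. The script below is an added example written for this post, not code from Unit 42 or from the AppleChris sample: it parses a constructed, hypothetical proxy log format (timestamp, source IP, method, URL, status, quoted user-agent) and flags two things, raw-paste fetches from non-browser clients and hosts that poll paste URLs on a near-constant interval. The sample lines, IP addresses, paste IDs and user-agent strings are all made up; the heuristics are assumptions about what beaconing looks like, not indicators from the report.

```python
"""Flag likely dead-drop-resolver traffic in web proxy logs.

Malware that fetches its C2 address from a paste site cannot hide the
fetch from a forward proxy, even if the paste body is encrypted.
Two hunting leads are computed here:
  1. raw paste URLs requested by a client that is not a browser
  2. hosts that poll paste URLs at a regular cadence (beaconing)
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample log (hypothetical format, not a real proxy export):
# "<iso-timestamp> <src-ip> <method> <url> <status> \"<user-agent>\""
SAMPLE_LOG = """\
2026-03-02T08:00:01Z 10.20.5.17 GET https://pastebin.com/raw/AbCdEf12 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2026-03-02T08:00:05Z 10.20.5.44 GET https://pastebin.com/raw/Qq9x7Lm0 200 "Microsoft-CryptoAPI/10.0"
2026-03-02T08:15:05Z 10.20.5.44 GET https://pastebin.com/raw/Qq9x7Lm0 200 "Microsoft-CryptoAPI/10.0"
2026-03-02T08:30:06Z 10.20.5.44 GET https://pastebin.com/raw/Qq9x7Lm0 200 "Microsoft-CryptoAPI/10.0"
2026-03-02T08:45:04Z 10.20.5.44 GET https://pastebin.com/raw/Qq9x7Lm0 200 "Microsoft-CryptoAPI/10.0"
2026-03-02T08:01:10Z 10.20.5.17 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2026-03-02T09:02:33Z 10.20.5.91 GET https://pastebin.com/raw/ZzTop001 200 "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# Raw paste endpoint; extend the alternation for other paste sites you see.
PASTE_RE = re.compile(r'^https?://(?:www\.)?pastebin\.com/raw/', re.I)
# Crude browser test: real browsers send a Mozilla/ prefixed UA.
BROWSER_RE = re.compile(r'^Mozilla/')


def parse(log_text):
    """Turn log lines into dicts; silently skips lines that do not match."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, url, _status, ua = m.groups()
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "url": url,
            "ua": ua,
        })
    return rows


def non_browser_paste_fetches(rows):
    """Source IPs whose raw-paste fetch did not come from a browser UA."""
    return sorted({
        r["src"] for r in rows
        if PASTE_RE.match(r["url"]) and not BROWSER_RE.match(r["ua"])
    })


def periodic_paste_polling(rows, min_hits=3, jitter_s=60):
    """Source IPs that hit paste URLs at least min_hits times with a
    near-constant gap (spread of gaps <= jitter_s). Returns {src: mean_gap_s}."""
    by_src = defaultdict(list)
    for r in rows:
        if PASTE_RE.match(r["url"]):
            by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            flagged[src] = round(sum(gaps) / len(gaps))
    return flagged


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("non-browser paste fetches:", non_browser_paste_fetches(rows))
    print("periodic paste polling:", periodic_paste_polling(rows))
```

Treat both lists as hunting leads, not verdicts: developers and analysts fetch raw pastes with curl and scripts all the time, so the hit from a single workstation with a scripting UA needs a look at the process that made the request, while a host polling the same paste every fifteen minutes from a system-library user-agent is the pattern you would expect from a resolver baked into a backdoor.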

The Russian Play: Just Ask for the PIN

Dutch intelligence agencies warned about a “large-scale global” campaign targeting Signal and WhatsApp users. Government officials, military personnel, diplomats, journalists.

The attack is embarrassingly simple. Hackers impersonate Signal’s support team. They message targets about “suspicious activity.” Then they ask for the SMS verification code and PIN. With both, they take over the account. There’s also a QR code version that silently links the attacker’s device to your account.

No malware. No exploits. Just someone pretending to be tech support.

Why the Difference Matters

If you’re running a defense ministry in Southeast Asia, you need endpoint detection and lateral movement monitoring. Checking your Signal settings won’t help. If you’re a journalist covering Russian military operations, you need to spot fake support messages and audit your linked devices. Enterprise intrusion detection won’t help.

State espionage in 2026 isn’t one threat. It’s a whole spectrum. Your exposure depends entirely on who you are and which intelligence service cares about what you know.

Quick things to check: go to Signal Settings, then Linked Devices. If anything’s there you don’t recognize, remove it. And remember, Signal never provides support through the app. Anyone messaging you claiming otherwise is lying.

Read the full story: https://gnerdsec.com/blog/chinese-apt-asean-russian-signal-state-espionage-march-2026/