China-Linked APT Targets Southeast Asian Military Since 2020

Palo Alto Networks Unit 42 exposes CL-STA-1087, a China-based cyber espionage group targeting Southeast Asian military organizations since 2020.

Emanuel DE ALMEIDA
13 Mar 2026, 18:33

Last updated 16 Mar 2026, 01:34

SEVERITY: High
EXPLOIT: Active Exploit
PATCH STATUS: Unavailable
VENDOR: Palo Alto Networks
AFFECTED: Southeast Asian military netwo...
CATEGORY: Cyber Attacks

Palo Alto Networks Uncovers CL-STA-1087 Espionage Campaign

Palo Alto Networks Unit 42 researchers disclosed on March 13, 2026, the discovery of a sophisticated cyber espionage operation targeting military organizations across Southeast Asia. The threat group, designated CL-STA-1087, has maintained persistent access to victim networks since at least 2020. Unit 42 analysts attribute the campaign to China-based threat actors based on operational patterns and strategic objectives.

The designation follows Unit 42's naming convention where CL indicates a threat cluster and STA denotes state-backed motivation. Researchers identified the group through analysis of attack infrastructure, malware families, and targeting patterns that align with Chinese strategic interests in the region.

Southeast Asian Military Networks Under Siege

The campaign specifically targets military organizations throughout Southeast Asia, though Unit 42 hasn't disclosed the exact number of affected countries or organizations. The threat actors demonstrated what researchers call "strategic operational patience," suggesting a long-term intelligence collection mission rather than opportunistic attacks.

Military networks in the region face heightened risk as CL-STA-1087 continues active operations. The group's focus on defense-related targets indicates potential interest in military capabilities, strategic planning, and regional security arrangements.

Long-Term Espionage Operations Revealed

CL-STA-1087 operates with the methodical approach typical of state-sponsored groups, maintaining persistent access to compromised networks for extended periods. The six-year timeline suggests the group prioritizes intelligence gathering over disruptive attacks.

Organizations should implement enhanced monitoring for indicators of compromise and review network access logs dating back to 2020. Military and defense contractors in Southeast Asia should consult CISA's vulnerability catalog and apply critical security updates from Microsoft's Security Update Guide to close potential entry points.

Frequently Asked Questions

What is CL-STA-1087 and who operates it?
CL-STA-1087 is a China-linked advanced persistent threat group identified by Palo Alto Networks Unit 42. The designation indicates a threat cluster with state-backed motivation targeting military organizations in Southeast Asia since 2020.
Which organizations are targeted by CL-STA-1087?
The group specifically targets military organizations throughout Southeast Asia. While exact victim counts remain undisclosed, the campaign focuses on defense-related networks and strategic military infrastructure across the region.
How long has CL-STA-1087 been active?
Palo Alto Networks Unit 42 traces CL-STA-1087 activity back to at least 2020, indicating a six-year espionage campaign. The group demonstrates strategic operational patience typical of long-term intelligence collection missions.
About the Author

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
