win.apple_chris

AppleChris

Actor(s): CL-STA-1087
According to Unit 42, AppleChris is a custom Windows backdoor implemented as multiple Portable Executable (PE) binaries (EXEs and DLLs) that support flexible deployment, including DLL hijacking via the Volume Shadow Copy Service. It provides comprehensive remote access capabilities such as drive and directory enumeration, file upload/download/deletion, process listing and creation, and interactive shell execution, all controlled over HTTP using custom verbs and RSA/AES-encrypted C2 traffic. AppleChris uses a dead drop resolver design where C2 IPs are dynamically retrieved and decrypted, initially via a dual Dropbox + Pastebin mechanism (Dropbox variant) and later via a streamlined Pastebin-only approach (Tunneler variant). The newer Tunneler variant additionally introduces a proxy tunneling command that creates reverse TCP tunnels for network pivoting, while employing delayed execution and mutex-based single-instance checks to evade detection.

References
2026-03-12 | Palo Alto Networks Unit 42 | Lior Rochberger, Yoav Zemah
Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia
Tags: AppleChris, CL-STA-1087

There is no YARA signature yet.