Inside a Chinese Espionage Campaign Targeting the Military


Unlike standard Mimikatz, it automates its harvesting routine and logs stolen credentials to files rather than providing an interactive interface.

This enables attackers to move laterally and maintain persistent access across compromised networks.

“Our analysis suggests that the attackers maintained communication with multiple compromised networks over an extended period, leveraging Pastebin and Dropbox for C2 distribution,” Yoav and Lior say.

“Notably, while the AppleChris Dropbox samples we encountered appeared to be older than the Tunneler samples, they were still functional and in active use at the time of our investigation.

“Evidence suggests the threat actor behind the activity cluster continues to update their Dropbox account with updated infrastructure files.”

The Unit 42 report highlights a sophisticated, targeted espionage campaign using AppleChris, MemFun and Getpass to infiltrate military networks. 

These tools demonstrate advanced evasion, in‑memory execution and credential harvesting techniques, emphasising the persistent, state‑linked nature of modern cyber threats and the critical need for robust cybersecurity defences.
