Countering 'Strategic Patience': CL-STA-1087 and the SE Asia Military Threat

Just caught the Unit 42 report on CL-STA-1087 (the campaign targeting Southeast Asian militaries with AppleChris and MemFun). The description of their "strategic operational patience" is a red flag for anyone defending high-value targets.

While the AppleChris backdoor gets the headlines, the use of MemFun—a memory-resident loader—is the real headache for SOC teams. It implies a heavy focus on evasion, leaving minimal disk artifacts. If you're relying solely on EDR alerts for file writes, you're already blind to this one.

Since we don't have public IoCs yet, I'm pivoting to behavioral hunting. We need to look for anomalies in process injection chains and unsigned DLL loads related to standard office suites. Here is a basic KQL query I'm tuning to catch potential loader activity, specifically looking for suspicious parent-child relationships:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("powershell.exe", "rundll32.exe", "regsvr32.exe")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

How is everyone else handling the detection of memory-only loaders in restricted environments? Are you leaning heavily on EDR telemetry or implementing stricter application allowlisting?