← Back to Security Blog
Security Briefing March 16, 2026 8 min read

Chinese APT Targets Southeast Asian Militaries, Loblaw & Starbucks Data Breaches, Critical HPE Vulnerability, and Iran-Linked Cyber Escalation

A Chinese state-sponsored APT deploys custom AppleChris and MemFun malware in a years-long espionage campaign against Southeast Asian military organizations. Loblaw and Starbucks report data breaches affecting customers and employees. A critical HPE AOS-CX vulnerability enables unauthenticated admin password resets. Iran-linked hackers expand targeting to US critical infrastructure. AI security startups raise $80 million combined. FBI investigates malware-laden Steam games.


🇨🇳 Chinese APT Targets Southeast Asian Militaries with Custom Malware

Palo Alto Networks Unit 42 has disclosed a sophisticated, years-long cyber espionage campaign tracked as CL-STA-1087 — a suspected China-based threat cluster targeting Southeast Asian military organizations since at least 2020.

Campaign Details

The attackers deployed two custom malware families — AppleChris and MemFun — using carefully crafted delivery methods, defense evasion strategies, and highly stable operational infrastructure. The campaign focused on highly targeted intelligence collection rather than bulk data theft, specifically seeking files on military capabilities, organizational structures, and collaborative efforts with Western armed forces.

Technical Indicators

NIS2 & DORA Implications

While this campaign targets Southeast Asian militaries, European defense and critical infrastructure organizations face similar APT threats from state actors. Under NIS2 Article 21, essential entities — including defense suppliers and critical infrastructure operators — must implement measures to address state-sponsored cyber threats, including:


🔓 Loblaw & Starbucks Data Breaches

Loblaw: Customer Information Compromised

Loblaw Companies Limited, Canada's largest food retailer, has confirmed a data breach exposing customer personal information including names, email addresses, and phone numbers. The breach scope and attack vector have not been fully disclosed.

Starbucks: Employee Portal Phishing

Starbucks reported a data breach impacting employees, stemming from phishing attacks targeting an employee portal. Hundreds of employees are affected, with compromised data including personal employment details.

Pattern Recognition

Two major retailers breached in the same week highlights a broader pattern: phishing remains the dominant initial access vector for enterprise breaches. For NIS2-regulated entities, these incidents reinforce the mandatory requirement for security awareness training (Article 21(2)(g)) and multi-factor authentication across all employee-facing portals.

GDPR & Breach Notification

While both companies are North American, any EU customer data involved triggers GDPR Article 33/34 breach notification obligations. European organizations with similar employee portals should treat these breaches as a case study for their own incident response readiness.


⚠️ Critical HPE AOS-CX Vulnerability — Unauthenticated Admin Password Reset

A critical vulnerability in HPE AOS-CX network switches allows remote, unauthenticated attackers to reset administrator passwords, effectively bypassing all existing authentication controls.

Severity: Critical

This vulnerability can be exploited remotely without authentication to circumvent existing authentication controls on HPE AOS-CX switches — widely deployed in enterprise and critical infrastructure networks. Organizations running affected firmware must patch immediately.

Impact Assessment

Factor Detail
Attack Vector Remote, unauthenticated — no credentials required
Impact Complete admin takeover of network switches
Affected Product HPE AOS-CX network switch firmware
Mitigation Apply HPE security patch immediately; restrict management interface access

NIS2 compliance note: Network infrastructure vulnerabilities fall directly under Article 21(2)(e) — security in network and information systems acquisition, development, and maintenance. Organizations must have processes to identify, assess, and patch critical network device vulnerabilities within defined SLAs.


🇮🇷 Iran-Linked Hackers Escalate Critical Infrastructure Targeting

Pro-Iranian hacking groups are expanding their targeting from the Middle East to the United States, raising the risk of cyberattacks against defense contractors, power stations, and water treatment plants.

Stryker Manufacturing Attack

An Iran-linked attack on medical device manufacturer Stryker disrupted manufacturing and shipping operations. Notably, the attackers leveraged existing endpoint management software rather than deploying malware to wipe devices — a living-off-the-land technique that evades traditional security tools.

Defensive insight: The use of legitimate endpoint management tools for destructive purposes means organizations cannot rely solely on malware detection. Behavioral monitoring, anomaly detection in administrative tool usage, and privileged access management are essential countermeasures.

Regulatory Framework Response


💰 AI Security Startups Raise $80 Million

Two AI-focused security startups emerged from stealth this week, each securing $40 million in funding:

Bold Security

Bold Security uses AI to turn devices into active agents that understand user actions and provide real-time protection. The approach represents a shift from reactive signature-based detection toward proactive, behavior-aware security.

Onyx Security

Onyx Security is building a control pane for autonomous AI agents, helping organizations oversee and rapidly adopt AI agents while maintaining security guardrails. As enterprises deploy more AI agents, governance and oversight become critical security functions.

Market Signal

$80 million flowing into AI security in a single week confirms that the market recognizes AI agent governance and behavioral security as the next major growth vectors. For NIS2-regulated organizations evaluating AI adoption, both startups' approaches align with the EU AI Act's requirements for high-risk AI system oversight.


🎮 FBI Investigates Malware-Laden Steam Games

The FBI is seeking victims who installed any of eight Steam games found to contain malware. The games were uploaded to Valve's gaming platform and distributed to unsuspecting players before being removed.

Supply chain lesson: Even trusted distribution platforms like Steam can be vectors for malware delivery. NIS2's supply chain security requirements (Article 21(2)(d)) extend to all software distribution channels — organizations should maintain application whitelists and monitor for unauthorized software installations.


🛡️ Apple & Meta Security Updates

Apple Patches Coruna Exploits in Legacy iOS

Apple released iOS 16.7.15 and iOS 15.8.7 to patch vulnerabilities exploited by "Coruna" — a US defense contractor linked to commercial exploit development. Organizations with legacy iOS devices in their fleet must update immediately.

Meta Disrupts 150,000 Scam Accounts

Meta disabled over 150,000 accounts powering scam centers across Asia, while launching new protection tools for users. The crackdown targets organized fraud operations using social media for phishing and financial scams.


🔧 New Tool: Betterleaks Secrets Scanner

A new open-source tool called Betterleaks has been released as a replacement for the popular Gitleaks secrets scanner. It can scan directories, files, and git repositories to identify valid secrets using default or customized rules.

For security teams: Secret scanning is a NIS2 and DORA compliance requirement for preventing credential exposure. Betterleaks' customizable rule engine makes it suitable for CI/CD pipeline integration — a must-have for software development organizations under NIS2 scope.


📋 Today's Compliance Action Items

  1. Patch critical: HPE AOS-CX admin password reset vulnerability — unauthenticated RCE-equivalent. Patch or restrict management interface access immediately
  2. Update legacy iOS: Apple iOS 16.7.15 and 15.8.7 address actively exploited Coruna vulnerabilities
  3. APT threat hunt: Review for indicators associated with CL-STA-1087 (AppleChris/MemFun) if your organization has defense sector exposure
  4. Phishing defenses: Loblaw and Starbucks breaches remind us — audit employee portal MFA coverage and phishing simulation program effectiveness
  5. Living-off-the-land detection: The Iran/Stryker attack used legitimate tools destructively — review endpoint management tool audit logs and implement behavioral baselines
  6. Secret scanning: Evaluate Betterleaks for CI/CD pipeline integration to prevent credential exposure in code repositories
  7. Steam audit: If your organization permits gaming on corporate devices, check for the eight FBI-flagged Steam titles

Automate Your Compliance Monitoring with KENSAI

Continuous vulnerability scanning, supply chain risk assessment, and regulatory compliance mapping for NIS2, DORA, GDPR, and EU AI Act.

Start Free Security Scan →

Stay compliant. Stay secure.

🗡️ KENSAI Security & Compliance Team

March 16, 2026

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

Related Articles

Google API Keys Leak Gemini AI... CISA ने पैच डेडलाइन घटाई البرلمان الأوروبي يبسط قانون الذكاء الاصطناعي، يرفض فحص CSAM، فجوات NIS2، قواعد