Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign

Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign Ravie LakshmananMar 30, 2026Threat Intelligence / Network Intrusion Three threat activity clusters aligned with China have targeted a government organization in Southeast Asia as part of what has been described as a "complex and well-resourced operation." The campaigns have led to the deployment of various malware families, including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL RAT, PoshRAT, TrackBak Stealer, RawCookie, Hypnosis Loader, and FluffyGh0st. The activity has been attributed to the following clusters - June - August 2025: Mustang Panda (aka Stately Taurus).  March - September 2025: CL-STA-1048, which overlaps with clusters publicly documented under the monikers Earth Estries and Crimson Palace. April and August 2025 - CL-STA-1049, which overlaps with a publicly documented cluster known as Unfading Sea Haze. Activity timeline "These activity clusters overlap with publicly reported campaigns aimed at establishing persistent access," Palo Alto Networks Unit 42 researchers Doel Santos and Hiroaki Hara said. "Significant overlap in tactics, techniques, and procedures (TTPs) with known China-aligned campaigns suggests the clusters and threat group have a common target of interest, potentially coordinating their effort." Infection chain of CL-STA-1048 26m The Mustang Panda activity, recorded between June 1 and August 15, 2025, entailed the use of a USB-based malware known as HIUPAN to deliver the PUBLOAD backdoor by means of a rogue DLL codenamed Claimloader. The threat actor's first recorded use of Claimloader dates back to late 2022 in attacks targeting government organizations in the Philippines.  Additional analysis of the victim network has uncovered the deployment of COOLCLIENT, another known backdoor attributed to Mustang Panda for more than three years. It supports file download/upload, keystroke recording, packet tunneling, and port map information capture. The tools used by CL-STA-1048 vary as they are noisy - EggStremeFuel, a lightweight backdoor that's equipped to download/upload files, enumerate files and directories, start or terminate a reverse shell, send the current global IP address, and update the C2 configuration. EggStremeLoader, another component of the EggStreme malware framework that's launched by EggStremeFuel. It supports 59 backdoor commands to support extensive data theft. This includes a variant that facilitates file download/upload over Dropbox. MASOL RAT (aka Backdr-NQ), a remote access trojan with file download/upload and arbitrary command execution features. TrackBak, an information stealer that collects logs, clipboard data, network information, and files from drives. The activity linked to CL-STA-1049, on the other hand, involves the use of a novel DLL loader called Hypnosis Loader, which is launched via DLL side-loading, to ultimately install FluffyGh0st RAT. The exact initial access vector used by CL-STA-1048 and CL-STA-1049 remains unclear. "The convergence of these activity clusters, all of which show links to known China-aligned actors, points to a coordinated effort to achieve a common strategic goal," Unit 42 said. "The attackers' methodology indicates they intended to gain long-term, persistent access to sensitive government networks, not just to cause disruption." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, china, cybersecurity, data theft, Malware, network intrusion, Remote Access Trojan, Threat Intelligence Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Load More ▼ Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures Guide - Discover How to Validate AI Risks With Adversarial Testing