China-linked groups hit a Southeast Asian government in 2025, deploying multiple malware families in a sophisticated cyber campaign.
In 2025, three China-linked threat clusters targeted a Southeast Asian government in a complex, well-funded cyber operation. Threat actors deployed numerous malware types, including HIUPAN, PUBLOAD, EggStremeFuel/Loader, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st, showing advanced tactics and persistent access to sensitive systems.
According to three Palo Alto researchers, the cyber activity in 2025 has been linked to three clusters: Mustang Panda (Stately Taurus) active between June and August; CL-STA-1048, overlapping with Earth Estries (aka Salt Typhoon) and Crimson Palace, active between March and September 2025; and CL-STA-1049, overlapping with Unfading Sea Haze, active in April and August 2025.
“Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a government organization in Southeast Asia.” reads the report published by Palo alto Networks. “These activity clusters overlap with publicly reported campaigns aimed at establishing persistent access. Significant overlap in tactics, techniques and procedures (TTPs) with known China-aligned campaigns suggests the clusters and threat group have a common target of interest, potentially coordinating their effort.”
In 2025, the China-linked threat group Stately Taurus, also known as Mustang Panda, carried out a targeted cyber campaign against a Southeast Asian government, primarily leveraging PUBLOAD malware propagated via USBFect-infected drives.
“On June 1, 2025, we detected PUBLOAD activity attributed to Stately Taurus across multiple endpoints at a government entity in Southeast Asia.” continues the report. “Our investigation found the origin of this activity was likely a USB drive containing USBFect. USBfect is a worm that spreads via removable media, often used to propagate PUBLOAD for lateral movement.”
USBFect, a worm closely related to the previously documented HIUPAN family, enabled the malware to spread laterally across multiple endpoints, automatically installing malicious components such as EVENT.dll and using ClaimLoader to decrypt and execute shellcode in memory. PUBLOAD collected and exfiltrated critical system information, including volume details, computer names, usernames, and system tick counts, over TCP with obfuscated TLS-like headers, and remained active on infected endpoints until mid-August 2025. In addition to PUBLOAD operations, the investigation identified activity associated with CoolClient loaders, which employed advanced anti-disassembly techniques to evade analysis and relied on the HP-Socket library to maintain a flexible, multi-protocol client/server connection.
CoolClient could upload and delete files, route network traffic, record keystrokes, and send port information. This shows it was used to collect data and move through the network. Together with PUBLOAD, CoolClient shows that Stately Taurus carefully planned the attack, keeping access to the systems, using multiple tools, and staying connected to important targets throughout the campaign.
The researchers reported that in 2025, the CL-STA-1048 cluster deployed multiple espionage tools against a Southeast Asian target, including EggStremeFuel, Masol RAT, EggStreme Loader (Gorem RAT), and TrackBak. EggStremeFuel used RC4-encrypted C2 configs to upload/download files and control reverse shells. Masol RAT and EggStreme Loader provided backdoor access, keylogging, and in-memory payload execution, while TrackBak stole keystrokes, clipboard data, and network info. Tooling and methods link CL-STA-1048 to China-affiliated activity.
Cluster CL-STA-1049 used a stealthy “Hypnosis” DLL loader to deploy FluffyGh0st RAT via DLL sideloading with a legitimate Bitdefender executable. The loader injects itself, maintains execution, decrypts, and loads the final payload, which communicates with attacker-controlled C2 domains. FluffyGh0st, linked to China-aligned groups like Unfading Sea Haze and Sophos-tracked Crimson Palace, enables remote control and plugin-based functionality, showing advanced persistence and espionage capabilities.
“The attackers’ methodology indicates they intended to gain long-term, persistent access to sensitive government networks, not just to cause disruption. These well-resourced adversaries used diverse tool sets, including Stately Taurus’s USB propagation, CL-STA-1048’s multi-payload strategy and CL-STA-1049’s stealthy FluffyGh0st RAT.” concludes the report. “Their primary goal was to continuously locate and exfiltrate data, as evidenced by the deployment of infostealers and comprehensive backdoors.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, China-linked groups)
