China-Linked APT Clusters Launch Coordinated Cyber Campaign Against Southeast Asian Government in 2025
- Mar 30
Key Findings
Three China-linked threat clusters targeted a Southeast Asian government organization throughout 2025 in a sophisticated, well-resourced cyber campaign
Mustang Panda (Stately Taurus) deployed PUBLOAD malware via USB-infected drives between June and August 2025
CL-STA-1048 cluster operated from March to September 2025, using multiple espionage tools including EggStremeFuel, MASOL RAT, and TrackBak Stealer
CL-STA-1049 cluster, active in April and August 2025, used the novel Hypnosis Loader to deploy FluffyGh0st RAT
Overlapping tactics and shared targeting suggest potential coordination between the three clusters toward common strategic objectives
Attackers prioritized establishing persistent access for long-term data exfiltration rather than causing disruption
Background
In 2025, Palo Alto Networks Unit 42 researchers uncovered a series of coordinated cyberespionage campaigns targeting a government organization in Southeast Asia. The investigation revealed activity from three distinct threat clusters, all showing alignment with known China-linked threat actors. The campaigns employed diverse malware families and demonstrated careful planning, significant resources, and advanced operational security. The convergence of these separate but overlapping activities suggests the clusters may have been working toward a common strategic goal.
Mustang Panda's USB-Based Campaign
Between June 1 and August 15, 2025, Mustang Panda, also known as Stately Taurus, executed a targeted campaign primarily leveraging PUBLOAD malware. The initial infection vector was USB drives infected with USBFect, a worm closely related to the HIUPAN malware family. USBFect automatically spread across multiple endpoints, installing malicious components including EVENT.dll and using ClaimLoader to decrypt and execute shellcode directly in memory.
PUBLOAD served as the primary backdoor, collecting and exfiltrating critical system information including volume details, computer names, usernames, and system tick counts. The malware communicated over TCP using obfuscated TLS-like headers and remained active across infected endpoints until mid-August 2025.
Investigators also identified activity associated with CoolClient loaders, which employed advanced anti-disassembly techniques to evade security analysis. CoolClient leveraged the HP-Socket library to maintain flexible multi-protocol client-server connections, enabling file uploads and deletions, network traffic routing, keystroke recording, and port information collection. This combination demonstrated Mustang Panda's careful planning and commitment to maintaining persistent access across critical systems throughout the campaign.
CL-STA-1048's Multi-Tool Espionage Operation
Operating from March through September 2025, the CL-STA-1048 cluster deployed a comprehensive arsenal of espionage tools against the same Southeast Asian target. This toolkit included EggStremeFuel, MASOL RAT, EggStreme Loader (also called Gorem RAT), and TrackBak Stealer, each serving specific objectives within the overall campaign.
EggStremeFuel functioned as a lightweight backdoor equipped with RC4-encrypted command and control configurations, enabling file upload and download capabilities along with reverse shell control. MASOL RAT and EggStreme Loader provided deeper backdoor access with keylogging functionality and in-memory payload execution capabilities, significantly expanding the attackers' operational flexibility.
TrackBak Stealer specialized in harvesting sensitive data, collecting keystrokes, clipboard contents, and network information from infected systems. The tooling and operational methods employed by CL-STA-1048 directly link this cluster to China-affiliated threat activity, according to Unit 42 researchers.
CL-STA-1049's Stealthy DLL Loader Campaign
Active during April and August 2025, cluster CL-STA-1049 employed a notably stealthy approach using the Hypnosis DLL loader to deploy FluffyGh0st RAT. The attack chain utilized DLL sideloading with a legitimate Bitdefender executable, allowing the loader to inject itself and maintain execution while decrypting and loading the final payload.
FluffyGh0st RAT communicated with attacker-controlled command and control domains and provided remote control capabilities along with plugin-based functionality, enabling flexible adaptation to operational requirements. The malware's advanced persistence and espionage capabilities link it to other China-aligned groups including Unfading Sea Haze and the group Sophos tracks as Crimson Palace, indicating possible operational overlap or shared tactics development across multiple Chinese-sponsored threat actors.
Coordinated Strategic Objectives
The convergence of these three separate activity clusters, each demonstrating tactical sophistication and resource investment, indicates potential coordination toward shared strategic objectives. While each cluster maintained distinct operational approaches and tool preferences, the overlapping targeting of the same government organization suggests more than coincidental interest.
The attackers' methodology consistently prioritized establishing long-term persistent access to sensitive government networks rather than pursuing disruptive attacks. The deployment of comprehensive infostealers and backdoors across multiple systems enabled continuous discovery and exfiltration of data. The significant overlap in tactics, techniques, and procedures between all three clusters and known China-aligned campaigns indicates the threat groups likely share common intelligence requirements or coordination mechanisms, possibly reflecting broader Chinese state interests in Southeast Asian government operations.
Sources
https://securityaffairs.com/190174/apt/china-linked-groups-target-southeast-asian-government-with-advanced-malware-in-2025.html
https://thehackernews.com/2026/03/three-china-linked-clusters-target.html
https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/