Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign
#Security


Security Reporter

Three distinct China-aligned threat clusters conducted coordinated cyber operations against a Southeast Asian government in 2025, deploying sophisticated malware families including HIUPAN, EggStreme, MASOL RAT, and FluffyGh0st to establish persistent network access.

Three China-linked threat clusters have targeted a Southeast Asian government organization in a coordinated cyber campaign throughout 2025, deploying an arsenal of sophisticated malware families to establish persistent network access.

According to researchers from Palo Alto Networks Unit 42, the operation represents a "complex and well-resourced" effort involving overlapping tactics, techniques, and procedures (TTPs) that suggest coordination among the threat actors.

Timeline of Attacks

The campaign unfolded across three distinct activity clusters:

June-August 2025: Mustang Panda (Stately Taurus)

  • Used USB-based malware HIUPAN (also known as USBFect, MISTCLOAK, or U2DiskWatch)
  • Deployed rogue DLL codenamed Claimloader to deliver PUBLOAD backdoor
  • The first recorded use of Claimloader dates to late 2022, when it was used against Philippine government organizations
  • Also deployed COOLCLIENT backdoor with file transfer, keystroke recording, and packet tunneling capabilities

March-September 2025: CL-STA-1048

  • Overlaps with publicly documented clusters Earth Estries and Crimson Palace
  • Deployed EggStreme malware framework including:
    • EggStremeFuel (RawCookie) - lightweight backdoor with file operations and reverse shell capabilities
    • EggStremeLoader (Gorem RAT) - supports 59 backdoor commands for extensive data theft
    • MASOL RAT (Backdr-NQ) - remote access trojan with file transfer and command execution
    • TrackBak stealer - collects logs, clipboard data, network information, and files from drives

April-August 2025: CL-STA-1049

  • Overlaps with Unfading Sea Haze cluster
  • Uses a novel DLL loader, dubbed Hypnosis Loader, that is launched via DLL side-loading
  • Ultimately installs FluffyGh0st RAT

Malware Arsenal

The attackers deployed multiple sophisticated malware families:

  • HIUPAN: USB-based malware for initial deployment
  • PUBLOAD: Backdoor delivered through Claimloader
  • EggStremeFuel/RawCookie: Lightweight backdoor with file operations and reverse shell capabilities
  • EggStremeLoader/Gorem RAT: Component of EggStreme framework with 59 backdoor commands
  • MASOL RAT/Backdr-NQ: Remote access trojan with file operations
  • TrackBak: Information stealer collecting logs and clipboard data
  • Hypnosis Loader: Novel DLL loader for CL-STA-1049
  • FluffyGh0st RAT: Final payload for CL-STA-1049 operations
  • COOLCLIENT: Long-standing Mustang Panda backdoor with keystroke recording

Strategic Implications

"The convergence of these activity clusters, all of which show links to known China-aligned actors, points to a coordinated effort to achieve a common strategic goal," Unit 42 researchers stated. "The attackers' methodology indicates they intended to gain long-term, persistent access to sensitive government networks, not just to cause disruption."

The overlapping TTPs and shared targeting suggest these clusters may be coordinating their efforts toward a common strategic objective, though the exact initial access vectors for CL-STA-1048 and CL-STA-1049 remain unclear.

This campaign highlights the sophisticated, persistent nature of China-linked cyber operations targeting Southeast Asian governments, with attackers employing multiple malware families and techniques to maintain long-term access to sensitive networks.


For organizations concerned about similar threats, implementing robust endpoint detection and response (EDR) solutions, monitoring for unusual USB activity, and maintaining strict network segmentation can help mitigate the risk of persistent access by advanced threat actors.

Related security developments include Google fixing two Chrome zero-days exploited in the wild, Apple addressing WebKit vulnerabilities, and Android 17 blocking non-accessibility apps from using the Accessibility API, a change intended to curb its abuse by malware.
