
Three China-aligned threat activity clusters targeted government agencies in Southeast Asia as part of a “complex and well-funded operation.”
This campaign introduced various malware families including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL RAT, PoshRAT, TrackBak Stealer, RawCookie, Hypnosis Loader, and FluffyGh0st.
This activity has been attributed to the following clusters:
June to August 2025: Mustang Panda (aka Stately Taurus).
March to September 2025: CL-STA-1048, which overlaps with clusters publicly documented under the names Earth Estries and Crimson Palace.
April and August 2025: CL-STA-1049, which overlaps with the publicly documented cluster known as Unfading Sea Haze.
Activity timeline
“These clusters of activities overlap with publicly reported campaigns aimed at establishing persistent access,” said Palo Alto Networks Unit 42 researchers Doel Santos and Hiroaki Hara. “The significant overlap in tactics, techniques, and procedures (TTPs) with known China-aligned campaigns suggests that the cluster and threat groups have common interests and may be coordinating their efforts.”
CL-STA-1048 infection chain
Mustang Panda activity, recorded from June 1 to August 15, 2025, used USB-based malware known as HIUPAN to deliver the PUBLOAD backdoor through a malicious DLL codenamed Claimloader. The first recorded use of Claimloader by this threat actor dates back to attacks targeting government agencies in the Philippines in late 2022.
Further analysis of the victim’s network revealed the deployment of another known backdoor, COOLCLIENT, which has been attributed to Mustang Panda for over three years. COOLCLIENT supports file download/upload, keystroke logging, packet tunneling, and capturing port map information.
The tools used in CL-STA-1048 are different, and they are noisier.
EggStremeFuel is a lightweight backdoor that downloads/uploads files, enumerates files and directories, starts or exits a reverse shell, sends the current global IP address, and updates the C2 configuration.
EggStremeLoader is another component of the EggStreme malware framework and is launched by EggStremeFuel. It supports 59 backdoor commands and large-scale data theft, and includes variants that download/upload files via Dropbox.
MASOL RAT (also known as Backdr-NQ) is a remote access Trojan with file download/upload and arbitrary command execution capabilities.
TrackBak is an information stealer that collects logs, clipboard data, network information, and files from the infected host’s drives.

Meanwhile, activity related to CL-STA-1049 includes the use of a new DLL loader called Hypnosis Loader that is launched via DLL sideloading and ultimately installs the FluffyGh0st RAT. The exact initial access vector used by CL-STA-1048 and CL-STA-1049 remains unknown.
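Both the Claimloader and Hypnosis Loader chains described above rely on DLL sideloading, in one case started from USB media. The following is an added example of detection logic for that pattern; it is not code from the original article or from Unit 42. It models Sysmon-style image-load events (Event ID 7) as small records and flags a host process loading a DLL that sits beside it in a user-writable or removable-media directory rather than a protected system path. The field names, protected-directory list, "non-C: volume means removable media" rule and the sample events are all assumptions constructed for the demo, not indicators from the campaign.

```python
"""Heuristic detection of DLL sideloading from image-load telemetry.

Added example for the article above, not code from the original page or
from Unit 42. Sysmon-style image-load events (Event ID 7) are modelled as
small records; the detector flags a legitimate host process loading a DLL
that sits next to it in a user-writable or removable-media directory
instead of a protected system path. Field names, path lists and sample
events are assumptions constructed for the demo.
"""
from dataclasses import dataclass
import ntpath

# Directories only administrators can normally write to (assumption: a
# default Windows layout; extend this for your own environment).
PROTECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",  # prefix also covers "c:\program files (x86)"
)


@dataclass
class ImageLoad:
    process_image: str    # full path of the executable that did the load
    image_loaded: str     # full path of the DLL that was mapped
    process_signed: bool  # Authenticode status of the executable
    image_signed: bool    # Authenticode status of the DLL


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _protected(path: str) -> bool:
    return any(path.startswith(root) for root in PROTECTED_DIRS)


def sideload_findings(event: ImageLoad) -> list:
    """Return the reasons an image load looks like sideloading ([] if clean)."""
    proc = _norm(event.process_image)
    dll = _norm(event.image_loaded)
    reasons = []
    # Classic sideloading depends on the DLL being found next to the EXE
    # before the loader searches the system directories.
    if ntpath.dirname(proc) != ntpath.dirname(dll):
        return reasons
    if _protected(dll):
        return reasons  # planting a DLL here already requires admin rights
    if event.process_signed and not event.image_signed:
        reasons.append("signed host process loaded an unsigned DLL from its own directory")
    # Demo assumption: anything not on the C: volume is treated as removable
    # media, matching the USB delivery the article describes.
    if not proc.startswith("c:\\"):
        reasons.append("host process ran from a non-system volume (possible removable media)")
    return reasons


def scan(events) -> list:
    """Return [(process_image, reasons)] for every event with findings."""
    hits = []
    for ev in events:
        reasons = sideload_findings(ev)
        if reasons:
            hits.append((ev.process_image, reasons))
    return hits


# Constructed sample telemetry (not real IoCs): a clean system load, a load
# from a USB-style volume, a load from a user temp directory, a vendor plugin.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll", True, True),
    ImageLoad(r"E:\Documents\Updater.exe",
              r"E:\Documents\helper.dll", True, False),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\tool.exe",
              r"C:\Users\alice\AppData\Local\Temp\config.dll", True, False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\plugin.dll", True, False),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample the detector reports the Updater.exe load with two findings (unsigned DLL beside a signed EXE, and execution from a non-system volume) and the Temp directory load with one; the System32 load and the plugin under Program Files are left alone, since writing into those paths already needs administrator rights and flagging them would bury the signal in vendor-plugin noise.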
“The convergence of these groups of activities all demonstrate connections with known China-aligned actors and demonstrate a coordinated effort to achieve common strategic goals,” Unit 42 said. “The attackers’ tactics demonstrate that they intended not only to cause disruption, but also to gain long-term, sustained access to sensitive government networks.”
