A coordinated cyber espionage campaign involving three China-aligned threat clusters has targeted a Southeast Asian government organization throughout 2025, deploying sophisticated malware and backdoor tools.
Multiple Threat Clusters Identified
The activity has been traced to the following clusters:
- Mustang Panda (aka Stately Taurus) – active June to August 2025
- CL-STA-1048 – active March to September 2025, overlapping with Earth Estries and Crimson Palace clusters
- CL-STA-1049 – active April and August 2025, overlapping with Unfading Sea Haze
Palo Alto Networks Unit 42 researchers noted, “The overlapping tactics, techniques, and procedures suggest a shared objective, with all clusters focused on persistent access to the targeted network.”

Mustang Panda Campaign
Between June 1 and August 15, 2025, Mustang Panda used the USB-based malware HIUPAN (aka USBFect, MISTCLOAK, U2DiskWatch) to deliver the PUBLOAD backdoor via a malicious DLL codenamed Claimloader. This loader was first observed in 2022 targeting Philippine government networks.
Further network analysis revealed deployment of COOLCLIENT, a long-standing Mustang Panda backdoor capable of:
- File download and upload
- Keystroke logging
- Packet tunneling
- Port mapping and system enumeration

CL-STA-1048 Operations
CL-STA-1048’s activity involved multiple noisy malware components:
- EggStremeFuel – lightweight backdoor with file transfer, directory enumeration, reverse shell control, and C2 updates
- EggStremeLoader – advanced backdoor framework supporting 59 commands, including Dropbox-enabled file transfer
- MASOL RAT (Backdr-NQ) – remote access trojan with arbitrary command execution and file operations
- TrackBak Stealer – information stealer that exfiltrates logs, clipboard data, network info, and files
These tools indicate a focus on broad data collection and network surveillance rather than immediate disruption.
CL-STA-1049 Activity
CL-STA-1049 employs a novel DLL loader called Hypnosis Loader, launched via DLL side-loading, to install FluffyGh0st RAT. The initial compromise vector for both CL-STA-1048 and CL-STA-1049 remains uncertain.
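DLL side-loading, the launch technique named above for Hypnosis Loader, places a malicious DLL where a legitimate executable will load it instead of the genuine system library. The following is an added example, not code from Unit 42 or from the article, showing one defender-side heuristic: scan Sysmon-style Event ID 7 (Image Load) records and flag a system-named DLL that is loaded from outside the Windows directories, raising the severity when the DLL is unsigned, sits in a user-writable or removable location, or lies beside the loading executable. The log lines, the `key=value|key=value` record format, the directory prefixes and the small system-DLL name list are all constructed for this example; a production rule would derive the name list from a known-good system image rather than hard-code it.

```python
"""Heuristic detection of DLL side-loading from Sysmon-like Event ID 7 records.

Added example with constructed sample data; it is not tied to any real campaign.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class ImageLoad:
    image: str         # process executable that performed the load
    image_loaded: str  # full path of the DLL that was loaded
    signed: bool       # whether the loaded DLL carried a valid signature


@dataclass
class Finding:
    severity: str
    image: str
    image_loaded: str
    reason: str


# Directories from which Windows legitimately loads its own DLLs (lower-case prefixes).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Locations a standard user can write to; "d:\\" stands in for removable media here (assumption).
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "d:\\")

# Constructed sample of DLL names that ship with Windows; a DLL with one of these names
# loaded from anywhere else is the signal this heuristic looks for.
SYSTEM_DLL_NAMES = frozenset({
    "version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "profapi.dll", "dbghelp.dll",
})

_FIELD_RE = re.compile(r"(\w+)=([^|]*)")


def parse_event(line: str) -> Optional[ImageLoad]:
    """Parse one constructed 'key=value|key=value' line; only Event ID 7 records are kept."""
    fields = dict(_FIELD_RE.findall(line))
    if fields.get("EventID") != "7":
        return None
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").strip().lower() == "true",
    )


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.replace("/", "\\").lower().rsplit("\\", 1)[0]


def _starts_with_any(path: str, prefixes: Iterable[str]) -> bool:
    low = path.lower()
    return any(low.startswith(p) for p in prefixes)


def evaluate(ev: ImageLoad) -> Optional[Finding]:
    """Return a Finding when the load matches the side-loading heuristic, else None."""
    if _basename(ev.image_loaded) not in SYSTEM_DLL_NAMES:
        return None  # not a system-named DLL: outside this heuristic's scope
    if _starts_with_any(ev.image_loaded, TRUSTED_DLL_DIRS):
        return None  # loaded from where Windows keeps it
    reasons = ["system-named DLL loaded from outside the Windows directories"]
    severity = "medium"
    if not ev.signed:
        reasons.append("loaded DLL is unsigned")
        severity = "high"
    if _starts_with_any(ev.image_loaded, USER_WRITABLE_DIRS):
        reasons.append("DLL resides in a user-writable or removable location")
        severity = "high"
    if _dirname(ev.image_loaded) == _dirname(ev.image):
        reasons.append("DLL sits beside the loading executable (classic side-load layout)")
    return Finding(severity, ev.image, ev.image_loaded, "; ".join(reasons))


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse and evaluate every line, returning the findings in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        finding = evaluate(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records: one benign system load, two side-load layouts in
# user-writable/removable paths, one vendor DLL outside the heuristic, one medium case.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"EventID=7|Image=C:\Users\alice\AppData\Local\Temp\upd\vendor.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\upd\version.dll|Signed=false",
    r"EventID=7|Image=D:\autorun\app.exe|ImageLoaded=D:\autorun\dwmapi.dll|Signed=false",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\vendorhelper.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\version.dll|Signed=true",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image} loaded {f.image_loaded}: {f.reason}")
```

Run stand-alone, the block reports the two unsigned loads from user-writable or removable paths as high-severity and the signed system-named DLL under Program Files as medium, while the benign System32 load and the vendor's own helper DLL produce nothing. The graded severity matters in practice: a signed copy of a system-named DLL beside a third-party application is sometimes legitimate redistribution, so the rule surfaces it for review rather than treating it as equivalent to an unsigned DLL appearing in a temp folder or on removable media.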

Strategic Objective
Unit 42 researchers concluded, “The convergence of these China-aligned clusters demonstrates a coordinated effort to achieve long-term access to sensitive government networks. The campaign was designed for persistent espionage, not just temporary disruption.”
The findings underscore the continuing sophistication and persistence of China-linked cyber operations in Southeast Asia, emphasizing the importance of enhanced monitoring and threat detection for government networks.