Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign
Triple Threat: Three China-Linked Clusters Converge on Southeast Asian Government
TL;DR
In 2025, three distinct China-aligned threat clusters—including the prolific Mustang Panda—targeted a single Southeast Asian government organization. Using an extensive arsenal of malware such as HIUPAN, PUBLOAD, and FluffyGh0st, researchers believe these groups may be coordinating efforts to establish long-term persistent access for high-level espionage.
A "complex and well-resourced" cyber operation has been uncovered targeting a government organization in Southeast Asia throughout 2025. According to researchers from Palo Alto Networks Unit 42, the campaign involves three distinct clusters of activity, all of which align with Chinese state interests.
The convergence of these groups suggests a concentrated effort to maintain persistent access to sensitive government networks rather than seeking to cause immediate disruption.
The Three Faces of the Campaign
Analysis of the 2025 activity has attributed the operation to three specific clusters, each with overlapping timelines and varying tactics, techniques, and procedures (TTPs):
1. Mustang Panda (aka Stately Taurus)
Timeline: June – August 2025
This well-known threat actor focused on high-level backdoor deployment. Their toolkit included:
- HIUPAN: A USB-based malware (also known as USBFect or MISTCLOAK) used to deliver the PUBLOAD backdoor.
- Claimloader: A rogue DLL used to facilitate the infection chain.
- COOLCLIENT: A sophisticated backdoor that supports keystroke recording, packet tunneling, and port mapping.
2. CL-STA-1048 (Earth Estries / Crimson Palace)
Timeline: March – September 2025
This cluster utilized a diverse and "noisy" set of tools from the EggStreme malware framework:
- EggStremeFuel: A lightweight backdoor tasked with file enumeration and C2 configuration updates.
- EggStremeLoader (Gorem RAT): A robust component supporting 59 backdoor commands, including file transfers via Dropbox.
- MASOL RAT: A remote access trojan used for arbitrary command execution.
- TrackBak Stealer: An information stealer designed to harvest logs, clipboard data, and network information.
3. CL-STA-1049 (Unfading Sea Haze)
Timeline: April and August 2025
This cluster utilized more specialized, stealthy loaders:
- Hypnosis Loader: A novel DLL loader launched via side-loading.
- FluffyGh0st RAT: The final payload delivered by the Hypnosis Loader to maintain control over the target system.
Coordination and Persistent Access
Researchers Doel Santos and Hiroaki Hara of Unit 42 noted significant overlaps in the campaigns. The presence of three separate clusters targeting the same entity simultaneously points toward a common strategic goal.
The use of Claimloader, for instance, dates back to 2022 attacks on government organizations in the Philippines, suggesting these actors are revisiting and refining successful methods. By deploying a mix of USB-based propagation (HIUPAN) and sophisticated loaders (Hypnosis), the actors ensured that if one point of entry was discovered, others remained active.
Technical Gaps
While the malware families and their commands have been extensively documented, the exact initial access vectors used by CL-STA-1048 and CL-STA-1049 remain unclear. Furthermore, while the clusters overlap in TTPs and targets, the specific level of direct collaboration between these groups (whether they are sharing infrastructure or simply operating under the same mandate) is still being assessed.
Conclusion
The 2025 campaign against Southeast Asian government infrastructure represents a masterclass in persistent cyber espionage. By utilizing multiple clusters and a rotating library of backdoors—ranging from the broad EggStreme framework to the targeted FluffyGh0st RAT—Chinese-aligned actors have demonstrated a Tier-1 capability to infiltrate and reside within high-value networks.
Security teams in the region are advised to monitor for DLL side-loading activities and USB-based propagation patterns associated with the HIUPAN and PUBLOAD families.
Source: The Hacker News