
Three China-Linked Clusters Target Southeast Asia in 2025 Cyber Campaign

Ravie Lakshmanan | March 30, 2026 | Threat Intelligence / Network Penetration

Three sets of China-aligned threat activity have targeted a government agency in Southeast Asia as part of what has been described as a "complex and well-resourced operation."

These campaigns involved a range of malware families, including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL RAT, PoshRAT, TrackBak, and FluffyGh0st.

The activity breaks down into the following clusters:

  • June – August 2025: Mustang Panda (aka Stately Taurus).
  • March – September 2025: CL-STA-1048, which overlaps with the activity publicly tracked under the monikers Earth Estries and Crimson Palace.
  • April and August 2025: CL-STA-1049, which overlaps with the publicly documented cluster known as Unfading Sea Haze.

Activity timeline

"These sets of activities overlap with publicly reported campaigns aimed at gaining sustained access," said Palo Alto Networks Unit 42 researchers Doel Santos and Hiroaki Hara. "The large overlap in tactics, techniques, and procedures (TTPs) with known campaigns aligned with China suggests that the threat groups have a common goal of interest and may have coordinated their efforts."

CL-STA-1048 infection chain

The Mustang Panda activity, recorded between June 1 and August 15, 2025, involves the use of USB-based malware known as HIUPAN to deliver the PUBLOAD backdoor via a malicious DLL called Claimloader. The threat actor's first known use of Claimloader dates to late 2022, in an attack targeting government agencies in the Philippines.

Further analysis of the victim's network revealed the deployment of COOLCLIENT, another backdoor that has been attributed to Mustang Panda for more than three years. It supports file download/upload, keylogging, packet capture, and collection of port mapping information.

The tools used by CL-STA-1048 are similarly varied:

  • EggStremeFuel, a lightweight backdoor equipped to download/upload files, enumerate files and directories, start or terminate a reverse shell, send the current public IP address, and update the C2 configuration.
  • EggStremeLoader, another EggStreme malware component, delivered by EggStremeFuel. It supports 59 backdoor commands that enable extensive data theft, including a feature for downloading/uploading files via Dropbox.
  • MASOL RAT (aka Backdr-NQ), a remote access trojan with file download/upload and command execution features.
  • TrackBak, a stealer that collects logs, clipboard data, network information, and files from drives.

The activity linked to CL-STA-1049, on the other hand, involves the use of a novel DLL loader called Hypnosis Loader, delivered via DLL sideloading, to eventually install the FluffyGh0st RAT. The exact initial access vector used by CL-STA-1048 and CL-STA-1049 remains unclear.

"The convergence of these activity groups, all of which show connections to known actors aligned with China, points to a concerted effort to achieve a common strategic goal," said Unit 42. "The attackers' approach shows that they intended to gain long-term, sustained access to critical government networks, not just cause disruption."
