{"id":427,"date":"2026-03-30T08:01:43","date_gmt":"2026-03-30T08:01:43","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=427"},"modified":"2026-03-30T08:01:43","modified_gmt":"2026-03-30T08:01:43","slug":"three-china-linked-clusters-target-southeast-asian-government-in-2025-cyber-campaign","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=427","title":{"rendered":"Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 30, 2026<\/span><\/span><span class=\"p-tags\">Threat Intelligence \/ Network Intrusion<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjMVmr08UFvUwMkDRW62724LCJu5Z774vza7r8UADDdCZcBFNJTeJ9WPFkt4BLIknMuCpLYow39D0rgDkTkftiSLBxtPsG3YW6Y7CRiPRxye2Con9Z1lP77VcDv2PA4UJ4PP6nNSCLX0cOKLKJOTCnVerXQ4w5we9s3rMTBbUMMX2hZBB5MLu5t4Ll3YFPe\/s1700-e365\/chinese-hackers.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Three threat activity clusters aligned with China have targeted a government organization in Southeast Asia as part of what has been described as a \u00abcomplex and well-resourced operation.\u00bb<\/p>\n<p>The campaigns have led to the deployment of various malware families, including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL RAT, <a href=\"https:\/\/advisories.checkpoint.com\/defense\/advisories\/public\/2018\/cpai-2018-0711.html\/\" rel=\"noopener\" target=\"_blank\">PoshRAT<\/a>, TrackBak Stealer, RawCookie, Hypnosis Loader, and FluffyGh0st.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a 
href=\"https:\/\/thehackernews.uk\/not-fast-enough-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlXM830ruQd2xT6M7JNeNRjaFa1onD12WjSCHihTFMTzbyfT9h-irPmXy_h3E1HGSs6sdv7FTmnyNVTM5kmSb7BuUtZe8gKoTQt99P1sSzRcqqXpOJP6eoAOhR3DGb6qHx9kOZ_HBZUMmVnsnd0DM7QfUp81bgzTvvgLww6oqB-EhnDfWXH5pWCYhAsyLs\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The <a href=\"https:\/\/blogs.jpcert.or.jp\/en\/2026\/02\/jsac2026day1.html#:~:text=Attribution%20in%20Action%3A%20A%20Case%20Study%20of%20an%20Incident%20Involving%20Multiple%20Activity%20Clusters\" rel=\"noopener\" target=\"_blank\">activity<\/a> has been attributed to the following clusters &#8211;<\/p>\n<ul>\n<li>June &#8211; August 2025: Mustang Panda (aka Stately Taurus).\u00a0<\/li>\n<li>March &#8211; September 2025: CL-STA-1048, which overlaps with clusters publicly documented under the monikers Earth Estries and Crimson Palace.<\/li>\n<li>April and August 2025 &#8211; CL-STA-1049, which overlaps with a publicly documented cluster known as Unfading Sea Haze.<\/li>\n<\/ul>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgpKEf0nTOqVhyphenhyphenWLgLDFut3jYT_2ZkXa5le5FtX1e4tYw9Yw0tIFlFao2RfO98jocePLmAiUpMNlD-kAeqOXZi8z2N2FD3gRvNMP59Uzvw83ZHfASO123VkMGEpaiW_QFF8QjAz9g97cXw5Hm_sXuAQg5i-VU7Qw5fXK9PWm1i0Wx4In-UU-S2zGSm5nfHz\/s1700-e365\/time.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgpKEf0nTOqVhyphenhyphenWLgLDFut3jYT_2ZkXa5le5FtX1e4tYw9Yw0tIFlFao2RfO98jocePLmAiUpMNlD-kAeqOXZi8z2N2FD3gRvNMP59Uzvw83ZHfASO123VkMGEpaiW_QFF8QjAz9g97cXw5Hm_sXuAQg5i-VU7Qw5fXK9PWm1i0Wx4In-UU-S2zGSm5nfHz\/s1700-e365\/time.png\" alt=\"\" border=\"0\" data-original-height=\"760\" data-original-width=\"2384\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Activity timeline<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u00abThese activity clusters overlap with publicly reported campaigns aimed at establishing persistent access,\u00bb Palo Alto Networks Unit 42 researchers Doel Santos and Hiroaki Hara <a href=\"https:\/\/unit42.paloaltonetworks.com\/espionage-campaigns-target-se-asian-government-org\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abSignificant overlap in tactics, techniques, and procedures (TTPs) with known China-aligned campaigns suggests the clusters and threat group have a common target of interest, potentially coordinating their effort.\u00bb<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiI2g2aSHQq-IjHtKBGTRYwQ4HufO6qLf5ClaRv2E4yIm2_L4OX1Y8mfgWV4ZY2GQvvuyIbTk17t5N8DBNFDfo655iuQHBGMdCFArdIaNIIweuK1GG-HneJd26rqh2vP908IYhC8wpXSUNEZCNetDoCutEvVHuUoIc8LHKZapVLss7HWuTuRbVkQrJH01XA\/s1700-e365\/rawcookie.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiI2g2aSHQq-IjHtKBGTRYwQ4HufO6qLf5ClaRv2E4yIm2_L4OX1Y8mfgWV4ZY2GQvvuyIbTk17t5N8DBNFDfo655iuQHBGMdCFArdIaNIIweuK1GG-HneJd26rqh2vP908IYhC8wpXSUNEZCNetDoCutEvVHuUoIc8LHKZapVLss7HWuTuRbVkQrJH01XA\/s1700-e365\/rawcookie.png\" alt=\"\" border=\"0\" data-original-height=\"1018\" 
data-original-width=\"1680\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Infection chain of CL-STA-1048<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The Mustang Panda activity, recorded between June 1 and August 15, 2025, entailed the use of a USB-based malware known as HIUPAN to deliver the PUBLOAD backdoor by means of a rogue DLL codenamed Claimloader. The threat actor&#8217;s first recorded use of Claimloader dates <a href=\"https:\/\/www.lac.co.jp\/lacwatch\/report\/20221117_003189.html\" rel=\"noopener\" target=\"_blank\">back to late 2022<\/a> in attacks targeting government organizations in the Philippines.<\/p>\n<p>Additional analysis of the victim network has uncovered the deployment of COOLCLIENT, another known backdoor that has been attributed to Mustang Panda for more than three years. It supports file download\/upload, keystroke recording, packet tunneling, and port map information capture.<\/p>\n<p>The tools used by CL-STA-1048 are as varied as they are noisy &#8211;<\/p>\n<ul>\n<li>EggStremeFuel, a lightweight backdoor that&#8217;s equipped to download\/upload files, enumerate files and directories, start or terminate a reverse shell, send the current global IP address, and update the C2 configuration.<\/li>\n<li>EggStremeLoader, another component of the EggStreme malware framework that&#8217;s launched by EggStremeFuel. 
It supports 59 backdoor commands to support extensive data theft. This includes a variant that facilitates file download\/upload over Dropbox.<\/li>\n<li>MASOL RAT (aka Backdr-NQ), a remote access trojan with file download\/upload and arbitrary command execution features.<\/li>\n<li>TrackBak, an information stealer that collects logs, clipboard data, network information, and files from drives.<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEje12MdP1Gu0sccHYx7WTYX7iKP4whJFQEHhZgQWZfcFXLmB9riw82Ohi4jcg7k0ulsb1as8Pdv1PuFqDxXDoFbfLoZOhbCDL88ACw-yKbd8l2L6U9_VxpK8eiOe1fjBpWB_BzsjbPhxtzqyezArWQ-FwgFd3tOkTExrD_8bLMzTPg9OsH4SGeqPKutCrTu\/s1700-e365\/EggStreme.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEje12MdP1Gu0sccHYx7WTYX7iKP4whJFQEHhZgQWZfcFXLmB9riw82Ohi4jcg7k0ulsb1as8Pdv1PuFqDxXDoFbfLoZOhbCDL88ACw-yKbd8l2L6U9_VxpK8eiOe1fjBpWB_BzsjbPhxtzqyezArWQ-FwgFd3tOkTExrD_8bLMzTPg9OsH4SGeqPKutCrTu\/s1700-e365\/EggStreme.png\" alt=\"\" border=\"0\" data-original-height=\"700\" data-original-width=\"1431\"\/><\/a><\/div>\n<p>The activity linked to CL-STA-1049, on the other hand, involves the use of a novel DLL loader called Hypnosis Loader, which is launched via DLL side-loading, to ultimately install FluffyGh0st RAT. The exact initial access vector used by CL-STA-1048 and CL-STA-1049 remains unclear.<\/p>\n<p>\u00abThe convergence of these activity clusters, all of which show links to known China-aligned actors, points to a coordinated effort to achieve a common strategic goal,\u00bb Unit 42 said. 
\u00abThe attackers&#8217; methodology indicates they intended to gain long-term, persistent access to sensitive government networks, not just to cause disruption.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 30, 2026Threat Intelligence \/ Network Intrusion Three threat activity clusters aligned with China have targeted a government organization in Southeast Asia as part of what has been described&hellip;<\/p>\n","protected":false},"author":1,"featured_media":428,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[100,6,479,956,233,385,593,492],"class_list":["post-427","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-asian","tag-campaign","tag-chinalinked","tag-clusters","tag-cyber","tag-government","tag-southeast","tag-target"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=427"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/427\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/428"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2
Fwp%2Fv2%2Fcategories&post=427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}