A coordinated cyber campaign targeting a Southeast Asian government organization has been attributed to three distinct threat activity clusters with ties to China, raising concerns about escalating state-sponsored espionage in the region. The operation, which unfolded throughout 2025, involved the deployment of a sophisticated arsenal of malware designed to establish long-term, persistent access to sensitive networks. This complex undertaking underscores a growing trend of increasingly resourceful and coordinated cyberattacks originating from China, according to researchers at Palo Alto Networks’ Unit 42.
The attacks, detected between April and September 2025, leveraged a variety of malware families, including HIUPAN (also known as USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL RAT, PoshRAT, TrackBak Stealer, RawCookie, Hypnosis Loader, and FluffyGh0st. The breadth of tools employed suggests a deliberate effort to maintain access even if initial intrusion methods were detected and blocked. The targeted government organization has not been publicly identified, but the scale and sophistication of the campaign indicate a focus on strategic intelligence gathering.
Attribution of the attacks has been linked to three groups: Mustang Panda (aka Stately Taurus), active between June and August 2025; CL-STA-1048, operating from March to September 2025, which overlaps with previously documented activity from Earth Estries and Crimson Palace; and CL-STA-1049, active in April and August 2025, which shares characteristics with the Unfading Sea Haze cluster. The overlapping activity suggests a degree of coordination or shared resources among these groups, potentially indicating a unified strategic objective, Unit 42 researchers reported.
Mustang Panda’s USB-Based Approach
The Mustang Panda cluster utilized a particularly notable tactic: the deployment of HIUPAN malware via USB drives to deliver the PUBLOAD backdoor through a malicious DLL named Claimloader. This method, relying on physical media, bypasses many traditional network security measures. Researchers first observed the use of Claimloader in attacks targeting government organizations in the Philippines in late 2022, according to a report from LAC Co., Ltd. The continued use of this technique demonstrates its effectiveness and persistence within this threat actor’s toolkit.
Beyond HIUPAN and PUBLOAD, analysis of the compromised network revealed the presence of COOLCLIENT, a backdoor attributed to Mustang Panda for over three years. COOLCLIENT provides a range of capabilities, including file transfer, keystroke logging, packet tunneling, and network mapping, further solidifying the attackers’ ability to maintain a foothold within the system.
CL-STA-1048: A Noisy but Effective Toolkit
The CL-STA-1048 cluster employed a more diverse and, according to Unit 42, “noisy” set of tools. This included EggStremeFuel, a lightweight backdoor capable of file manipulation and remote shell access; EggStremeLoader, a component of the EggStreme framework offering extensive data theft capabilities, including Dropbox integration; MASOL RAT, a remote access trojan; and TrackBak, an information stealer designed to harvest logs, clipboard data, and files. The use of multiple tools suggests an attempt to maximize data exfiltration and maintain access even if some tools are detected.

CL-STA-1049 and the Hypnosis Loader
The CL-STA-1049 cluster distinguished itself through the use of a novel DLL loader called Hypnosis Loader, deployed via DLL side-loading to install the FluffyGh0st RAT. While the initial access vector remains unclear, the use of this loader highlights the group’s technical sophistication and ability to adapt to evolving security measures. DLL side-loading is a technique in which a legitimate, often signed, executable is made to load an attacker-supplied DLL in place of the library it expects, so the malicious code runs inside a trusted process and is harder to detect.
“The convergence of these activity clusters, all of which show links to known China-aligned actors, points to a coordinated effort to achieve a common strategic goal,” Unit 42 stated. “The attackers’ methodology indicates they intended to gain long-term, persistent access to sensitive government networks, not just to cause disruption.”
Implications and Future Outlook
The coordinated nature of these attacks, coupled with the overlapping tactics and tools, suggests a deliberate and well-resourced campaign aimed at achieving sustained intelligence gathering within the targeted Southeast Asian nation. The use of diverse malware families and sophisticated techniques underscores the evolving threat landscape and the need for robust cybersecurity defenses. The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) highlighted the significance of this coordinated activity in a recent analysis, emphasizing the challenges of attribution and the importance of information sharing.
Looking ahead, cybersecurity professionals in the region should anticipate continued targeting from China-linked threat actors. Strengthening network defenses, implementing robust endpoint detection and response (EDR) systems, and enhancing employee cybersecurity awareness training are crucial steps in mitigating the risk of future attacks. The next official report from Unit 42 detailing further analysis of these campaigns is expected in late April 2026.
