Three threat activity clusters aligned with China have targeted a government organization in Southeast Asia as part of what has been described as a “complex and well-resourced operation.”
The campaigns have led to the deployment of various malware families, including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL RAT, PoshRAT, TrackBak Stealer, RawCookie, Hypnosis Loader, and FluffyGh0st.
The activity has been attributed to the following clusters –
- June – August 2025: Mustang Panda (aka Stately Taurus).
- March – September 2025: CL-STA-1048, which overlaps with clusters publicly documented under the monikers Earth Estries and Crimson Palace.
- April and August 2025 – CL-STA-1049, which overlaps with a publicly documented cluster known as Unfading Sea Haze.
| Activity timeline |
“These activity clusters overlap with publicly reported campaigns aimed at establishing persistent access,” Palo Alto Networks Unit 42 researchers Doel Santos and Hiroaki Hara said. “Significant overlap in tactics, techniques, and procedures (TTPs) with known China-aligned campaigns suggests the clusters and threat group have a common target of interest, potentially coordinating their effort.”
 |
| Infection chain of CL-STA-1048 26m |
The Mustang Panda activity, recorded between June 1 and August 15, 2025, entailed the use of a USB-based malware known as HIUPAN to deliver the PUBLOAD backdoor by means of a rogue DLL codenamed Claimloader. The threat actor’s first recorded use of Claimloader dates back to late 2022 in attacks targeting government organizations in the Philippines.
Additional analysis of the victim network has uncovered the deployment of COOLCLIENT, another known backdoor attributed to Mustang Panda for more than three years. It supports file download/upload, keystroke recording, packet tunneling, and port map information capture.
The tools used by CL-STA-1048 vary as they are noisy –
- EggStremeFuel, a lightweight backdoor that’s equipped to download/upload files, enumerate files and directories, start or terminate a reverse shell, send the current global IP address, and update the C2 configuration.
- EggStremeLoader, another component of the EggStreme malware framework that’s launched by EggStremeFuel. It supports 59 backdoor commands to support extensive data theft. This includes a variant that facilitates file download/upload over Dropbox.
- MASOL RAT (aka Backdr-NQ), a remote access trojan with file download/upload and arbitrary command execution features.
- TrackBak, an information stealer that collects logs, clipboard data, network information, and files from drives.
The activity linked to CL-STA-1049, on the other hand, involves the use of a novel DLL loader called Hypnosis Loader, which is launched via DLL side-loading, to ultimately install FluffyGh0st RAT. The exact initial access vector used by CL-STA-1048 and CL-STA-1049 remains unclear.
“The convergence of these activity clusters, all of which show links to known China-aligned actors, points to a coordinated effort to achieve a common strategic goal,” Unit 42 said. “The attackers’ methodology indicates they intended to gain long-term, persistent access to sensitive government networks, not just to cause disruption.”