New Cyber Espionage Operation Shows Coordinated Attacks by China-Aligned Groups

Multiple China-Linked Groups Target Southeast Asian Government in Coordinated Operation

Cybersecurity researchers have uncovered a large-scale cyber espionage campaign targeting a government organization in Southeast Asia. The operation appears to involve multiple threat groups with ties to China, working in parallel to gain long-term access to sensitive systems.

Investigators describe the campaign as highly organized and well-funded, with overlapping tactics suggesting a shared objective rather than isolated attacks.


Several Threat Groups Operating at the Same Time

The activity has been linked to three main clusters:

  • Mustang Panda (active between June and August 2025)
  • A cluster tracked as CL-STA-1048, associated with previously known campaigns like Earth Estries and Crimson Palace
  • Another cluster, CL-STA-1049, connected to activity known as Unfading Sea Haze

The timelines of these campaigns overlap, indicating a coordinated effort to maintain access to the same target environment.


Wide Range of Malware Deployed

Attackers used multiple malware tools to infiltrate and maintain control over the network. Some of the key malware families identified include:

  • HIUPAN (USB-based malware)
  • PUBLOAD backdoor
  • EggStremeFuel and EggStremeLoader
  • MASOL RAT
  • TrackBak information stealer
  • Hypnosis Loader
  • FluffyGh0st RAT

This variety of tools allowed attackers to perform different tasks, from data theft to remote system control.


USB Malware and Backdoor Deployment

One of the groups, Mustang Panda, relied on USB-based malware to gain initial access. The HIUPAN tool was used to spread a backdoor known as PUBLOAD through a malicious DLL component.

This method is particularly effective in restricted environments where internet-based attacks are harder to execute.

Further analysis revealed the use of COOLCLIENT, another backdoor linked to the same group. It enables attackers to:

  • Transfer files
  • Record keystrokes
  • Monitor network traffic
  • Gather system information

Advanced Tools for Data Theft and Remote Access

The second cluster, CL-STA-1048, deployed a set of tools designed for deep system control and data extraction.

These include:

  • EggStremeFuel, a lightweight backdoor for file transfer and remote shell access
  • EggStremeLoader, which supports dozens of commands for extended control
  • MASOL RAT, allowing attackers to execute commands remotely
  • TrackBak, which collects sensitive data such as clipboard content and network details

Some variants even used cloud services like Dropbox to move stolen data.


Stealth Loader and RAT Deployment

The third cluster, CL-STA-1049, used a different approach. It relied on a newly identified tool called Hypnosis Loader, which is executed through DLL side-loading techniques.

This method ultimately installs FluffyGh0st RAT, giving attackers persistent remote access to the compromised system.

The exact entry point for these attacks is still unknown, but the techniques suggest careful planning and stealth.
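Both the HIUPAN/PUBLOAD chain (a backdoor delivered through a malicious DLL component, often from removable media) and the Hypnosis Loader chain (executed through DLL side-loading) share one observable shape: a DLL that normally lives in a Windows system directory is loaded unsigned from the host program's own folder. The detection heuristic below is an added example, not code from the report or from any of the researchers; the telemetry line format, the DLL name list and the sample log lines are all constructed assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

# Assumption: these DLL names are illustrative side-loading targets, not names
# taken from the report. Loading one of them unsigned from the EXE's own
# directory instead of a trusted location is the classic side-load pattern.
SIDELOAD_PRONE_DLLS = {"version.dll", "dbghelp.dll", "userenv.dll",
                       "wtsapi32.dll", "cryptbase.dll", "libcurl.dll"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\",
                "c:\\program files (x86)\\")

@dataclass
class ImageLoad:
    process_path: str   # EXE that loaded the image
    image_path: str     # DLL that was loaded
    signed: bool        # whether the DLL carried a valid signature

def parse_line(line: str) -> ImageLoad:
    """Parse one 'process|image|signed' telemetry line (constructed format)."""
    proc, image, signed = line.strip().split("|")
    return ImageLoad(proc, image, signed.lower() == "true")

def classify(ev: ImageLoad) -> Optional[str]:
    """Return 'high', 'medium' or None for a single image-load event."""
    proc_dir = ntpath.dirname(ev.process_path).lower() + "\\"
    dll_dir = ntpath.dirname(ev.image_path).lower() + "\\"
    dll_name = ntpath.basename(ev.image_path).lower()
    if dll_name not in SIDELOAD_PRONE_DLLS or dll_dir.startswith(TRUSTED_DIRS):
        return None                      # expected location or uninteresting DLL
    if dll_dir != proc_dir or ev.signed:
        return None                      # not the side-by-side, unsigned pattern
    # A host EXE running from a non-system drive (e.g. removable media) matches
    # the USB-delivered variant described for HIUPAN; rank it higher.
    return "high" if not proc_dir.startswith("c:\\") else "medium"

# Constructed sample telemetry: one benign load, two side-load shapes, one miss.
SAMPLE_LOG = """\
C:\\Program Files\\Vendor\\tool.exe|C:\\Windows\\System32\\version.dll|true
C:\\Users\\u\\AppData\\Local\\Temp\\upd\\legit.exe|C:\\Users\\u\\AppData\\Local\\Temp\\upd\\version.dll|false
E:\\Docs\\viewer.exe|E:\\Docs\\dbghelp.dll|false
C:\\Users\\u\\Downloads\\app.exe|C:\\Users\\u\\Downloads\\app.dll|false
"""

def scan(log_text: str) -> list:
    """Return (severity, dll_path) for every flagged event in the log."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            sev = classify(ev)
            if sev:
                hits.append((sev, ev.image_path))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the Temp-directory load as medium and the E: drive load as high, while the System32 load and the non-system DLL name are ignored.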


Goal: Long-Term Access, Not Quick Disruption

Researchers believe the attackers were not aiming for immediate damage. Instead, their focus was on quietly maintaining access over time.

The consistent use of stealth techniques, multiple malware tools, and overlapping campaigns points to a long-term espionage strategy.


Final Takeaway

This campaign highlights how advanced threat groups are evolving. Rather than relying on a single method, attackers are combining multiple tools and strategies to ensure they remain inside target networks for as long as possible.

Organizations, especially in government sectors, need to strengthen monitoring, restrict USB usage, and watch for unusual system behavior to defend against this level of coordinated activity.
