Unit 42 researchers detail a persistent cyberespionage campaign targeting a Southeast Asian government organization between June and August 2025. Three distinct China-aligned threat clusters operated simultaneously against the same target: Stately Taurus used USB-propagated USBFect/HIUPAN malware to deploy the PUBLOAD backdoor via ClaimLoader; CL-STA-1048 deployed an espionage toolkit including EggStremeFuel backdoor, Masol RAT, EggStreme Loader (delivering Gorem RAT with keylogging), and a novel infostealer named TrackBak; CL-STA-1049 used a novel DLL sideloading loader called Hypnosis to deploy FluffyGh0st RAT, linked to Unfading Sea Haze and Crimson Palace. The convergence of these clusters, each with distinct tooling but overlapping TTPs with known China-affiliated actors like Earth Estries and Crimson Palace, suggests coordinated strategic targeting for long-term persistent access and data exfiltration. Full IOCs including SHA256 hashes, IP addresses, and C2 domains are provided.

Source: unit42.paloaltonetworks.com (16 min read)