Unit 42 uncovers multiple clusters of cyberespionage targeting a Southeast Asian government organization with USBFect, RATs and loaders.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 researchers detail a persistent cyberespionage campaign targeting a Southeast Asian government organization between June and August 2025. Three distinct China-aligned threat clusters operated simultaneously against the same target: Stately Taurus used USB-propagated USBFect/HIUPAN malware to deploy the PUBLOAD backdoor via ClaimLoader; CL-STA-1048 deployed an espionage toolkit including EggStremeFuel backdoor, Masol RAT, EggStreme Loader (delivering Gorem RAT with keylogging), and a novel infostealer named TrackBak; CL-STA-1049 used a novel DLL sideloading loader called Hypnosis to deploy FluffyGh0st RAT, linked to Unfading Sea Haze and Crimson Palace. The convergence of these clusters, each with distinct tooling but overlapping TTPs with known China-affiliated actors like Earth Estries and Crimson Palace, suggests coordinated strategic targeting for long-term persistent access and data exfiltration. Full IOCs including SHA256 hashes, IP addresses, and C2 domains are provided.

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

CL-STA-1049 - Stealthy Loader and FluffyGh0st RAT Deployment