China-linked Cyberespionage Strikes Southeast Asian Government with Multiple RATs
Palo Alto Networks Unit 42 uncovered a coordinated cyberespionage campaign that targeted a Southeast Asian government between June and August 2025. At least three China-linked activity clusters took part, and Unit 42 described the campaign as complex and well-resourced.
What Unit 42 found
Unit 42 researchers Doel Santos and Hiroaki Hara tracked activity they attribute to Mustang Panda, plus two clusters they label CL-STA-1048 and CL-STA-1049.
The researchers wrote that ‘these activity clusters overlap with publicly reported campaigns aimed at establishing persistent access.’ The clusters used distinct toolsets, but they worked toward the same goal: long-term access to sensitive government networks.
How the attackers gained access
One cluster relied on USB propagation. Unit 42 found a worm family it calls USBFect, which it says is the same family Trend Micro documented as HIUPAN in 2024. USBFect spreads via removable drives and drops ClaimLoader, which loads the PUBLOAD backdoor in memory. Cisco Talos first documented PUBLOAD in 2022; Unit 42 observed PUBLOAD variants that use TCP for command and control.
Another cluster used noisy, multi-payload toolkits. Unit 42 observed EggStremeFuel, EggStremeLoader, Masol RAT, TrackBak stealer, and related tools. EggStremeFuel stores encrypted C2 settings in a Cookies.dat file and uses RC4 for session encryption, Unit 42 said. Masol RAT has an HTTP-based command channel and AES-encrypted POSTs, a technique Sophos and Trend Micro reported previously.
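The RC4 session encryption and the encrypted Cookies.dat settings mentioned above are a common pattern in this kind of tooling, and an analyst's first job with such a file is usually to recover the C2 settings from it. The following is an added example, not Unit 42's code and not taken from any of the malware families named here: a minimal RC4 implementation plus a candidate-key loop that accepts a decryption only when the result parses as a plausible config. The key, the config layout ("host:port;sleep=N;") and the blob are all constructed for the demo; the article does not state which cipher protects the stored file, how the key is derived, or what the real layout looks like.

```python
import re
from typing import Iterable, Iterator, Optional


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Generate the RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Hypothetical config layout used only for this demo: "host:port;sleep=<seconds>;".
# The article does not describe the real layout of Cookies.dat.
CONFIG_RE = re.compile(rb"^([A-Za-z0-9.\-]+):(\d{1,5});sleep=(\d+);$")


def parse_config(plain: bytes) -> Optional[dict]:
    """Return parsed C2 settings, or None if the bytes do not look like a config.
    RC4 has no integrity check, so a wrong key yields pseudo-random bytes and
    this plausibility test doubles as the key check."""
    m = CONFIG_RE.match(plain)
    if not m:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None
    return {"host": m.group(1).decode(), "port": port, "sleep": int(m.group(3))}


def recover_config(blob: bytes, candidate_keys: Iterable[bytes]) -> Optional[dict]:
    """Try each candidate key (strings carved from the loader, hard-coded constants,
    ...) and return the first decryption that parses as a config, tagged with the key."""
    for key in candidate_keys:
        cfg = parse_config(rc4_crypt(key, blob))
        if cfg is not None:
            cfg["key"] = key
            return cfg
    return None


# Constructed sample: the "Cookies.dat" contents are generated here for the demo,
# not carved from any real sample, and the key is invented.
DEMO_KEY = b"demo-rc4-key"
DEMO_PLAIN = b"c2.example.invalid:8443;sleep=300;"
DEMO_BLOB = rc4_crypt(DEMO_KEY, DEMO_PLAIN)

if __name__ == "__main__":
    print(recover_config(DEMO_BLOB, [b"wrong-key", b"another-guess", DEMO_KEY]))
```

The plausibility check matters because RC4 gives no error on a wrong key; without a structural test every candidate "decrypts". The same loop works for session traffic captured from the wire, with a different parser for the message framing, since the cipher is the same in both directions.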
Stealthy loaders and RATs
A third cluster used DLL sideloading. Unit 42 named a previously undocumented loader Hypnosis. A legitimate Bitdefender executable was abused to sideload it, and the loader then installed FluffyGh0st RAT. Bitdefender and Sophos have both tracked FluffyGh0st or related Gh0st RAT derivatives in prior China-affiliated campaigns. Unit 42 linked network telemetry for the final payload to domains that were likely abused as C2 endpoints.
What the malware did
The toolset shows classic espionage features. Unit 42 noted backdoors performed file upload and download, remote shell execution, keylogging, clipboard capture, and network enumeration.
CoolClient provided tunneling and port mapping, USBFect enabled removable media spread, and Gorem RAT delivered a user-mode keylogger and more than 50 backdoor commands, Unit 42 said. TrackBak acted as an infostealer that collected logs, clipboard data, and files for exfiltration.
Why attribution matters
Unit 42 tied the activity to known China-aligned campaigns through shared tactics, techniques and procedures, and overlapping tooling. The researchers warned that Chinese threat actors often reuse or share malware, so exact group boundaries can blur. Unit 42 stated, ‘The convergence of these activity clusters, all of which show links to known China-aligned actors, points to a coordinated effort to achieve a common strategic goal.’
How defenders can respond
Unit 42 and other vendors recommend that defenders monitor for USB propagation behaviors (executables or shortcut files written to removable media), DLL sideloading (a legitimate binary loading an unsigned DLL from the same user-writable directory), and unusual C2 patterns such as regularly timed beaconing. Palo Alto Networks highlighted protections in its Advanced WildFire, Cortex XDR, and URL and DNS filtering products. Trend Micro, Bitdefender, Sophos, and Cisco Talos have published detection notes and indicators that defenders can apply, Unit 42 said.
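The three behaviors the vendors recommend watching for can each be expressed as a simple rule over endpoint telemetry. The block below is an added example, not Unit 42's detection content and not any vendor's product logic: three heuristics run over constructed Sysmon-style events (image load, file create, network connect). All hosts, paths, addresses and the `drive_type` field are invented for the demo; Sysmon itself does not tag file events with a drive type, so that field stands in for an enrichment step the collector would have to do.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Install roots from which a signed vendor binary normally loads its own DLLs.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PAYLOAD_EXTENSIONS = {".exe", ".dll", ".lnk", ".scr"}


def _dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash, for prefix tests."""
    return str(PureWindowsPath(path).parent).lower() + "\\"


def detect_sideloading(events):
    """Signed EXE loading an unsigned DLL from its own directory, outside a trusted root."""
    hits = []
    for e in events:
        if e["type"] != "image_load":
            continue
        exe_dir, dll_dir = _dir(e["image"]), _dir(e["image_loaded"])
        if exe_dir != dll_dir or exe_dir.startswith(TRUSTED_ROOTS):
            continue
        if e.get("image_signed") and not e.get("dll_signed"):
            hits.append(("dll_sideload", e["image"], e["image_loaded"]))
    return hits


def detect_usb_drop(events):
    """Executable or shortcut written to a removable drive (worm-style propagation)."""
    return [("usb_payload_write", e["image"], e["target"]) for e in events
            if e["type"] == "file_create" and e.get("drive_type") == "removable"
            and PureWindowsPath(e["target"]).suffix.lower() in PAYLOAD_EXTENSIONS]


def detect_beaconing(events, min_connections=6, max_cv=0.15):
    """Per (process, destination), flag near-constant connection intervals.
    A low coefficient of variation means a timer-driven beacon; browsers are bursty."""
    by_dest = defaultdict(list)
    for e in events:
        if e["type"] == "net_connect":
            by_dest[(e["image"], e["dest"])].append(e["ts"])
    hits = []
    for (image, dest), times in by_dest.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(("beacon", image, dest, round(mean, 1)))
    return hits


def run_all(events):
    return {"sideload": detect_sideloading(events),
            "usb": detect_usb_drop(events),
            "beacon": detect_beaconing(events)}


# Constructed Sysmon-style events (hypothetical hosts, paths and addresses).
T0 = datetime(2025, 7, 1, 9, 0, 0)
SUSPECT = r"C:\Users\bob\AppData\Local\Temp\vendor.exe"   # signed vendor EXE copied to %TEMP%
SAMPLE_EVENTS = [
    # sideloading: unsigned DLL beside a signed EXE in a user-writable directory
    {"type": "image_load", "image": SUSPECT,
     "image_loaded": r"C:\Users\bob\AppData\Local\Temp\log.dll",
     "image_signed": True, "dll_signed": False},
    # benign: the same vendor EXE loading its DLL from its install directory
    {"type": "image_load", "image": r"C:\Program Files\Vendor\vendor.exe",
     "image_loaded": r"C:\Program Files\Vendor\log.dll",
     "image_signed": True, "dll_signed": False},
    # USB: a shortcut dropped on a removable drive vs. a user saving a document
    {"type": "file_create", "image": SUSPECT, "target": r"E:\docs.lnk", "drive_type": "removable"},
    {"type": "file_create", "image": r"C:\Program Files\Office\winword.exe",
     "target": r"E:\report.docx", "drive_type": "removable"},
]
# timer-driven beacon roughly every 60 s with small jitter
SAMPLE_EVENTS += [{"type": "net_connect", "image": SUSPECT, "dest": "203.0.113.10:443",
                   "ts": T0 + timedelta(seconds=s)} for s in (0, 61, 119, 181, 240, 299, 361, 419)]
# bursty browser traffic with the same number of connections
SAMPLE_EVENTS += [{"type": "net_connect", "image": r"C:\Program Files\Browser\browser.exe",
                   "dest": "198.51.100.5:443", "ts": T0 + timedelta(seconds=s)}
                  for s in (0, 3, 40, 41, 200, 205, 900, 903)]

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The sideloading rule deliberately requires both signals (co-located DLL and a non-install directory) so that a vendor's own product loading its own DLLs from Program Files does not fire; the beaconing rule is the one that needs tuning per environment, since software updaters also poll on fixed timers and will show up as beacons until allow-listed.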
In short, the operation used multiple proven techniques. The attackers sought persistence and data access. The level of coordination and tooling variety shows this was not opportunistic noise. It was sustained espionage aimed at a high-value target, Unit 42 concluded.
#cybersecurity #cyberespionage #malware #Unit42 #threatintel #infosec