China-Linked Groups Target Southeast Asian Government with Advanced Malware
2026-03-30 18:05 | CRITICAL | HIGH
Executive Summary (AI-generated)
The threat landscape is increasingly shaped by China-linked groups running sophisticated cyber campaigns built on advanced malware families. These groups have been linked to multiple attacks across Southeast Asia in 2025 and earlier years, including the targeting of governments with PUBLOAD malware and the deployment of complex, well-funded operations. Overlaps in tooling and methods link these groups to China-affiliated activity and point to possible coordination between them.
Technical Mitigations (AI-generated)
* Use of secure boot and UEFI firmware: Ensure that the system's UEFI firmware is set to use secure boot, which can help prevent malware from loading during startup.
* Regularly update operating systems and software: Keep the operating system and all software up-to-date with the latest security patches and updates to ensure that any known vulnerabilities are addressed.
* Implement a firewall and an intrusion detection/prevention system (IDS/IPS): Configure the firewall and IDS/IPS to detect and block suspicious activity, such as unusual network traffic or unauthorized access attempts.
* Use antivirus software and keep it up-to-date: Install and regularly update antivirus software that is specifically designed for your operating system and has been tested against known malware threats.
Intelligence Metadata
Actors: Salt Typhoon, Mustang Panda
Malware: HIUPAN, Crimson, PUBLOAD
CVEs / Campaigns: none listed
Target & Sectors: APAC
Incident Timeline
June 1, 2025
USBFect is a worm that spreads via removable media, often used to propagate PUBLOAD for lateral movement and automatically installs malicious components.
attribution
Stately Taurus
malware
PUBLOAD
source_region
APAC
“On June 1, 2025, we detected PUBLOAD activity attributed to Stately Taurus across multiple endpoints at a government entity in Southeast Asia.” continues the report.
organisation
EVENT.dll
organisation
USBfect
organisation
ClaimLoader
organisation
USB
“USBfect is a worm that spreads via removable media, often used to propagate PUBLOAD for lateral movement.”
USBFect, a worm closely related to the previously documented HIUPAN family, enabled the malware to spread laterally across multiple endpoints, automatically installing malicious components such as EVENT.dll and using ClaimLoader to decrypt and execute shellcode in memory.
“Our investigation found the origin of this activity was likely a USB drive containing USBFect.”
August 15, 2025
Threat actors used a newly discovered advanced malware to target government entities in Southeast Asia.
August 2025
China-linked groups used PUBLOAD malware propagated via USBFect-infected drives to target a Southeast Asian government in 2025.
threat_actor
Mustang Panda
malware
Crimson
threat_actor
Salt Typhoon
organisation
CL-STA-1049
According to three Palo Alto researchers, the cyber activity in 2025 has been linked to three clusters: Mustang Panda (Stately Taurus), active between June and August; CL-STA-1048, overlapping with Earth Estries (aka Salt Typhoon) and Crimson Palace, active between March and September 2025; and CL-STA-1049, overlapping with Unfading Sea Haze, active in April and August 2025.
In 2025, the China-linked threat group Stately Taurus, also known as Mustang Panda, carried out a targeted cyber campaign against a Southeast Asian government, primarily leveraging PUBLOAD malware propagated via USBFect-infected drives.
organisation
SecurityAffairs
“Their primary goal was to continuously locate and exfiltrate data, as evidenced by the deployment of infostealers and comprehensive backdoors.”
Pierluigi Paganini (SecurityAffairs – hacking, China-linked groups)
organisation
CoolClient
organisation
HP-Socket
In addition to PUBLOAD operations, the investigation identified activity associated with CoolClient loaders, which employed advanced anti-disassembly techniques to evade analysis and relied on the HP-Socket library to maintain a flexible, multi-protocol client/server connection.
organisation
Stately Taurus
Together with PUBLOAD, CoolClient shows that Stately Taurus carefully planned the attack, keeping access to the systems, using multiple tools, and staying connected to important targets throughout the campaign.
organisation
EggStreme Loader
organisation
TrackBak
The researchers reported that in 2025, the CL-STA-1048 cluster deployed multiple espionage tools against a Southeast Asian target, including EggStremeFuel, Masol RAT, EggStreme Loader (Gorem RAT), and TrackBak.
organisation
EggStreme
Masol RAT and EggStreme Loader provided backdoor access, keylogging, and in-memory payload execution, while TrackBak stole keystrokes, clipboard data, and network info.
organisation
Palo Alto Networks
reads the report published by Palo Alto Networks.
organisation
Cluster CL-STA-1049
organisation
DLL
Cluster CL-STA-1049 used a stealthy “Hypnosis” DLL loader to deploy FluffyGh0st RAT via DLL sideloading with a legitimate Bitdefender executable.
organisation
CL-STA-1048’s
organisation
CL-STA-1049’s
“These well-resourced adversaries used diverse tool sets, including Stately Taurus’s USB propagation, CL-STA-1048’s multi-payload strategy and CL-STA-1049’s stealthy FluffyGh0st RAT.” concludes the report.
mid-August 2025
PUBLOAD exfiltrated sensitive data from targeted government entities over TCP, using obfuscated TLS-like headers, and remained active until mid-August 2025.
malware
PUBLOAD
organisation
TCP
PUBLOAD collected and exfiltrated critical system information, including volume details, computer names, usernames, and system tick counts, over TCP with obfuscated TLS-like headers, and remained active on infected endpoints until mid-August 2025.
September 2025
Threat actors in the CL-STA-1049 cluster, which overlaps with Unfading Sea Haze, used advanced malware to target a government in Southeast Asia.
threat_actor
Mustang Panda
malware
Crimson
threat_actor
Salt Typhoon
organisation
CL-STA-1049
According to three Palo Alto researchers, the cyber activity in 2025 has been linked to three clusters: Mustang Panda (Stately Taurus), active between June and August; CL-STA-1048, overlapping with Earth Estries (aka Salt Typhoon) and Crimson Palace, active between March and September 2025; and CL-STA-1049, overlapping with Unfading Sea Haze, active in April and August 2025.
Mar 30, 2026
Threat actors used a newly discovered advanced malware to target government entities in Southeast Asia.
Threat actors used China-linked advanced malware to target a government organization in Southeast Asia.
target_region
China
target_region
APAC
attribution
Threat Intelligence / Network Intrusion
Ravie Lakshmanan
Mar 30, 2026
Threat Intelligence / Network Intrusion
Three threat activity clusters aligned with China have targeted a government organization in Southeast Asia as part of what has been described as a "complex and well-resourced operation."
June - August 2025
Threat actors attributed to Mustang Panda (aka Stately Taurus) targeted a government in Southeast Asia between June and August 2025.
threat_actor
Mustang Panda
organisation
Stately Taurus
The activity has been attributed to the following clusters - June - August 2025: Mustang Panda (aka Stately Taurus).
March - September 2025
Activity cluster CL-STA-1048 deployed advanced malware against government entities in Southeast Asia.
malware
Crimson
organisation
Earth Estries
March - September 2025: CL-STA-1048, which overlaps with clusters publicly documented under the monikers Earth Estries and Crimson Palace.
April and August 2025 - CL-STA-1049
Activity cluster CL-STA-1049 used newly discovered advanced malware to target government entities in Southeast Asia.
between June 1 and August 15, 2025
Threat actors used a USB-based malware known as HIUPAN to deliver the PUBLOAD backdoor by means of a rogue DLL codenamed Claimloader.
threat_actor
Mustang Panda
malware
PUBLOAD
malware
HIUPAN
organisation
USB
organisation
DLL
organisation
Infection
Infection chain of CL-STA-1048 (figure)
The Mustang Panda activity, recorded between June 1 and August 15, 2025, entailed the use of a USB-based malware known as HIUPAN to deliver the PUBLOAD backdoor by means of a rogue DLL codenamed Claimloader.
2026-03-30
China-linked groups deployed advanced malware targeting a Southeast Asian government in 2025.
threat_actor
Mustang Panda
organisation
CoolClient
Additional analysis of the victim network has uncovered the deployment of COOLCLIENT, another known backdoor attributed to Mustang Panda for more than three years.
organisation
Hypnosis Loader
organisation
MISTCLOAK
organisation
U2DiskWatch
organisation
RawCookie
Threat actors deployed numerous malware types, including HIUPAN, PUBLOAD, EggStremeFuel/Loader, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st, showing advanced tactics and persistent access to sensitive systems.
The campaigns have led to the deployment of various malware families, including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL RAT, PoshRAT, TrackBak Stealer, RawCookie, Hypnosis Loader, and FluffyGh0st.
organisation
TrackBak
TrackBak, an information stealer that collects logs, clipboard data, network information, and files from drives.
organisation
EggStreme
organisation
IP
The tools used by CL-STA-1048 vary as they are noisy -
EggStremeFuel, a lightweight backdoor that's equipped to download/upload files, enumerate files and directories, start or terminate a reverse shell, send the current global IP address, and update the C2 configuration.
EggStremeLoader, another component of the EggStreme malware framework that's launched by EggStremeFuel.
organisation
Palo Alto Networks Unit
Activity timeline (figure)
"These activity clusters overlap with publicly reported campaigns aimed at establishing persistent access," Palo Alto Networks Unit 42 researchers Doel Santos and Hiroaki Hara said.
organisation
CL-STA-1049
The activity linked to CL-STA-1049, on the other hand, involves the use of a novel DLL loader called Hypnosis Loader, which is launched via DLL side-loading, to ultimately install FluffyGh0st RAT.
organisation
MASOL
organisation
Backdr-NQ
MASOL RAT (aka Backdr-NQ), a remote access trojan with file download/upload and arbitrary command execution features.
Intelligence Sources
The Hacker News
2026-03-30
Security Affairs
2026-03-30
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:47