Ethical Hacking News
In 2025, China-linked threat actors launched a complex cyber campaign targeting a Southeast Asian government, deploying multiple malware families and tools to gain persistent access to sensitive systems. The attack, attributed to three clusters of threat actors - Stately Taurus, CL-STA-1048, and CL-STA-1049 - showcased advanced tactics, techniques, and procedures (TTPs) employed by the threat actors to evade detection and maintain control over the targeted systems.
Researchers uncovered a complex cyber campaign by China-linked threat groups against a Southeast Asian government in 2025.
Three clusters of threat actors, Stately Taurus, CL-STA-1048, and CL-STA-1049, targeted the government entity, suggesting potential coordination between the groups.
Stately Taurus used PUBLOAD malware to spread laterally across multiple endpoints, while CL-STA-1048 deployed multiple espionage tools.
CL-STA-1049 used a stealthy "Hypnosis" DLL loader to deploy FluffyGh0st RAT, demonstrating advanced persistence and espionage capabilities.
The attackers aimed to gain long-term, persistent access to sensitive government networks rather than causing disruption.
In a recent report published by Palo Alto Networks, researchers have uncovered a complex and sophisticated cyber campaign carried out by China-linked threat groups against a Southeast Asian government in 2025. The campaign, which involved the deployment of multiple malware families, showcased advanced tactics, techniques, and procedures (TTPs) employed by the threat actors to gain persistent access to sensitive systems.
The report revealed that three clusters of threat actors, identified as Stately Taurus, CL-STA-1048, and CL-STA-1049, targeted the government entity in Southeast Asia. These clusters were found to overlap with publicly reported campaigns aimed at establishing persistent access, suggesting a common target of interest and potential coordination between the groups.
Stately Taurus, also known as Mustang Panda, was identified as the primary threat actor responsible for the campaign. The group spread PUBLOAD malware laterally across multiple endpoints within the government entity via USBFect-infected drives. This worm component automatically installed the malicious components and decrypted shellcode in memory.
The researchers observed that PUBLOAD collected and exfiltrated critical system information, including volume details, computer names, usernames, and system tick counts, over TCP with obfuscated TLS-like headers. The malware remained active on infected endpoints until mid-August 2025, indicating a prolonged presence within the targeted systems.
In addition to PUBLOAD operations, the investigation identified activity associated with CoolClient loaders, which employed advanced anti-disassembly techniques to evade analysis and relied on the HP-Socket library to maintain a flexible, multi-protocol client/server connection. CoolClient was found to upload and delete files, route network traffic, record keystrokes, and send port information, demonstrating its use in collecting data and moving through the network.
The CL-STA-1048 cluster deployed multiple espionage tools against the government entity, including EggStremeFuel, Masol RAT, EggStreme Loader (Gorem RAT), and TrackBak. These tools provided backdoor access, keylogging, and in-memory payload execution, and stole keystrokes, clipboard data, and network information.
Cluster CL-STA-1049 used a stealthy "Hypnosis" DLL loader to deploy FluffyGh0st RAT via DLL sideloading with a legitimate Bitdefender executable. The loader injected itself, maintained execution, then decrypted and loaded the final payload, which communicated with attacker-controlled C2 domains. FluffyGh0st enabled remote control and plugin-based functionality, showcasing advanced persistence and espionage capabilities.
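As an added example, not part of the article or of the Palo Alto Networks research it summarises, the following Python heuristic shows how a defender might surface the DLL sideloading pattern described above in image-load telemetry: a signed executable loading an unsigned DLL from its own directory, outside the usual program directories. The event format, the sample events, the paths and the trusted-directory list are all assumptions constructed for the example.

```python
# Added example (not from the article or the underlying research): a simple
# heuristic over constructed image-load events to surface DLL sideloading.
# Column names and the sample events are assumptions, not real telemetry.
import csv
from io import StringIO
from pathlib import PureWindowsPath

# Constructed sample events. Columns mirror common EDR/Sysmon image-load
# fields: the loading executable and its signature state, the DLL loaded
# and its signature state.
SAMPLE_EVENTS = """\
Image,ImageSigned,ImageLoaded,DllSigned
C:\\Program Files\\Vendor\\vendor.exe,true,C:\\Program Files\\Vendor\\helper.dll,true
C:\\Users\\Public\\Music\\scan.exe,true,C:\\Users\\Public\\Music\\log.dll,false
C:\\Windows\\System32\\svchost.exe,true,C:\\Windows\\System32\\ntdll.dll,true
C:\\ProgramData\\update\\update.exe,true,C:\\ProgramData\\update\\version.dll,false
"""

# Directories where vendor software normally lives; a signed vendor binary
# running from elsewhere is more suspicious. This list is an assumption.
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")

def is_sideload_candidate(event):
    """Flag a signed executable that loads an unsigned DLL from its own
    directory when that directory is outside the trusted roots."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    exe_dir = str(exe.parent).lower()
    same_dir = exe_dir == str(dll.parent).lower()
    exe_signed = event["ImageSigned"].strip().lower() == "true"
    dll_unsigned = event["DllSigned"].strip().lower() != "true"
    untrusted_dir = not exe_dir.startswith(TRUSTED_ROOTS)
    return same_dir and exe_signed and dll_unsigned and untrusted_dir

def find_sideloads(csv_text):
    """Return (executable, dll) pairs that match the heuristic."""
    reader = csv.DictReader(StringIO(csv_text))
    return [(row["Image"], row["ImageLoaded"])
            for row in reader if is_sideload_candidate(row)]

if __name__ == "__main__":
    for exe, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible sideload: {exe} loaded {dll}")
```

The heuristic is deliberately coarse; in production it would be paired with the signer identity of the executable and an allow-list of known vendor install paths to keep the false-positive rate manageable.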
The researchers concluded that the attackers' methodology indicated their intention to gain long-term, persistent access to sensitive government networks, rather than causing disruption. The use of diverse tool sets by the threat actors, including Stately Taurus's USB propagation, CL-STA-1048's multi-payload strategy, and CL-STA-1049's stealthy FluffyGh0st RAT, demonstrated their advanced capabilities.
The deployment of multiple malware families and tools by China-linked threat groups against a Southeast Asian government highlights the evolving landscape of cyber threats. The sophistication and persistence of these attacks underscore the need for robust cybersecurity measures and incident response strategies to mitigate the impact of such campaigns.
Related Information:
https://www.ethicalhackingnews.com/articles/Advanced-Malware-Campaigns-Target-Southeast-Asian-Government-A-Complex-Web-of-China-Linked-Threat-Actors-ehn.shtml
Published: Mon Mar 30 15:48:16 2026 by llama3.2 3B Q4_K_M