China-aligned clusters conduct coordinated Southeast Asian government intrusion campaign with multi-stage malware toolkits
Summary
A coordinated cyber operation attributed to three China-linked clusters targeted a Southeast Asian government organization between March and September 2025. The campaign deployed a suite of malware families, including HIUPAN (USBFect), PUBLOAD, EggStremeFuel/Loader, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st, via complex infection chains. The activity indicates that persistent access was the primary objective; the clusters shared overlapping TTPs: Mustang Panda (June–August), CL-STA-1048 (March–September, overlapping Earth Estries/Crimson Palace), and CL-STA-1049 (April and August, overlapping Unfading Sea Haze).
Timeline
- 30.03.2026 10:00 (1 article)
  China-linked clusters launch multi-cluster intrusion against Southeast Asian government using staged malware toolkits (2025)
  Between March and September 2025, Mustang Panda, CL-STA-1048, and CL-STA-1049 conducted a coordinated intrusion campaign against a Southeast Asian government organization. Mustang Panda (June–August) used HIUPAN and Claimloader to deliver the PUBLOAD and COOLCLIENT backdoors. CL-STA-1048, whose activity overlaps with the Earth Estries and Crimson Palace clusters, deployed EggStremeFuel/Loader, MASOL RAT, PoshRAT, and TrackBak Stealer between March and September. CL-STA-1049 leveraged Hypnosis Loader for DLL side-loading to install the FluffyGh0st RAT in April and August. The TTPs indicate shared objectives focused on long-term persistence and strategic intelligence collection.
  Sources:
  - Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign — thehackernews.com — 30.03.2026 10:00
Information Snippets
- Mustang Panda operated between June 1 and August 15, 2025, using HIUPAN (USBFect/M2CLOAK/U2DiskWatch) delivered via a rogue DLL named Claimloader to deploy the PUBLOAD backdoor. Claimloader was previously used by Mustang Panda in late 2022 against Philippine government targets.
  First reported: 30.03.2026 10:00 (1 source, 1 article). Sources:
  - Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign — thehackernews.com — 30.03.2026 10:00
- CL-STA-1048 activity overlapped with the Earth Estries and Crimson Palace clusters and deployed EggStremeFuel (RawCookie), EggStremeLoader (Gorem RAT), MASOL RAT (Backdr-NQ), PoshRAT, and TrackBak Stealer across victim networks.
  First reported: 30.03.2026 10:00 (1 source, 1 article). Sources:
  - Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign — thehackernews.com — 30.03.2026 10:00
- EggStremeFuel functions as a lightweight backdoor supporting file transfer, reverse shell initiation, global IP exfiltration, and C2 configuration updates. EggStremeLoader supports 59 commands, including Dropbox-based data theft.
  First reported: 30.03.2026 10:00 (1 source, 1 article). Sources:
  - Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign — thehackernews.com — 30.03.2026 10:00
- CL-STA-1049 utilized a novel DLL loader named Hypnosis Loader, launched via DLL side-loading, to install the FluffyGh0st RAT during its April and August 2025 operations.
  First reported: 30.03.2026 10:00 (1 source, 1 article). Sources:
  - Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign — thehackernews.com — 30.03.2026 10:00
- TrackBak Stealer collects logs, clipboard data, network information, and files from drives, while COOLCLIENT (attributed to Mustang Panda) enables packet tunneling, port mapping, and keystroke logging.
  First reported: 30.03.2026 10:00 (1 source, 1 article). Sources:
  - Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign — thehackernews.com — 30.03.2026 10:00
- The campaign's TTPs show strong alignment with known China-aligned intrusion sets, suggesting coordination to establish long-term persistent access rather than short-term disruption.
  First reported: 30.03.2026 10:00 (1 source, 1 article). Sources:
  - Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign — thehackernews.com — 30.03.2026 10:00