A recent investigation has unveiled a sophisticated cyber espionage campaign aimed at a government body in Southeast Asia. The attackers employed an array of methods, including USB-spread malware, remote access trojans (RATs), and data-stealing tools, to infiltrate and maintain access to sensitive systems.
Coordinated Attack Linked to Chinese Threat Actors
This operation was active from June to August 2025, featuring three distinct clusters of malicious activity within the same network, each exhibiting strong ties to groups aligned with China. Despite utilizing different tools, all clusters appeared to share the objective of continuous access to high-value government data.
The first cluster was linked to Stately Taurus, a notorious threat actor using a USB worm known as USBFect, also referred to as HIUPAN, to deploy the PUBLOAD backdoor across government systems. Another cluster, identified as CL-STA-1048, employed tools like the EggStremeFuel backdoor, Masol RAT, EggStreme Loader, Gorem RAT, and the data theft tool TrackBak.
Advanced Toolkits and Persistent Access
The third cluster, labeled CL-STA-1049, adopted a more covert approach with a newly discovered loader called Hypnosis, used to deploy the FluffyGh0st RAT. Researchers from Unit 42 observed these clusters operating simultaneously, emphasizing their shared goal of maintaining prolonged access to the same government target.
Unit 42’s analysis outlines the connections and tools employed by these clusters, highlighting their links to previously identified threat groups. The convergence of three China-related clusters against a singular target underscores a well-resourced and organized operation.
Implications and Defense Strategies
The campaign’s potential damage extends beyond data theft, incorporating keyloggers, clipboard stealers, and reverse shells to monitor government operations comprehensively. TrackBak, used by CL-STA-1048, disguised itself as a Microsoft Edge log file, silently capturing keystrokes, clipboard data, and more.
USBFect’s USB-based propagation allowed it to spread silently across government systems. The malware copies itself onto newly inserted drives, carrying the infection to any machine they are later plugged into, while disguising its files as legitimate system components.
Organizations safeguarding sensitive government information should implement stringent USB access controls, disable AutoRun for removable devices, and monitor for unusual DLL loading activities. Proactive behavioral detection and updated endpoint monitoring are crucial to intercept these threats before they cause significant harm.
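As an added example (not from the article or from Unit 42), the following PowerShell script applies the two host-side controls named above on a Windows endpoint: it sets the documented AutoRun policy value for all drive types and audits the root of every removable drive for executables, DLLs, shortcuts and autorun.inf files, the placement a USB worm relies on. The function name and the output fields are this example's own choices; the registry path and value are Microsoft's documented AutoRun policy.

```powershell
#Requires -RunAsAdministrator
# Added example: disable AutoRun for all drive types and audit removable-drive roots.

# Microsoft's AutoRun policy lives here; 0xFF (255) disables AutoRun on every drive type.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRunAllDrives {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # Return the value actually stored so the caller can confirm it took effect.
    (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
}

function Get-RemovableDriveStagedFiles {
    # DriveType 2 = removable media (USB sticks, SD cards). Only the drive root is
    # inspected because that is where a worm places the files a user will launch.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $removable) {
        $root = $drive.DeviceID + '\'
        Get-ChildItem -Path $root -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.lnk', '.inf' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Drive     = $drive.DeviceID
                    File      = $_.Name
                    # Hidden executables in a drive root are a classic masquerading sign.
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    # 'NotSigned' or 'HashMismatch' on something named like a system
                    # component deserves a closer look; 'Valid' alone is not proof of safety.
                    Signature = $sig.Status
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$stored = Disable-AutoRunAllDrives
Write-Host "NoDriveTypeAutoRun now set to $stored (expected 255)."
# Format as a table for an analyst; pipe to Export-Csv to keep a record of the sweep.
Get-RemovableDriveStagedFiles | Format-Table -AutoSize
```

Any EXE found beside a same-named or system-named DLL in a drive root is worth correlating with DLL-load telemetry (for example Sysmon Event ID 7) on the hosts the drive has visited.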