Three China-linked activity clusters targeted a government organization in Southeast Asia in 2025 in a campaign that deployed multiple malware families, according to a technical analysis from Palo Alto Networks Unit 42. The report says the activity centered on persistent access and involved clusters tracked as Mustang Panda, CL-STA-1048, and CL-STA-1049.
KEY FACTS
- Target: A government organization in Southeast Asia.
- Timeframe: Activity ran from March through September 2025.
- Clusters: The campaigns were linked to Mustang Panda, CL-STA-1048 and CL-STA-1049.
- Malware: The operation used HIUPAN, PUBLOAD, EggStremeFuel, EggStremeLoader, MASOL RAT, TrackBak, Hypnosis Loader and FluffyGh0st.
The report says Mustang Panda activity between June 1 and Aug. 15, 2025, used a USB-based tool called HIUPAN to deliver the PUBLOAD backdoor through a rogue DLL named Claimloader. Researchers said the same victim network also contained COOLCLIENT, a backdoor that can download and upload files, record keystrokes, tunnel packets and capture port-mapping data.
CL-STA-1048, tracked from March to September 2025, used a different set of tools, including EggStremeFuel and EggStremeLoader. EggStremeLoader supports 59 backdoor commands and includes a variant that transfers files through Dropbox, while MASOL RAT and TrackBak were used for remote access and information theft.
CL-STA-1049 activity in April and August 2025 involved Hypnosis Loader, a DLL loader launched through DLL side-loading, which installed FluffyGh0st RAT. The initial access method for CL-STA-1048 and CL-STA-1049 remains unclear, according to the report.
The analysis said the three clusters overlap in tactics and targets and may reflect a coordinated effort tied to known China-aligned actors. It also said the campaigns appear designed to maintain long-term access to sensitive government networks rather than to cause immediate disruption.
WHY IT MATTERS
The activity shows how multiple intrusion sets can be used in parallel against the same target, complicating detection and attribution. Persistent access to government networks can expose sensitive data and create a base for future espionage operations.