Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government
Essential information
- Published: 27/03/2026 02:01
- Modified: 27/03/2026 09:29
- Tags: 2026-03-27 backdoor cl-sta-1048 cl-sta-1049 claimloader coolclient eggstremefuel fluffygh0st gorem hypnosis loader masol pubload stately taurus usbfect
- Related entities: 1 vulnerability (CVE), 34 observables, 19 techniques (MITRE), 10 malware, 9 others
Description
Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: Stately Taurus, CL-STA-1048, and CL-STA-1049. Stately Taurus used USB-propagated malware to deploy the PUBLOAD backdoor. CL-STA-1048 employed an espionage toolkit that included the EggStremeFuel backdoor, the Masol RAT, and other tools. CL-STA-1049 used a novel loader, Hypnosis, to deploy the FluffyGh0st RAT. All three clusters overlap significantly with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access to government networks and exfiltrate sensitive data from them. The convergence of multiple threat actors on a single target points to a complex, well-resourced operation with a common strategic objective.