216.73.217.22

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

· Published 27/03/2026 02:01 · Modified 27/03/2026 09:29

Export JSON

Essential information

Published
27/03/2026 02:01
Modified
27/03/2026 09:29
Tags
2026-03-27 backdoor cl-sta-1048 cl-sta-1049 claimloader coolclient eggstremefuel fluffygh0st gorem hypnosis loader masol pubload stately taurus usbfect
Related entities
1 vulnerabilities (cve), 34 observables, 19 techniques (mitre), 10 malware, 9 others

Description

Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: , , and . used USB-propagated malware to deploy the . employed an espionage toolkit including , RAT, and other tools. utilized a novel to deploy RAT. These clusters show significant overlap with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access and exfiltrate sensitive data from government networks. The convergence of multiple threat actors indicates a complex, well-resourced operation with a common strategic objective.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (1)

CVE-2026-0628
8.8 High

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …

Attack vector
NETWORK
Published
07/01/2026
Modified
09/03/2026
Undergoing Analysis

Observables (34)

  • 103.122.164.106
  • 109.248.24.177
  • 120.89.46.135
  • 103.15.29.17
  • 103.131.95.107
  • 6caa78943939bd7518f5e7eaa44fa778d0db8b822e260d7fe281cf45513f82d9
  • f07b2af21e3fab6af5166a44ca77ed0ebc7c9a3e623202a63d4c4492abce8d65
  • e61a1f4269e934481f6cb19576b3dbc434952b01445fd4e1ebc6906a1b449ef8
  • 05995284b59ad0066350f43517382228f7eee63cd297e787b2a271f69ecf2dfc
  • 21fe238c462b2f22a7e97f1f06e4f12e8c6e5f3a6fffe671b671909b501fa537
  • 4b29b74798a4e6538f2ba245c57be82953383dc91fe0a91b984b903d12043e92
  • 35ca351a831c67f0e0a658a186be0065043e0977cb70771c03a24b0523edcf30
  • 1aa37a477c539edf25656a300002a28d4246ec83344422dd705b42d3443a2623
  • 6f4f76c7a2638087a0da6002cd2c76d1673305b1e850a1f4068f14755f59d45b
  • c774fd7373084f93383593f0a40f56c8a8b95b73e59cd4fc7117daa6b7441e73
  • 74e7093615da36b28effb3aa6eef5a31e7ea59627bd619b488f087091e8d65e9
  • 84e37e42312b9a502c40cf1f3fc181e3ebd4f3e35c58bbf182740dfe38d3b6b9
  • 4e26aa1bb28874f0897ab9a08e61d4b99caaa395fe63cbe4398f7297371e388c
  • 2616dfadf8aa222303269eb7202c75e2a8fc5b05b6b63ae2cb7576b9a27733f9
  • 83f06fa37f1136f765f799851812f11060ab34df3b34bc61777acc59a30b4c6e
  • e1672dab0daf1c84f14f7bb827851c27753da067490e10cd6144fe7873892fec
  • 34bf325492614dd4d842ec24f22a402ab73908cb91a74846945eae4775290ff2
  • 851d57a2bf514202f54dafa1eb83a862653be7512b6e9535914b8d1d719d495f
  • 6745422717f0ccdf2ae3330d133945268d4cd21215adcf982400d82b38ebeeca
  • 835795aa494021752f21fbef63c81227c1b934437a02aa1f2a258c9f60b0b7a3
  • d4d753c6ea5c86a44c9a65cd0d4eaeabb072b19e0ef68ef7da3a879f689772c9
  • e9b52577091c8e25e91c485216de34d5a26ab707a10b1e5cd31ed7aa055939d3
  • 9d7c8d3bc4ac108fb2602424a1f4918c051c2443f0526bbb2c970c8e57dbd90d
  • 07bd506d2a8db98c2478ac11bb6c46d84f1aa84f4a9af643804ed857ad7399c3
  • 29d4cc64c7c9b7ecd16d96e9c6dcde1fe22a4c2d202074aadf41cbcef494bc19
  • 58ed0463d4cb393cd09198a6409591b39cae06bb0ba5f5d760186de88410f6b8
  • c47d55ad95a6c6ffac45c2b205e03bddadf5e36f55988599053b1fd0e49448a5
  • f62223c9750fb2edfd979a8cae204cb9ce5e0950b52a47b62f195cd05dd3e2fb
  • 11c7728697d5ea11c592fee213063c6369340051157f71ddc7ca891f5f367720

Techniques (MITRE) (19)

  • T1003
    OS Credential Dumping
  • T1078
    Valid Accounts
  • T1547
    Boot or Logon Autostart Execution
  • T1056
    Input Capture
  • T1036
    Masquerading
  • T1055
    Process Injection
  • T1573
    Encrypted Channel
  • T1091
    Replication Through Removable Media
  • T1068
    Exploitation for Privilege Escalation
  • T1132
    Data Encoding
  • T1204
    User Execution
  • T1027
    Obfuscated Files or Information
  • T1219
    Remote Access Tools
  • T1059
    Command and Scripting Interpreter
  • T1574.002
  • T1102
    Web Service
  • T1021
    Remote Services
  • T1071
    Application Layer Protocol
  • T1567
    Exfiltration Over Web Service

Malware (10)

  • Masol
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 27/03/2026 10:28 · Modified 27/03/2026 10:28
  • TrackBak
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 27/03/2026 10:28 · Modified 27/03/2026 10:28
  • CoolClient
    Family
    Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
  • USBFect
    Family
    Published 27/03/2026 02:01 · Modified 27/03/2026 02:01
  • ClaimLoader
    Family
    Published 27/03/2026 02:01 · Modified 27/03/2026 02:01
  • FluffyGh0st
    Family
    Published 27/03/2026 02:01 · Modified 27/03/2026 02:01
  • EggStremeFuel
    Family
    Published 27/03/2026 02:01 · Modified 27/03/2026 02:01
  • Gorem
    Family
    Published 27/03/2026 02:01 · Modified 27/03/2026 02:01
  • PUBLOAD
    Family
    Published 07/04/2026 11:11 · Modified 07/04/2026 11:11
  • Hypnosis loader
    Family
    Published 27/03/2026 02:01 · Modified 27/03/2026 02:01

Others (9)

  • Government
  • theuklg.com
  • webmail.rpcthai.com
  • popnike-share.com
  • shepinspect.com
  • fikksvex.com
  • laichingte.net
  • webmail.homesmountain.com
  • distrilyy.net

External references