{
  "name": "Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government",
  "slug": "converging-interests-analysis-of-threat-clusters-targeting-a-southeast-asian-government",
  "description": "Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: Stately Taurus, CL-STA-1048, and CL-STA-1049. Stately Taurus used USB-propagated malware to deploy the PUBLOAD backdoor. CL-STA-1048 employed an espionage toolkit that included the EggStremeFuel backdoor, the Masol RAT, and other tools. CL-STA-1049 utilized a novel Hypnosis loader to deploy the FluffyGh0st RAT. These clusters show significant overlap with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access and exfiltrate sensitive data from government networks. The convergence of multiple threat actors indicates a complex, well-resourced operation with a common strategic objective.",
  "published": "2026-03-27T01:01:01+00:00",
  "created_at": "2026-03-27T01:01:01+00:00",
  "modified_at": "2026-03-27T08:29:29+00:00",
  "created_at_opencti": "2026-03-27T01:01:01+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-27",
    "backdoor",
    "cl-sta-1048",
    "cl-sta-1049",
    "claimloader",
    "coolclient",
    "eggstremefuel",
    "fluffygh0st",
    "gorem",
    "hypnosis loader",
    "masol",
    "pubload",
    "stately taurus",
    "usbfect"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "103.122.164.106"
      },
      {
        "id": "",
        "name": "109.248.24.177"
      },
      {
        "id": "",
        "name": "120.89.46.135"
      },
      {
        "id": "",
        "name": "103.15.29.17"
      },
      {
        "id": "",
        "name": "103.131.95.107"
      },
      {
        "id": "",
        "name": "6caa78943939bd7518f5e7eaa44fa778d0db8b822e260d7fe281cf45513f82d9"
      },
      {
        "id": "",
        "name": "f07b2af21e3fab6af5166a44ca77ed0ebc7c9a3e623202a63d4c4492abce8d65"
      },
      {
        "id": "",
        "name": "e61a1f4269e934481f6cb19576b3dbc434952b01445fd4e1ebc6906a1b449ef8"
      },
      {
        "id": "",
        "name": "05995284b59ad0066350f43517382228f7eee63cd297e787b2a271f69ecf2dfc"
      },
      {
        "id": "",
        "name": "21fe238c462b2f22a7e97f1f06e4f12e8c6e5f3a6fffe671b671909b501fa537"
      },
      {
        "id": "",
        "name": "4b29b74798a4e6538f2ba245c57be82953383dc91fe0a91b984b903d12043e92"
      },
      {
        "id": "",
        "name": "35ca351a831c67f0e0a658a186be0065043e0977cb70771c03a24b0523edcf30"
      },
      {
        "id": "",
        "name": "1aa37a477c539edf25656a300002a28d4246ec83344422dd705b42d3443a2623"
      },
      {
        "id": "",
        "name": "6f4f76c7a2638087a0da6002cd2c76d1673305b1e850a1f4068f14755f59d45b"
      },
      {
        "id": "",
        "name": "c774fd7373084f93383593f0a40f56c8a8b95b73e59cd4fc7117daa6b7441e73"
      },
      {
        "id": "",
        "name": "74e7093615da36b28effb3aa6eef5a31e7ea59627bd619b488f087091e8d65e9"
      },
      {
        "id": "",
        "name": "84e37e42312b9a502c40cf1f3fc181e3ebd4f3e35c58bbf182740dfe38d3b6b9"
      },
      {
        "id": "",
        "name": "4e26aa1bb28874f0897ab9a08e61d4b99caaa395fe63cbe4398f7297371e388c"
      },
      {
        "id": "",
        "name": "2616dfadf8aa222303269eb7202c75e2a8fc5b05b6b63ae2cb7576b9a27733f9"
      },
      {
        "id": "",
        "name": "83f06fa37f1136f765f799851812f11060ab34df3b34bc61777acc59a30b4c6e"
      },
      {
        "id": "",
        "name": "e1672dab0daf1c84f14f7bb827851c27753da067490e10cd6144fe7873892fec"
      },
      {
        "id": "",
        "name": "34bf325492614dd4d842ec24f22a402ab73908cb91a74846945eae4775290ff2"
      },
      {
        "id": "",
        "name": "851d57a2bf514202f54dafa1eb83a862653be7512b6e9535914b8d1d719d495f"
      },
      {
        "id": "",
        "name": "6745422717f0ccdf2ae3330d133945268d4cd21215adcf982400d82b38ebeeca"
      },
      {
        "id": "",
        "name": "835795aa494021752f21fbef63c81227c1b934437a02aa1f2a258c9f60b0b7a3"
      },
      {
        "id": "",
        "name": "d4d753c6ea5c86a44c9a65cd0d4eaeabb072b19e0ef68ef7da3a879f689772c9"
      },
      {
        "id": "",
        "name": "e9b52577091c8e25e91c485216de34d5a26ab707a10b1e5cd31ed7aa055939d3"
      },
      {
        "id": "",
        "name": "9d7c8d3bc4ac108fb2602424a1f4918c051c2443f0526bbb2c970c8e57dbd90d"
      },
      {
        "id": "",
        "name": "07bd506d2a8db98c2478ac11bb6c46d84f1aa84f4a9af643804ed857ad7399c3"
      },
      {
        "id": "",
        "name": "29d4cc64c7c9b7ecd16d96e9c6dcde1fe22a4c2d202074aadf41cbcef494bc19"
      },
      {
        "id": "",
        "name": "58ed0463d4cb393cd09198a6409591b39cae06bb0ba5f5d760186de88410f6b8"
      },
      {
        "id": "",
        "name": "c47d55ad95a6c6ffac45c2b205e03bddadf5e36f55988599053b1fd0e49448a5"
      },
      {
        "id": "",
        "name": "f62223c9750fb2edfd979a8cae204cb9ce5e0950b52a47b62f195cd05dd3e2fb"
      },
      {
        "id": "",
        "name": "11c7728697d5ea11c592fee213063c6369340051157f71ddc7ca891f5f367720"
      }
    ],
    "malware": [
      {
        "id": "b1e5fdbb-52be-439d-9df8-317b25953639",
        "name": "Masol",
        "slug": "masol"
      },
      {
        "id": "51f6c0fd-ae88-4af7-98b5-a81797c7531e",
        "name": "TrackBak",
        "slug": "trackbak"
      },
      {
        "id": "316f008f-d739-4911-8eb6-ff5c3bfa7657",
        "name": "CoolClient",
        "slug": "coolclient"
      },
      {
        "id": "9a3da8af-2d3c-4566-9776-f83e7d277159",
        "name": "USBFect",
        "slug": "usbfect"
      },
      {
        "id": "legacy:malware:ef89c2c91ecc1b2e",
        "name": "ClaimLoader",
        "slug": "claimloader"
      },
      {
        "id": "legacy:malware:182ac196663d1cee",
        "name": "FluffyGh0st",
        "slug": "fluffygh0st"
      },
      {
        "id": "legacy:malware:0bad6ecd597c2325",
        "name": "EggStremeFuel",
        "slug": "eggstremefuel"
      },
      {
        "id": "legacy:malware:d8b0769056b8f92b",
        "name": "Gorem",
        "slug": "gorem"
      },
      {
        "id": "legacy:malware:6f06c9b71eb77d5a",
        "name": "PUBLOAD",
        "slug": "pubload"
      },
      {
        "id": "legacy:malware:3b34a57030e95cab",
        "name": "Hypnosis loader",
        "slug": "hypnosis-loader"
      }
    ],
    "attack_patterns": [
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "99a1fb98-1a01-485b-b90a-a9f362f41a84",
        "name": "T1091"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2026-0628"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "theuklg.com"
      },
      {
        "id": "",
        "name": "webmail.rpcthai.com"
      },
      {
        "id": "",
        "name": "popnike-share.com"
      },
      {
        "id": "",
        "name": "shepinspect.com"
      },
      {
        "id": "",
        "name": "fikksvex.com"
      },
      {
        "id": "",
        "name": "laichingte.net"
      },
      {
        "id": "",
        "name": "webmail.homesmountain.com"
      },
      {
        "id": "",
        "name": "distrilyy.net"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69c5e4ddc46bf7f11bc53115",
    "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/08_Nation-State-cyberattacks_1920x900.jpg",
    "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/"
  ]
}