Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign

1. Executive Summary
This report details a sophisticated, multi-cluster cyber campaign targeting a Southeast Asian government entity between June 1 and August 15, 2025. Three distinct China-aligned threat activity clusters, exhibiting strong TTP overlap and employing a diverse arsenal of malware including backdoors, RATs, and loaders, were observed. The primary objective appears to be the establishment of long-term, persistent access to sensitive government networks. While specific initial access vectors for two clusters remain unconfirmed, the coordinated nature and shared TTPs suggest a strategic, state-sponsored effort. The CVSS score is not publicly disclosed for this campaign. The severity is classified as Critical due to the targeting of a government entity with the intent of persistent espionage and the use of advanced malware.
2. Technical Vulnerability Analysis
No specific CVEs or software vulnerabilities are detailed in the provided article. The attack vectors described are primarily malware-based delivery and execution, rather than exploitation of known software flaws.
- CVE ID and Details: Not publicly disclosed.
- Root Cause (Code-Level): Not publicly disclosed. The article focuses on malware execution and delivery mechanisms rather than specific software vulnerabilities.
- Affected Components: The primary affected component is the targeted Southeast Asian government entity's network infrastructure. Specific software or hardware vulnerabilities are not identified.
- Attack Surface: The attack surface is broad and includes:
  - Removable Media: Exploited by HIUPAN (USBFect) via USB drives.
  - DLL Loading Mechanisms: Exploited by Hypnosis Loader through DLL side-loading.
  - Execution Environments: Any system capable of running the deployed malware (e.g., Windows endpoints).
  - Network Services: Potentially exploited for lateral movement or C2 communication, though specific protocols are not detailed.
3. Exploitation Analysis (Red-Team Focus)
The article describes a multi-faceted campaign with distinct TTPs for each cluster, indicating a deliberate and potentially coordinated effort.
Red-Team Exploitation Steps:
Cluster 1 (Likely Mustang Panda):
- Prerequisites: Access to a physical or logical path to introduce a compromised USB drive into the target environment.
- Access Requirements: Physical access to an endpoint or the ability to influence users to insert a compromised USB drive.
- Exploitation Steps:
  - A user inserts a compromised USB drive containing HIUPAN malware.
  - HIUPAN, masquerading as a legitimate DLL (Claimloader.dll), is executed, potentially via DLL side-loading or other execution vectors triggered by USB insertion.
  - HIUPAN establishes persistence and acts as a delivery mechanism for the PUBLOAD backdoor.
  - PUBLOAD is deployed, establishing a backdoor.
  - Further reconnaissance or lateral movement may occur, leading to the deployment of COOLCLIENT, a more established backdoor.
- Payload Delivery: HIUPAN delivers PUBLOAD. PUBLOAD and COOLCLIENT establish persistent command and control (C2).
- Post-Exploitation: COOLCLIENT provides capabilities for file transfer, keystroke logging, packet tunneling, and network information gathering, enabling further compromise and intelligence exfiltration.
Cluster 2 (CL-STA-1048):
- Prerequisites: Unknown. Potential vectors include phishing, exploitation of unpatched vulnerabilities, or compromised credentials.
- Access Requirements: Unknown. Could range from unauthenticated remote access to post-authenticated user-level access.
- Exploitation Steps:
  - Initial access is gained through an unknown vector.
  - EggStremeFuel (RawCookie), EggStremeLoader (Gorem RAT), MASOL RAT, PoshRAT, or TrackBak Stealer are deployed.
  - These tools are used for establishing persistence, data exfiltration, and potentially further lateral movement.
- Payload Delivery: Various malware families are delivered to establish presence and functionality.
- Post-Exploitation: Data theft (TrackBak Stealer), remote control (RATs), and system compromise.
Cluster 3 (CL-STA-1049):
- Prerequisites: Unknown. Potential vectors include phishing, exploitation of unpatched vulnerabilities, or compromised credentials.
- Access Requirements: Unknown. Could range from unauthenticated remote access to post-authenticated user-level access.
- Exploitation Steps:
  - Initial access is gained through an unknown vector.
  - A novel DLL loader, Hypnosis Loader, is deployed.
  - Hypnosis Loader utilizes DLL side-loading to execute.
  - Upon successful execution, Hypnosis Loader deploys the FluffyGh0st RAT.
- Payload Delivery: Hypnosis Loader delivers FluffyGh0st RAT.
- Post-Exploitation: FluffyGh0st RAT provides remote access and control capabilities for espionage and data exfiltration.
Public PoCs and Exploits: No specific public Proof-of-Concepts (PoCs) or exploits are mentioned for the malware families used. The article describes the malware's functionality and deployment methods.
Exploitation Prerequisites:
- Cluster 1: User interaction with a compromised USB drive.
- Cluster 2 & 3: Unknown, but likely involve vulnerabilities, phishing, or credential compromise.
Automation Potential:
- Cluster 1: HIUPAN's USB-based delivery could be automated if a large number of compromised USBs are distributed. The subsequent deployment of PUBLOAD and COOLCLIENT might involve manual steps or further automated delivery.
- Cluster 2 & 3: The extent of automation is unknown. RATs and stealers can be configured for automated data exfiltration. DLL side-loading can be automated once the initial loader is present.
- Worm-like Propagation: Not explicitly stated, but the use of USB malware and potential for lateral movement could facilitate worm-like behavior if not contained.
Attacker Privilege Requirements:
- Cluster 1: Initially requires physical access or user interaction for USB insertion. Post-compromise, privilege escalation might be necessary for deeper network access.
- Cluster 2 & 3: Unknown. Could range from unauthenticated remote access to low-privilege user access, potentially escalating later.
Worst-Case Scenario:
- Confidentiality: Complete compromise of sensitive government data, including classified information, intelligence reports, and citizen data. Long-term persistent access allows for continuous exfiltration and surveillance.
- Integrity: Potential for data tampering or introduction of malicious code into critical systems, impacting government operations and decision-making.
- Availability: While not the primary focus, persistent access could be leveraged for denial-of-service attacks or disruption of critical government functions if the attackers' objectives shift.
4. Vulnerability Detection (SOC/Defensive Focus)
Detection strategies should focus on the specific malware families, delivery mechanisms, and observed TTPs.
How to Detect if Vulnerable:
- File System Scans: Search for known malicious file names and hashes associated with the mentioned malware families.
  - HIUPAN: Look for Claimloader.dll in non-standard directories (e.g., user profiles, temporary folders, root of removable drives).
  - Hypnosis Loader: Look for the loader executable and the malicious DLL it side-loads in suspicious locations.
- Process Monitoring: Monitor for the execution of suspicious processes, especially those that load DLLs from unusual paths.
- USB Device Auditing: Log and monitor all USB device insertions and file activity on removable media.
- Network Traffic Analysis: Monitor for C2 communication patterns associated with known backdoors and RATs.
Indicators of Compromise (IOCs):
- File Hashes: Not publicly disclosed in the article.
- Network Indicators:
  - Domains/IPs associated with C2 servers for PUBLOAD, COOLCLIENT, Gorem RAT, MASOL RAT, PoshRAT, FluffyGh0st RAT. (Not publicly disclosed).
  - Suspicious network traffic patterns indicative of data exfiltration or remote control.
- Process Behavior Patterns:
  - Execution of Claimloader.dll or other known malicious DLLs from non-standard locations.
  - Processes attempting to load DLLs from user-writable directories.
  - Execution of known malware executables (e.g., Gorem RAT, MASOL RAT, PoshRAT, FluffyGh0st RAT).
  - Unusual network connections initiated by seemingly legitimate processes.
- Registry/Config Changes: Not detailed in the article, but persistence mechanisms often involve registry modifications.
- Log Signatures:
  - Endpoint security logs indicating suspicious DLL loading events.
  - USB device connection logs showing unusual activity or file creation.
  - Process creation logs for known malicious executables.
SIEM Detection Queries:
1. Detection Rule for Suspicious DLL Side-Loading (Sigma Format):
This rule aims to detect potential DLL side-loading by identifying processes loading DLLs from non-standard, user-writable directories. DLL loads are image-load events (Sysmon Event ID 7), so the logsource category is image_load rather than process_creation; the selection below matches only on the loaded image path, since there is no separate directory field in that event.

    title: Suspicious DLL Side-Loading Attempt
    id: 91a2b3c4-d5e6-7f89-0123-456789abcdef
    status: experimental
    description: Detects processes loading DLLs from user-writable directories or common staging locations, indicative of DLL side-loading.
    author: RedTeamAI_Analyst
    date: 2026/03/30
    references:
        - https://thehackernews.com/2026/03/three-china-linked-clusters-target.html
    logsource:
        category: image_load
        product: windows
    detection:
        selection:
            ImageLoaded|endswith: '.dll'
            # User-writable and staging directories; standard system DLL directories are deliberately absent from this list
            ImageLoaded|contains:
                - '\AppData\'
                - '\Temp\'
                - '\Downloads\'
                - '\Users\'        # Broadly target user profile directories
                - '\ProgramData\'  # Sometimes used for persistence
        condition: selection
    falsepositives:
        - Legitimate software installers or updaters (rarely, but possible).
        - Developer tools or custom applications.
    level: high
    tags:
        - attack.execution
        - attack.t1574.002 # DLL Side-Loading
        - windows
        - malware

2. KQL Query for HIUPAN-related File Activity:
This query searches for the presence of Claimloader.dll in non-standard locations, a key indicator for HIUPAN.

    // KQL Query: HIUPAN Malware Indicator - Suspicious Claimloader.dll Presence
    DeviceFileEvents
    | where FileName =~ "Claimloader.dll"
    | where FolderPath !contains "C:\\Windows"
        and FolderPath !contains "C:\\Program Files"
        and FolderPath !contains "C:\\Program Files (x86)"
    // Example for removable drives; adjust drive letters to the environment's fixed-disk layout
    | extend IsRemovableMedia = FolderPath startswith "E:\\" or FolderPath startswith "F:\\"
    | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, IsRemovableMedia, AccountName
    // Focus on suspicious locations
    | where IsRemovableMedia or FolderPath contains "Temp" or FolderPath contains "Downloads" or FolderPath contains "Users"
    | summarize count() by DeviceName, FileName, FolderPath, AccountName, IsRemovableMedia

Behavioral Indicators:
- Unusual DLL Loading: Processes loading DLLs from user-writable directories or temporary file locations.
- Suspicious Process Execution: Execution of unknown executables or DLLs from user profiles, download folders, or removable media.
- Persistence Mechanisms: Creation of scheduled tasks, services, or registry run keys pointing to malicious executables or DLLs.
- Data Exfiltration: Outbound network connections from endpoints to unusual external IPs or domains, especially if carrying large amounts of data or using non-standard ports.
- Keystroke Logging: Detection of processes actively capturing keyboard input.
- Packet Tunneling: Unusual network traffic patterns that suggest tunneling or proxying of network traffic.
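As an added example (not code from the report or from Unit 42), the following Python script applies the same logic as the Sigma rule and KQL query above to constructed Sysmon-style image-load (Event ID 7) and file-create (Event ID 11) events, so the rules can be exercised offline as in the "Test Detection Rules" step of section 8. The key=value event line format, the host names, the fixed-drive letters C: and D:, and all sample paths are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Added example, not code from the report or Unit 42: scores constructed Sysmon-style
# events (ID 7 = image load, ID 11 = file create) against the report's indicators: DLLs
# loaded from user-writable paths (T1574.002), Claimloader.dll outside standard dirs, and DLLs on removable media.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\", "\\programdata\\")
HIUPAN_NAMES = ("claimloader.dll",)
FIXED_DRIVES = ("c", "d")  # assumption for the lab host; any other drive letter counts as removable
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    process: str
    path: str

def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key=Value' line; values may contain spaces (e.g. Program Files)."""
    return {k: v.strip() for k, v in _KV.findall(line)}

def is_removable(path: str) -> bool:
    m = re.match(r"^([a-z]):\\", path.lower())
    return bool(m) and m.group(1) not in FIXED_DRIVES

def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def evaluate(evt: dict) -> list:
    """Return the findings one event triggers; one event may hit several rules."""
    host, proc, eid = evt.get("Computer", "?"), evt.get("Image", "?"), evt.get("EventID")
    path = evt.get("ImageLoaded", "") if eid == "7" else evt.get("TargetFilename", "")
    name = path.lower().rsplit("\\", 1)[-1]
    if not name.endswith(".dll"):
        return []
    findings = []
    # Rule 1 (image load): DLL resolved from a user-writable or removable path, not a system directory.
    if eid == "7" and not in_trusted_dir(path) and (in_user_writable(path) or is_removable(path)):
        findings.append(Finding(host, "dll_load_from_user_writable_or_removable", proc, path))
    # Rule 2 (file create): a DLL written to removable media, for the USB auditing control.
    if eid == "11" and is_removable(path):
        findings.append(Finding(host, "dll_written_to_removable_media", proc, path))
    # Rule 3 (either event): HIUPAN's masquerading file name outside standard locations.
    if eid in ("7", "11") and name in HIUPAN_NAMES and not in_trusted_dir(path):
        findings.append(Finding(host, "hiupan_claimloader_dll", proc, path))
    return findings

def scan(lines) -> list:
    return [f for line in lines if line.strip() for f in evaluate(parse_event(line))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=7 Computer=WS01 Image=C:\Program Files\Vendor\viewer.exe ImageLoaded=C:\Program Files\Vendor\render.dll",
    r"EventID=7 Computer=WS01 Image=C:\Users\jdoe\AppData\Local\Temp\viewer.exe ImageLoaded=C:\Users\jdoe\AppData\Local\Temp\Claimloader.dll",
    r"EventID=7 Computer=WS02 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\ntdll.dll",
    r"EventID=11 Computer=WS03 Image=C:\Windows\explorer.exe TargetFilename=E:\Claimloader.dll",
    r"EventID=7 Computer=WS03 Image=E:\usbtool.exe ImageLoaded=E:\Claimloader.dll",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.process} -> {f.path}")
```

Of the five constructed events, the two benign loads from Program Files and System32 produce nothing, while the Temp-directory and E:-drive events each trigger two rules, which is the overlap a SIEM should expect between a generic side-loading rule and the HIUPAN-specific one.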
5. Mitigation & Remediation (Blue-Team Focus)
Mitigation strategies should focus on preventing initial access, detecting and blocking malware execution, and removing persistence.
Official Patch Information: No specific vulnerabilities are mentioned, so no patches are directly applicable. Mitigation relies on security controls and operational procedures.
Workarounds & Temporary Fixes:
- USB Device Control:
  - Policy: Enforce strict policies on USB device usage.
  - Configuration: Disable USB storage device auto-run functionality via Group Policy or MDM.
  - Scanning: Implement robust endpoint security solutions that scan all USB drives for malware upon insertion.
  - Blocking: Block specific USB device IDs if possible.
- Application Whitelisting: Deploy and enforce application whitelisting (e.g., AppLocker, Windows Defender Application Control) to prevent the execution of unauthorized executables and DLLs.
- DLL Side-Loading Prevention:
  - Configuration: Ensure applications load DLLs from their designated installation directories and not from user-writable paths. This can sometimes be enforced through application manifests or specific security configurations.
  - Monitoring: Implement aggressive monitoring for DLLs loaded from non-standard locations.
- Network Segmentation: Isolate critical government networks from less secure segments and the internet. Implement strict firewall rules to limit lateral movement.
- Endpoint Security: Ensure EDR solutions are deployed, configured for maximum visibility, and regularly updated with the latest threat intelligence. Configure EDR to alert on suspicious DLL loading and file execution from non-standard paths.
- User Awareness Training: Educate users about the risks of inserting unknown USB drives and clicking on suspicious links or attachments.
Manual Remediation Steps (Non-Automated):
- Identify Infected Systems: Use SIEM queries and EDR alerts to pinpoint systems exhibiting IOCs or suspicious behavior.
- Isolate Infected Systems: Immediately disconnect identified systems from the network to prevent lateral movement.
- Malware Removal:
  - Manual Deletion: If the malware is identified and its location is known, manually delete the malicious files.

        # Example PowerShell command to remove a known malicious file
        Remove-Item -Path "C:\Users\Public\Documents\malicious.dll" -Force

  - Registry Cleanup: Remove any persistence mechanisms (e.g., Run keys, Scheduled Tasks) pointing to the malware.

        # Example PowerShell command to remove a registry run key
        Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "SuspiciousApp" -ErrorAction SilentlyContinue

  - Endpoint Security Scan: Run a full scan with an up-to-date antivirus/EDR solution.
- Rebuild/Reimage: For critical systems or persistent infections, the safest remediation is to reimage or rebuild the affected machines from a known good backup or golden image.
- Credential Reset: If credential compromise is suspected, reset user passwords and review access logs.
- Review Logs: Analyze logs from the affected period to understand the attack path and identify any other compromised systems or data exfiltration.
Risk Assessment During Remediation:
- Downtime: Disconnecting systems for investigation and remediation can impact operational availability.
- Incomplete Removal: Manual removal might miss hidden persistence mechanisms or secondary payloads, leading to re-infection.
- Lateral Movement: If isolation is not immediate or complete, the threat may spread to other systems.
- Data Loss: If data exfiltration has already occurred, remediation cannot recover that lost data.
6. Supply-Chain & Environment-Specific Impact
- CI/CD Impact: The article does not provide information on whether CI/CD pipelines were directly targeted or affected. However, if build tools or artifact repositories were compromised, it could lead to the injection of malicious code into legitimate software.
- Container/Kubernetes Impact: The article does not mention containerization technologies. If the malware were to be deployed within containers, its impact would depend on the container isolation effectiveness and the privileges granted to the container. DLL side-loading is typically a Windows-specific technique, so its direct impact on Linux-based containers would be limited unless a Windows container host was compromised.
- Supply-Chain Implications: The use of multiple clusters, some with unknown initial access vectors, suggests a potential for supply-chain compromise. If any of the malware families or their delivery mechanisms were distributed through third-party software updates, libraries, or services, it would represent a significant supply-chain risk. The article does not explicitly confirm this, but the coordinated nature and diverse TTPs raise this concern.
7. Advanced Technical Analysis
Exploitation Workflow (Detailed):
- Cluster 1 (HIUPAN/PUBLOAD/COOLCLIENT):
  - Initial Access: Compromised USB drive inserted by user.
  - Execution: HIUPAN malware on USB executes, potentially via autorun or manual execution by the user.
  - Persistence: HIUPAN establishes persistence (e.g., via registry or scheduled tasks).
  - Payload Delivery: HIUPAN acts as a dropper for PUBLOAD.
  - Backdoor Establishment: PUBLOAD establishes a C2 channel.
  - Further Deployment: PUBLOAD or manual actions lead to the deployment of COOLCLIENT.
  - Post-Exploitation: COOLCLIENT enables reconnaissance, data exfiltration, and tunneling.
- Cluster 3 (Hypnosis Loader/FluffyGh0st RAT):
  - Initial Access: Unknown vector (e.g., phishing, exploit).
  - Loader Deployment: Hypnosis Loader executable is placed on the system.
  - DLL Side-Loading: A legitimate application is tricked into loading a malicious DLL (potentially placed by Hypnosis Loader or delivered alongside it). This malicious DLL then executes Hypnosis Loader's payload.
  - RAT Deployment: Hypnosis Loader executes the FluffyGh0st RAT.
  - Post-Exploitation: FluffyGh0st RAT provides remote control for espionage.
Code-Level Weakness:
- HIUPAN: Likely exploits Windows' handling of executable content on removable drives, potentially including vulnerabilities in file system drivers or the way the OS processes executable files from such sources.
- Hypnosis Loader: Leverages the Windows DLL search order vulnerability. When an application attempts to load a DLL, Windows searches in a specific order of directories. If a malicious DLL with the same name is placed in a directory earlier in the search order (e.g., the application's current working directory, which can be influenced by the attacker), it will be loaded instead of the legitimate one. This is a classic CWE-426: "Untrusted Search Path" or CWE-427: "Uncontrolled Search Path Element."
- PUBLOAD, COOLCLIENT, FluffyGh0st RAT, Gorem RAT, MASOL RAT, PoshRAT, TrackBak Stealer: These are likely custom or known malware families. Their code-level weaknesses would relate to their specific functionalities (e.g., insecure handling of network protocols, buffer overflows in parsing data, insecure deserialization if applicable). Specific details are not provided.
Related CVEs & Chaining: No specific CVEs are mentioned. However, the DLL side-loading technique is a well-known attack pattern (CWE-427). The campaign's success relies on the combination of delivery mechanisms and malware capabilities, rather than chaining specific software vulnerabilities.
Bypass Techniques:
- Evasion of Antivirus/EDR: Malware authors commonly employ techniques such as code obfuscation, packing, encryption, and polymorphism to evade signature-based detection.
- DLL Side-Loading Bypass: By placing the malicious DLL in a directory that a legitimate application searches first, attackers bypass checks that might only look for DLLs in system directories.
- Living-off-the-Land (LotL) Techniques: While not explicitly detailed, attackers often use legitimate system tools (e.g., PowerShell, WMI) for execution and lateral movement, making detection harder. COOLCLIENT's packet tunneling capability could be used to obfuscate C2 traffic.
- Masquerading: Using legitimate-sounding file names (Claimloader.dll) and placing malware in common directories to blend in.
8. Practical Lab Testing
Safe Testing Environment Requirements:
- Isolated Network: A completely air-gapped or heavily segmented network segment.
- Virtual Machines: Multiple Windows VMs (e.g., Windows 10, Windows Server 2019) configured with different privilege levels (user, administrator).
- USB Drive Emulation: A physical USB drive that can be safely formatted and loaded with test malware samples. Alternatively, a virtual USB device passthrough in a VM environment.
- Network Capture: Tools like Wireshark or tcpdump to monitor network traffic.
- Endpoint Monitoring Tools: Sysmon, EDR agent, Procmon installed on test VMs.
- Malware Samples: Safely obtained (if available) or simulated versions of HIUPAN, PUBLOAD, COOLCLIENT, Hypnosis Loader, and FluffyGh0st RAT.
How to Safely Test:
- Set up Isolated Environment: Configure VMs and network segmentation.
- Deploy Monitoring Tools: Install Sysmon, Procmon, and EDR agents on test VMs.
- Simulate Initial Access (Cluster 1):
  - Place a simulated HIUPAN DLL on a USB drive.
  - Insert the USB into a test VM.
  - Observe file creation, process execution (e.g., Claimloader.dll loading), and any persistence mechanisms.
  - If possible, simulate the deployment of PUBLOAD and COOLCLIENT by placing their executables in expected locations and triggering their execution.
- Simulate Initial Access (Cluster 3):
  - Place Hypnosis Loader and a target application that is vulnerable to DLL side-loading (e.g., a known vulnerable application or a custom test app).
  - Place a malicious DLL with the same name as a legitimate DLL required by the target application in a location that precedes the legitimate DLL in the search path (e.g., the application's directory).
  - Execute the target application and observe the malicious DLL being loaded and executing its payload (e.g., launching a simulated FluffyGh0st RAT).
- Analyze Logs and Network Traffic: Examine Sysmon logs for process creation, image loading, and network connections. Analyze Wireshark captures for C2 communication patterns.
- Test Detection Rules: Run the SIEM detection rules and KQL queries against the collected logs to verify their effectiveness.
- Test Mitigation: Apply proposed workarounds (e.g., USB blocking, application whitelisting) and re-run tests to confirm they prevent the simulated attack.
Test Metrics:
- Detection Rate: Percentage of simulated attack stages detected by SIEM rules and EDR.
- Time to Detect: Time elapsed from attack initiation to alert generation.
- Mitigation Effectiveness: Percentage of simulated attacks successfully blocked by implemented security controls.
- False Positive Rate: Number of legitimate activities flagged as malicious.
- Persistence Removal Success: Whether manual or automated remediation steps successfully removed all persistence mechanisms.
9. Geopolitical & Attribution Context
- Evidence of State-Sponsored Involvement: The article states the threat activity clusters exhibit "strong links to China-aligned cyber operations." The targeting of a government entity in Southeast Asia with sophisticated malware for persistent access is highly indicative of state-sponsored espionage.
- Targeted Sectors: A government organization in Southeast Asia.
- Attribution Confidence: High confidence in China-aligned attribution based on the provided information. The specific threat actor names for CL-STA-1048 and CL-STA-1049 are not definitively assigned, but their TTPs and malware align with known China-aligned activities.
- Campaign Context: The article suggests a coordinated effort, implying this might be part of a broader strategic intelligence-gathering campaign by China-aligned actors targeting regional governments. No specific campaign names (e.g., APT groups) are explicitly assigned to all clusters, but Cluster 1 is "Likely Mustang Panda."
- Unconfirmed Attribution: Attribution for CL-STA-1048 and CL-STA-1049 is currently unconfirmed beyond their general alignment with China-aligned actors.
10. References & Sources
- Original Article Source: The Hacker News (March 30, 2026) - https://thehackernews.com/2026/03/three-china-linked-clusters-target.html
- Research by: Palo Alto Networks Unit 42 Researchers Doel Santos and Hiroaki Hara.
- Malware Families Mentioned: HIUPAN (USBFect, MISTCLOAK, U2DiskWatch), PUBLOAD, COOLCLIENT, EggStremeFuel (RawCookie), EggStremeLoader (Gorem RAT), MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, FluffyGh0st RAT.
- Techniques Mentioned: DLL Side-Loading, USB-based malware delivery, Backdoor deployment, RAT functionality, Stealer functionality, Packet Tunneling.
- MITRE ATT&CK (Implied):
  - T1574.002: DLL Side-Loading
  - T1059.003: Windows Command Shell (implied for execution)
  - T1071.001: Web Protocols (for C2)
  - T1020: Automated Exfiltration (implied for stealers/RATs)
  - T1053.005: Scheduled Task/Job (potential persistence)
  - T1053.003: Windows Service (potential persistence)
  - T1003: OS Credential Dumping (potential post-exploitation)
  - T1041: Exfiltration Over C2 Channel
  - T1105: Ingress Tool Transfer
