Multi-cluster operation reveals long-term espionage strategy and advanced persistence tactics

A sophisticated cyber campaign attributed to multiple China-aligned threat clusters has targeted a Southeast Asian government entity throughout 2025, highlighting a significant escalation in coordinated cyber espionage activity.
Researchers identified three distinct but overlapping threat clusters operating within the same environment over extended periods. Notably, these clusters—Mustang Panda, CL-STA-1048, and CL-STA-1049—demonstrated shared objectives, similar tactics, and coordinated timing. This strongly suggests a unified strategic mission rather than isolated intrusions.
Between March and September 2025, attackers deployed a wide range of malware families, each serving specific roles within a broader intrusion framework. These tools enabled persistent access, data exfiltration, and stealthy lateral movement across government networks.
A Multi-Phase, Multi-Actor Attack Strategy
The campaign did not rely on a single entry point or payload. Instead, attackers used layered malware frameworks and modular toolsets to maintain access and expand control over time.
For example, during the June to August 2025 window, Mustang Panda used USB-borne malware (HIUPAN) to get onto systems. Removable media is a particularly effective entry point into restricted or air-gapped networks, where internet-based delivery is not available.
Once inside, the attackers deployed PUBLOAD through a malicious DLL loader (Claimloader). Additional backdoors such as COOLCLIENT then provided deeper control, including:
- Keystroke logging
- File transfer (upload/download)
- Network tunneling
- System reconnaissance
As a result, attackers gained both visibility and control across compromised systems.
Diverse Malware Arsenal Across Clusters
Each cluster brought its own toolkit, increasing operational complexity and resilience.
CL-STA-1048, active from March to September, relied on comparatively noisy and aggressive tooling, including:
- EggStremeFuel & EggStremeLoader: Components of the modular EggStreme framework, whose backdoor supports more than 50 commands for data collection and system control
- MASOL RAT: Remote access trojan enabling command execution
- TrackBak Stealer: Focused on extracting logs, clipboard data, and network intelligence
Additionally, some variants used cloud services such as Dropbox for command-and-control (C2), so that beaconing hides inside traffic the organization already allows and detection becomes harder.
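Beaconing to a sanctioned cloud service is hard to block but not hard to spot: an implant polls its C2 on a timer, people do not. The script below is an added example (not code from the original report) that parses a constructed proxy-log format of `<iso-timestamp> <src-ip> <dest-host> <user-agent>`, groups requests per source and destination, and flags pairs whose inter-request gaps are almost constant. The domain list, the thresholds and the sample traffic are assumptions for the example.

```python
"""Find hosts beaconing to cloud-storage APIs at machine-regular intervals.

Added example (not code from the original report). It works on a constructed
proxy-log format '<iso-ts> <src-ip> <dest-host> <user-agent>'; the domain list,
thresholds and sample traffic are assumptions for the example.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

CLOUD_C2_DOMAINS = {"api.dropboxapi.com", "content.dropboxapi.com"}  # assumption
MIN_REQUESTS = 8   # fewer samples than this cannot establish a rhythm
MAX_CV = 0.15      # std-dev / mean of the gaps; humans rarely get this regular


def parse_proxy_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one constructed proxy record; the user-agent may contain spaces."""
    ts, src, host, ua = line.split(maxsplit=3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host, ua


def beacon_candidates(lines: list[str]) -> dict[tuple[str, str], dict]:
    """Group hits per (source, destination) and score the regularity of their gaps."""
    by_pair: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, src, host, ua = parse_proxy_line(line)
        if host in CLOUD_C2_DOMAINS:
            by_pair[(src, host)].append((ts, ua))
    findings = {}
    for pair, hits in by_pair.items():
        if len(hits) < MIN_REQUESTS:
            continue
        hits.sort(key=lambda h: h[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0  # coefficient of variation
        if cv <= MAX_CV:
            findings[pair] = {
                "requests": len(hits),
                "mean_gap_s": round(avg, 1),
                "cv": round(cv, 3),
                "user_agents": sorted({ua for _, ua in hits}),  # aids triage
            }
    return findings


def _synth(src: str, host: str, ua: str, gaps_s: list[int]) -> list[str]:
    """Constructed sample traffic: one request, then one more after each gap."""
    t = datetime(2025, 6, 12, 8, 0, tzinfo=timezone.utc)
    lines = []
    for gap in [0] + gaps_s:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} {src} {host} {ua}")
    return lines


SAMPLE_LOG = (
    # implant polling every ~5 minutes with a few seconds of jitter
    _synth("10.1.2.3", "api.dropboxapi.com", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
           [300, 302, 298, 305, 295, 300, 301, 299, 303, 297, 300])
    # a person using the service at irregular moments
    + _synth("10.1.2.7", "api.dropboxapi.com", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
             [30, 900, 45, 3000, 12, 600, 5400, 120])
    # unrelated, perfectly regular traffic that the rule should ignore
    + _synth("10.1.2.9", "update.example.net", "ExampleUpdater/1.0", [600] * 10)
)

if __name__ == "__main__":
    for (src, host), info in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {info}")
```

A sanctioned desktop sync client also polls on a timer, so a hit is a hunting lead rather than a verdict: compare the reported user agents and the owning process against what the approved client looks like on your estate before escalating.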
Meanwhile, CL-STA-1049 introduced a more stealth-oriented approach. This cluster deployed:
- Hypnosis Loader (via DLL side-loading)
- FluffyGh0st RAT, a well-known remote access tool for espionage operations
However, the initial access vector for the two CL-STA clusters remains unclear, pointing either to entry techniques that have not yet been uncovered or to highly covert infiltration methods.
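Both Claimloader (delivering PUBLOAD) and Hypnosis Loader rely on DLL side-loading: a legitimately signed executable is dropped next to a malicious DLL that carries a name the executable expects, and Windows loads the attacker's code inside a trusted process. The following is an added example (not code from the original report) of the hunt a defender can run over Sysmon Event ID 7 (ImageLoaded) telemetry. It assumes each record has been flattened to `key=value|key=value` text and that the host process's own signature fields have already been joined in from its Event ID 1 record; the system-DLL name list and the user-writable path markers are illustrative assumptions, and the sample records are constructed.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (ImageLoaded) records.

Added example (not code from the original report). Assumptions: each record has
been flattened to 'key=value|key=value' text, and the host process's signature
(HostSigned/HostSignature) has already been joined in from its Event ID 1 record.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Windows DLL names that are frequently side-loaded; illustrative, not exhaustive.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                    "cryptbase.dll", "msimg32.dll"}
# Directories where system-signed DLLs legitimately live (lower-case, no trailing '\').
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Path fragments marking locations a non-admin user can write to (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\",
                         "\\users\\public\\", "\\downloads\\", "\\desktop\\")


@dataclass
class ImageLoad:
    image: str           # Sysmon 'Image': the host process executable
    image_loaded: str    # Sysmon 'ImageLoaded': the DLL that was mapped
    signed: bool         # Sysmon 'Signed' for the DLL
    signature: str       # Sysmon 'Signature' (signer name) for the DLL, '' if unsigned
    host_signed: bool    # joined from the host process's Event ID 1 (assumption)
    host_signature: str  # joined from the host process's Event ID 1 (assumption)


def parse_event(line: str) -> ImageLoad:
    """Parse one flattened record (constructed format for this example)."""
    f = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=f["Image"], image_loaded=f["ImageLoaded"],
        signed=f["Signed"].lower() == "true", signature=f.get("Signature", ""),
        host_signed=f["HostSigned"].lower() == "true",
        host_signature=f.get("HostSignature", ""),
    )


def in_trusted_dir(directory: str) -> bool:
    d = directory.lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def is_user_writable(directory: str) -> bool:
    d = directory.lower() + "\\"
    return not in_trusted_dir(directory) and any(m in d for m in USER_WRITABLE_MARKERS)


def side_load_reasons(ev: ImageLoad) -> list[str]:
    """Return why this load looks like side-loading; an empty list means no finding."""
    reasons: list[str] = []
    host_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    dll_name = ntpath.basename(ev.image_loaded).lower()
    if in_trusted_dir(dll_dir):
        return reasons  # loads from the Windows system directories are out of scope here
    if dll_name in SYSTEM_DLL_NAMES:
        reasons.append(f"system DLL name {dll_name} loaded from {dll_dir}")
    # The classic pattern: a legitimately signed host pulls a DLL from its own
    # directory, and that directory is somewhere the attacker could drop files.
    if dll_dir == host_dir and is_user_writable(dll_dir):
        if ev.host_signed and not ev.signed:
            reasons.append("signed host loaded an unsigned DLL from its own user-writable directory")
        elif ev.signed and ev.signature.lower() != ev.host_signature.lower():
            reasons.append(f"signer mismatch: host '{ev.host_signature}' vs DLL '{ev.signature}'")
    return reasons


def hunt(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged DLL path to the reasons it was flagged."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        reasons = side_load_reasons(ev)
        if reasons:
            findings[ev.image_loaded] = reasons
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # benign: Windows loading its own DLL from System32
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows|HostSigned=true|HostSignature=Microsoft Windows",
    # benign: a vendor application loading its own signed helper from Program Files
    r"Image=C:\Program Files\ExampleVendor\app.exe|ImageLoaded=C:\Program Files\ExampleVendor\helper.dll|Signed=true|Signature=Example Vendor Inc|HostSigned=true|HostSignature=Example Vendor Inc",
    # suspicious: signed host in AppData loads an unsigned DLL named like a system DLL
    r"Image=C:\Users\alice\AppData\Roaming\Update\legit.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\Update\version.dll|Signed=false|Signature=|HostSigned=true|HostSignature=Example Vendor Inc",
    # suspicious: host and DLL in ProgramData carry different signers
    r"Image=C:\ProgramData\Sync\tool.exe|ImageLoaded=C:\ProgramData\Sync\wtsapi32.dll|Signed=true|Signature=Other Publisher LLC|HostSigned=true|HostSignature=Example Vendor Inc",
]

if __name__ == "__main__":
    for dll, why in hunt(SAMPLE_EVENTS).items():
        print(dll, "->", "; ".join(why))
```

The rule deliberately ignores loads from the Windows system directories and from locations only administrators can write to; what remains is the narrow pattern both loaders described above depend on, which keeps the alert volume manageable on a real estate.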
What Makes This Campaign Different
Unlike typical cyberattacks focused on immediate disruption, this operation emphasized long-term persistence and intelligence gathering.
Several key characteristics stand out:
- Overlapping timelines across multiple clusters
- Shared tactics, techniques, and procedures (TTPs)
- Use of both stealthy and noisy malware to diversify attack paths
- Focus on maintaining continuous access rather than quick impact
Therefore, this campaign reflects a strategic, state-aligned effort aimed at sustained surveillance, rather than short-term cybercrime.
Strategic Implications for Governments and CISOs
This campaign signals a growing trend in cyber operations: coordinated multi-group intrusions targeting high-value institutions.
For government agencies and enterprise security leaders, this raises critical concerns:
- Detection built around a single actor's indicators may miss a multi-cluster intrusion
- Persistence mechanisms are becoming more advanced and layered
- Attackers increasingly blend commodity malware with custom loaders
- Supply chain and removable media (USB) remain high-risk vectors
As a result, organizations must evolve beyond reactive security.
What Organizations Should Do Next
To defend against similar campaigns, security teams should:
- Implement Zero Trust architectures to limit lateral movement
- Monitor endpoint behavior and anomaly patterns, not just signatures
- Restrict and audit USB and removable media usage
- Strengthen threat intelligence integration for early detection
- Conduct continuous threat hunting across networks
Additionally, collaboration between regional governments and cybersecurity teams will be essential to identify and disrupt such coordinated campaigns early.