securityaffairs.com 3/30/2026, 7:14:20 PM

China-Linked groups target Southeast Asian government with advanced malware in 2025


In 2025, three China-linked threat clusters targeted a Southeast Asian government in a complex, well-funded cyber operation, deploying multiple malware families such as HIUPAN, PUBLOAD, EggStremeFuel/Loader, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader and FluffyGh0st, with activity tied to Stately Taurus (Mustang Panda) and related clusters.

According to Palo Alto Networks, the activity spans three clusters: Mustang Panda (Stately Taurus) active between June and August 2025; CL-STA-1048, overlapping with Earth Estries (Salt Typhoon) and Crimson Palace, active between March and September 2025; and CL-STA-1049, overlapping with Unfading Sea Haze, active in April and August 2025.

The campaign featured a USB-based propagation approach using PUBLOAD, which spread via USBFect-infected drives, enabling lateral movement and the deployment of components such as EVENT[.]dll and the ClaimLoader to decrypt and execute payloads. In addition, CoolClient loaders with anti-disassembly techniques were used to maintain a flexible, multi-protocol connection and to exfiltrate data, including keystrokes and network information, over obfuscated headers.

The researchers concluded that the attackers sought long-term, persistent access to sensitive networks, not just disruption, with the aim of continuous data exfiltration.


Article by CyberSIXT