Unit 42 researchers describe a three-cluster cyberespionage operation targeting a Southeast Asian government, active between June and August 2025 and linked to China-aligned activity. According to Unit 42, the effort began with Stately Taurus deploying USBFect (HIUPAN) to load the PUBLOAD backdoor, with activity observed from June 1, 2025, across multiple endpoints.
The investigation also details two additional clusters, CL-STA-1048 and CL-STA-1049, employing an espionage toolkit including EggStremeFuel, Masol RAT, EggStreme Loader, TrackBak, and Hypnosis loader to deploy FluffyGh0st RAT, with August 1 and August 9, 2025 milestones highlighted for CL-STA-1049 and related activity.
The report notes substantial overlap in TTPs with China-aligned campaigns such as Earth Estries and Crimson Palace, and discusses how these clusters may be coordinating toward a common objective of long-term access and data exfiltration. In the assessment, CoolClient and other loaders are also attributed to Stately Taurus, while Hypnosis loader targets include a Bitdefender directory, and final payloads are linked to FluffyGh0st.
The piece concludes that three distinct China-aligned clusters converged on a single high-value target, signalling a well-resourced operation intended for persistent access.