Three threat activity clusters aligned with China have targeted a government organisation in Southeast Asia as part of what has been described as a complex and well-resourced operation. The campaigns have seen the deployment of multiple malware families, including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD, EggStremeFuel, EggStremeLoader (aka Gorem RAT), MASOL RAT, PoshRAT, TrackBak Stealer, RawCookie, Hypnosis Loader and FluffyGh0st.
Mustang Panda activity ran from 1 June to 15 August 2025, delivering the PUBLOAD backdoor via a rogue DLL codenamed Claimloader. Claimloader was first recorded in attacks targeting government organisations in the Philippines dating back to late 2022. Additional analysis uncovered the deployment of COOLCLIENT, another backdoor that has been linked to Mustang Panda for more than three years.
The activity is attributed to three clusters, CL-STA-1048, CL-STA-1049 and Mustang Panda, whose timelines show cross-links to publicly documented China-aligned campaigns such as Earth Estries and Unfading Sea Haze, suggesting a coordinated, long-term objective to maintain persistent access. According to Palo Alto Networks Unit 42 researchers Doel Santos and Hiroaki Hara, the convergence of these clusters indicates a common target of interest and potential coordination.