Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

March 27, 2026, 9:29 a.m.

Description

Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: Stately Taurus, CL-STA-1048, and CL-STA-1049. Stately Taurus used USB-propagated malware to deploy the PUBLOAD backdoor. CL-STA-1048 employed an espionage toolkit including the EggStremeFuel backdoor and the Masol RAT, among other tools. CL-STA-1049 used a novel loader, Hypnosis, to deploy the FluffyGh0st RAT. These clusters show significant overlap with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access to government networks and exfiltrate sensitive data. The convergence of multiple threat actors on a single target indicates a complex, well-resourced operation with a common strategic objective.

Date

  • Created: March 27, 2026, 2:01 a.m.
  • Published: March 27, 2026, 2:01 a.m.
  • Modified: March 27, 2026, 9:29 a.m.

Indicators

  • 6caa78943939bd7518f5e7eaa44fa778d0db8b822e260d7fe281cf45513f82d9
  • f07b2af21e3fab6af5166a44ca77ed0ebc7c9a3e623202a63d4c4492abce8d65
  • e61a1f4269e934481f6cb19576b3dbc434952b01445fd4e1ebc6906a1b449ef8
  • 05995284b59ad0066350f43517382228f7eee63cd297e787b2a271f69ecf2dfc
  • 21fe238c462b2f22a7e97f1f06e4f12e8c6e5f3a6fffe671b671909b501fa537
  • 4b29b74798a4e6538f2ba245c57be82953383dc91fe0a91b984b903d12043e92
  • 35ca351a831c67f0e0a658a186be0065043e0977cb70771c03a24b0523edcf30
  • 1aa37a477c539edf25656a300002a28d4246ec83344422dd705b42d3443a2623
  • 6f4f76c7a2638087a0da6002cd2c76d1673305b1e850a1f4068f14755f59d45b
  • c774fd7373084f93383593f0a40f56c8a8b95b73e59cd4fc7117daa6b7441e73
  • 74e7093615da36b28effb3aa6eef5a31e7ea59627bd619b488f087091e8d65e9
  • 84e37e42312b9a502c40cf1f3fc181e3ebd4f3e35c58bbf182740dfe38d3b6b9
  • 4e26aa1bb28874f0897ab9a08e61d4b99caaa395fe63cbe4398f7297371e388c
  • 2616dfadf8aa222303269eb7202c75e2a8fc5b05b6b63ae2cb7576b9a27733f9
  • 83f06fa37f1136f765f799851812f11060ab34df3b34bc61777acc59a30b4c6e
  • e1672dab0daf1c84f14f7bb827851c27753da067490e10cd6144fe7873892fec
  • 34bf325492614dd4d842ec24f22a402ab73908cb91a74846945eae4775290ff2
  • 851d57a2bf514202f54dafa1eb83a862653be7512b6e9535914b8d1d719d495f
  • 6745422717f0ccdf2ae3330d133945268d4cd21215adcf982400d82b38ebeeca
  • 835795aa494021752f21fbef63c81227c1b934437a02aa1f2a258c9f60b0b7a3
  • d4d753c6ea5c86a44c9a65cd0d4eaeabb072b19e0ef68ef7da3a879f689772c9
  • e9b52577091c8e25e91c485216de34d5a26ab707a10b1e5cd31ed7aa055939d3
  • 9d7c8d3bc4ac108fb2602424a1f4918c051c2443f0526bbb2c970c8e57dbd90d
  • 07bd506d2a8db98c2478ac11bb6c46d84f1aa84f4a9af643804ed857ad7399c3
  • 29d4cc64c7c9b7ecd16d96e9c6dcde1fe22a4c2d202074aadf41cbcef494bc19
  • 58ed0463d4cb393cd09198a6409591b39cae06bb0ba5f5d760186de88410f6b8
  • c47d55ad95a6c6ffac45c2b205e03bddadf5e36f55988599053b1fd0e49448a5
  • f62223c9750fb2edfd979a8cae204cb9ce5e0950b52a47b62f195cd05dd3e2fb
  • 11c7728697d5ea11c592fee213063c6369340051157f71ddc7ca891f5f367720
  • 103.122.164.106
  • 109.248.24.177
  • 120.89.46.135
  • 103.15.29.17
  • 103.131.95.107

Attack Patterns

  • Masol
  • TrackBak
  • CoolClient
  • USBFect
  • ClaimLoader
  • FluffyGh0st
  • EggStremeFuel
  • Gorem
  • PUBLOAD
  • Hypnosis loader

Additional Information

  • Government
  • theuklg.com
  • webmail.rpcthai.com
  • popnike-share.com
  • shepinspect.com
  • fikksvex.com
  • laichingte.net
  • webmail.homesmountain.com
  • distrilyy.net
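The indicator and domain lists above are only useful once they are matched against telemetry. The script below is an added example (my own code, not from Unit 42 or the report): it classifies a subset of the page's indicators as SHA-256 hashes, IPv4 addresses or domains, then scans a few constructed proxy, DNS and EDR log lines for them. The log lines, the host names (ws-114, ws-201) and the file path are invented for the example. Domain matching deliberately goes beyond the exact list: a host that is a subdomain of a listed domain (for example a hypothetical cdn.theuklg.com) is reported as a hit against the listed parent, since C2 infrastructure is often rotated across subdomains.

```python
import re
from collections import defaultdict

# Subset of the indicators listed on this page (hashes, IPs, domains), used as
# the watchlist. Extend with the full list in practice.
REPORT_INDICATORS = [
    "6caa78943939bd7518f5e7eaa44fa778d0db8b822e260d7fe281cf45513f82d9",
    "f07b2af21e3fab6af5166a44ca77ed0ebc7c9a3e623202a63d4c4492abce8d65",
    "103.122.164.106",
    "109.248.24.177",
    "120.89.46.135",
    "theuklg.com",
    "webmail.rpcthai.com",
    "popnike-share.com",
]

# Constructed sample log lines (not real telemetry): proxy, DNS and EDR records
# from a hypothetical host "ws-114", plus one benign line from "ws-201".
SAMPLE_LOG = [
    "2025-07-02T03:14:07Z proxy host=ws-114 dst=103.122.164.106:443 sni=theuklg.com bytes=51233",
    "2025-07-02T03:14:09Z dns host=ws-114 query=webmail.rpcthai.com type=A",
    "2025-07-02T03:15:41Z edr host=ws-114 file=C:\\Users\\Public\\update.dll "
    "sha256=6CAA78943939BD7518F5E7EAA44FA778D0DB8B822E260D7FE281CF45513F82D9",
    "2025-07-02T03:16:00Z proxy host=ws-201 dst=8.8.8.8:53 sni=example.com bytes=120",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

# Candidate tokens in free-text logs: a 64-hex hash, a dotted quad, or a hostname.
# The \b anchors stop a longer hex run from being cut into a 64-character prefix.
TOKEN_RE = re.compile(
    r"\b(?:[0-9a-f]{64}|(?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I
)


def classify(indicator):
    """Return (kind, normalised value) for one indicator or log token."""
    v = indicator.strip().lower().rstrip(".")
    if SHA256_RE.match(v):
        return "sha256", v
    # The regex alone accepts octets above 255; reject those explicitly.
    if IPV4_RE.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ipv4", v
    if DOMAIN_RE.match(v):
        return "domain", v
    return "unknown", v


def build_index(indicators):
    """Group watchlist indicators by kind; unknown ones are kept so they can be reported."""
    idx = defaultdict(set)
    for i in indicators:
        kind, v = classify(i)
        idx[kind].add(v)
    return idx


def match_domain(host, domains):
    """Exact match, or host is a subdomain of a listed domain; returns the listed domain."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_lines(lines, idx):
    """Return (line_no, kind, observed, indicator) for every token that hits the watchlist."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            kind, v = classify(tok)
            if kind == "domain":
                listed = match_domain(v, idx.get("domain", ()))
                if listed:
                    hits.append((n, kind, v, listed))
            elif kind in ("sha256", "ipv4") and v in idx.get(kind, ()):
                hits.append((n, kind, v, v))
    return hits


if __name__ == "__main__":
    index = build_index(REPORT_INDICATORS)
    for hit in scan_lines(SAMPLE_LOG, index):
        print("line %d: %s %s -> %s" % hit)
```

On the constructed input the scan reports the C2 address and SNI on line 1, the DNS query on line 2 and the uppercase file hash on line 3, and nothing for the benign line 4; the Windows path on line 3 yields a candidate token (update.dll) that is classified as a domain but correctly does not match. Hash matching alone is brittle against recompiled samples, so the network indicators and the domains in this section are the more durable part of the watchlist.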

Linked vulnerabilities