Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign


What happened

Three China-linked clusters targeted a government organization in Southeast Asia during 2025 in what researchers described as a complex and well-resourced operation. The activity was attributed to Mustang Panda, CL-STA-1048, and CL-STA-1049, with the campaigns spanning March to September 2025. According to Palo Alto Networks Unit 42, the operation involved a broad set of malware families, including HIUPAN, PUBLOAD, EggStremeFuel, EggStremeLoader, MASOL RAT, PoshRAT, TrackBak, Hypnosis Loader, and FluffyGh0st. The report said the Mustang Panda activity used USB-based malware to deliver the PUBLOAD backdoor through a rogue DLL called Claimloader, while another cluster used Hypnosis Loader through DLL side-loading to install FluffyGh0st RAT. Unit 42 said the overlapping tactics and tools suggest the clusters shared a common target of interest and may have been coordinating their efforts. 

Who is affected

The direct victim was a government organization in Southeast Asia targeted by multiple China-linked activity clusters over several months in 2025. The article also indicates the attackers were focused on maintaining access to sensitive government networks rather than carrying out a short-term disruptive operation. 

Why CISOs should care

This matters because the reported activity shows multiple related clusters targeting the same government environment with overlapping tools, malware, and persistence methods. It also highlights a campaign designed for long-term access to sensitive networks, with tooling that supports data theft, remote control, file transfer, and internal persistence across a sustained timeline. 

3 practical actions

  1. Hunt for overlapping malware frameworks: Review environments for the malware families and loaders named in the report, especially HIUPAN, PUBLOAD, EggStremeFuel, EggStremeLoader, MASOL RAT, TrackBak, Hypnosis Loader, and FluffyGh0st. 
  2. Investigate removable-media and side-loading paths: Examine whether USB-delivered malware and DLL side-loading remain viable intrusion routes in sensitive environments, since both were used in the campaign described by Unit 42. 
  3. Treat overlapping clusters as one strategic problem: When separate activity clusters show common targeting and TTP overlap, scope them as part of a broader campaign rather than as isolated intrusions. 
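As an added illustration of actions 1 and 2 (example code, not from the Unit 42 report or this article), the following Python flags the two load patterns the campaign relied on, a DLL loaded from removable media and an unsigned DLL loaded from the same user-writable directory as its host executable, over constructed Sysmon-style image-load records; the field names, paths and removable-drive set are assumptions.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoad)-style records; sample data, not from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"Image": r"E:\Documents\Viewer.exe",
     "ImageLoaded": r"E:\Documents\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Update\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Update\libcurl.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

# Drive letters the host reported as removable (constructed; take this from the OS inventory in practice).
REMOVABLE_DRIVES = {"E:"}

# Directories where a sidecar DLL is expected; anything else is treated as user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_path(path):
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def side_load_candidates(events, removable_drives=REMOVABLE_DRIVES):
    """Return (host_image, dll, reason) for loads matching the two intrusion routes of interest."""
    findings = []
    for ev in events:
        image, dll = ev["Image"], ev["ImageLoaded"]
        if not dll.lower().endswith(".dll"):
            continue
        # Route 1: any DLL mapped from a removable volume (USB-delivered loader).
        if ntpath.splitdrive(dll)[0].upper() in removable_drives:
            findings.append((image, dll, "dll_loaded_from_removable_media"))
            continue
        # Route 2: unsigned DLL sitting next to its host executable outside trusted roots (side-loading).
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
        if same_dir and ev.get("Signed", "false") != "true" and not is_trusted_path(dll):
            findings.append((image, dll, "unsigned_sidecar_dll_in_user_writable_path"))
    return findings


if __name__ == "__main__":
    for host, dll, reason in side_load_candidates(SAMPLE_EVENTS):
        print(f"{reason}: {host} loaded {dll}")
```

Expect noise from unsigned but legitimate software in user profiles; triage hits by host executable and DLL hash rather than blocking on this alone.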
