Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

By: Doel Santos, Hiroaki Hara
Published: March 26, 2026
Categories: Malware, Threat Actor Groups
Tags: CL-STA-1048, CL-STA-1049, Stately Taurus, Trojan

Executive Summary

Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a government organization in Southeast Asia. Our initial investigation began with tracking Stately Taurus activity between June 1 and Aug. 15, 2025. This activity involves USB-propagated malware called USBFect (aka HIUPAN), which deploys a PUBLOAD backdoor.

Our investigation led to the discovery of two additional, distinct activity clusters we're tracking as CL-STA-1048 and CL-STA-1049. The attackers behind CL-STA-1048 used an espionage toolkit comprising several components:

- EggStremeFuel backdoor
- Masol remote access Trojan (RAT)
- EggStreme Loader (which delivered the comprehensive Gorem RAT with keylogging)
- A simple data theft tool we internally label TrackBak stealer

In contrast, CL-STA-1049's operations involved using a novel loader, which we named Hypnosis loader, to deploy the FluffyGh0st RAT payload.

These activity clusters overlap with publicly reported campaigns aimed at establishing persistent access. Significant overlap in tactics, techniques and procedures (TTPs) with known China-aligned campaigns suggests the clusters and threat group share a common target of interest and are potentially coordinating their efforts.
Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

- Advanced WildFire
- Advanced URL Filtering and Advanced DNS Security
- Cortex XDR and XSIAM

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Threat Groups or Activity Clusters Discussed: Cluster Bravo, Cluster Charlie, Crimson Palace, Earth Estries, Stately Taurus, Unfading Sea Haze, CL-STA-1048, CL-STA-1049
Remote Access Trojans Discussed: FluffyGh0st, Gh0st, Gorem, Masol
Loaders Discussed: ClaimLoader, CoolClient, EggStreme, Hypnosis
Stealers Discussed: TrackBak
Backdoors Discussed: Backdr-NQ, EggStremeFuel, PUBLOAD, RawCookie

Southeast Asian Government Targeting

This investigation revealed a persistent espionage campaign targeting a government organization in Southeast Asia. Our analysis identified three distinct clusters of activity running in parallel within the victim's network, each with different tools and methods but likely working toward a common objective:

- Stately Taurus: We attributed one of the activity clusters with high confidence to this threat actor, which leveraged USB-based malware to deploy the PUBLOAD backdoor, a consistent TTP for this group.
- CL-STA-1048: This cluster includes attacks using a toolkit of espionage payloads, deploying multiple RATs like MasolRAT and the RawCookie backdoor. The use of diverse and sometimes noisy tooling suggests a determined effort to establish a foothold. This activity shows links to publicly reported China-affiliated actors like Earth Estries and those behind the Crimson Palace campaign.
- CL-STA-1049: This cluster features stealth and persistence, with attackers using the novel Hypnosis loader to deploy the FluffyGh0st RAT. This activity overlaps with the China-aligned group known as Unfading Sea Haze.
The convergence of these three distinct, China-aligned clusters against a single, high-value government target illustrates a complex and well-resourced operation. Figure 1 provides a visual overview of the relationships between these activity clusters, the tools used in the attacks and previously reported threat groups.

Figure 1. An overview of the activity clustering.

Stately Taurus - PUBLOAD Activity

On June 1, 2025, we detected PUBLOAD activity attributed to Stately Taurus across multiple endpoints at a government entity in Southeast Asia. Our investigation found that the origin of this activity was likely a USB drive containing USBFect. USBFect is a worm that spreads via removable media and is often used to propagate PUBLOAD for lateral movement. Its functionality is identical to that of HIUPAN, documented by Trend Micro in 2024. We assess that USBFect and HIUPAN are the same malware family. The USBFect sample analyzed in this activity implemented the following previously observed capabilities:

- Installing USBFect components onto the infected system
- Monitoring for removable or hot-pluggable drive insertion
- Copying USBFect components onto a removable or hot-pluggable drive

However, this USBFect sample has an overt PDB file path: D:\WorkProject\2023\GJ0215\src\USBInfection\sln\USBFect\Release\USBFect.pdb

We found evidence of USBFect infection on multiple agents at the following path: D:\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\EVENT.dll

The EVENT.dll file has the following SHA256 hash: 4b29b74798a4e6538f2ba245c57be82953383dc91fe0a91b984b903d12043e92

This file is a variant of ClaimLoader, placed in the generated drive path and responsible for loading PUBLOAD into memory. We observed this propagation to multiple endpoints until Aug. 15, 2025, at 00:17:15 UTC.
Endpoints with PUBLOAD malware also used the following file paths:

- ProgramData/intel/_/$.ini
- ProgramData/Intel/_/EVENT.dll
- ProgramData/intel/_/u2ec.dll
- ProgramData/intel/_/UsbConfig.exe
- Libraries\Dialogui\EVENT.dll

The malware stages these files to execute and propagate its payload via USB devices.

ClaimLoader

ClaimLoader (EVENT.dll) is a shellcode loader, documented by Japanese IT security company LAC in 2022, that loads the PUBLOAD backdoor in memory. The sample identified in this activity largely had the same capabilities, with slight variations. The malware copies its components to a working directory (e.g., C:\Users\Public\Libraries\Dialogui). These components include:

- A legitimate parent process
- ClaimLoader itself

The loader then registers the copied legitimate application in a Windows registry autorun key to establish persistence. ClaimLoader then uses an XOR key to decrypt an embedded shellcode payload and executes the shellcode through the CryptEnumOIDInfo API. This technique, shown in Figure 2, is similar to the one described in LAC's report.

Figure 2. Shellcode decryption and execution by ClaimLoader.

The shellcode is PUBLOAD, first documented by Cisco Talos in 2022. Variants of PUBLOAD use either HTTP or TCP for command-and-control (C2) communications. The sample we observed is a variant that uses TCP. PUBLOAD encrypts data collected from the infected host, including:

- Volume info
- Computer name
- Username
- Tick count

The malware encrypts this information using multiple XOR loops and sends it with a fake TLS header (17 03 03) over TCP. Once PUBLOAD receives a response from the C2 server, it decodes and executes the final payload in memory. During our analysis, we did not identify any further stages of tooling.

In November 2024, we analyzed similar activity from Stately Taurus, including an identical PUBLOAD sample. This sample maintained consistent configurations and aligned with Trend Micro's research on the group.
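The fake TLS framing described above gives defenders a simple network-side check: a genuine TLS client stream begins with a handshake record (ClientHello, content type 0x16), whereas a stream that opens directly with an application-data record (17 03 03) never performed a handshake. The following Python is an added example written for this article, not Unit 42 code or a PUBLOAD detection signature; the heuristic and the sample byte strings are our own constructions.

```python
"""Heuristic for PUBLOAD-style fake TLS framing over TCP (added example).

The TCP variant of PUBLOAD sends XOR-encrypted host data behind a fake TLS
record header (17 03 03). A genuine TLS client stream starts with a
handshake record (content type 0x16, the ClientHello) before any
application-data record (0x17), so a client stream whose first record is
application data never completed a handshake. Apply the check to the
client->server bytes from the start of a connection (a capture that begins
mid-session also trips it). The samples at the bottom are constructed.
"""
import struct

TLS_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data
TLS_APPDATA = 0x17


def first_record_type(stream: bytes):
    """Content type of the first TLS-looking record header, else None."""
    if len(stream) < 5 or stream[0] not in TLS_TYPES or stream[1] != 0x03:
        return None
    return stream[0]


def parse_tls_records(stream: bytes):
    """Split a stream into (content_type, version, body) records.

    Returns (records, consistent); `consistent` is True only if every record
    header's length matched the bytes that followed, i.e. the 'TLS' headers
    really frame the stream rather than merely prefixing it.
    """
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack(">BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if ctype not in TLS_TYPES or version >> 8 != 0x03 or len(body) != length:
            return records, False
        records.append((ctype, version, body))
        off += 5 + length
    return records, off == len(stream)


def is_fake_tls(stream: bytes) -> bool:
    """True when a client stream opens with app data instead of a handshake."""
    return first_record_type(stream) == TLS_APPDATA


# Constructed samples (not real captures):
LEGIT_STREAM = (b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"  # ClientHello
                + b"\x17\x03\x03\x00\x03" + b"ABC")            # app data
PUBLOAD_LIKE = b"\x17\x03\x03\x00\x08" + bytes(8)              # no handshake
```

Because the hosts' data is XOR-encrypted rather than TLS-encrypted, a flow flagged by is_fake_tls can be triaged further by checking whether parse_tls_records reports consistent framing, which a real TLS stack always produces.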
CoolClient

During the same time period, on Aug. 4, 2025, at 08:50:15 UTC, we detected the two suspicious DLL files listed in Table 1 on an agent without PUBLOAD activity.

SHA256 | File Path
835795aa494021752f21fbef63c81227c1b934437a02aa1f2a258c9f60b0b7a3 | C:\ProgramData\GoogleUpdate\libvlc.dll
851d57a2bf514202f54dafa1eb83a862653be7512b6e9535914b8d1d719d495f | C:\Users\$USER$\AppData\LocalLow\Brother\PrtDrv\sangforvpnlibcrypto-1_1.dll

Table 1. CoolClient loader DLL files.

Our analysis of the samples revealed they were CoolClient loaders. The CoolClient loader is a shellcode loader that heavily implements anti-disassembly techniques. Without countering these techniques, analysis tools produce incorrectly disassembled code, as shown in Figure 3.

Figure 3. An incorrectly disassembled CoolClient loader due to anti-disassembly techniques.

These DLL files load payloads from an encrypted file located at: c:\programdata\GoogleUpdate\loader.ja

We were unable to obtain this file during our investigation. However, it likely overlaps with the loader.ja file reported by Trend Micro that loads the final CoolClient payload.

CoolClient was first reported by Sophos in 2022 and observed in Stately Taurus activity by Trend Micro in 2023. This threat is built on the open-source C++ library HP-Socket to support multiple C2 protocols and a client/server two-way connection. Figure 4 shows HP-Socket's class information embedded in a CoolClient sample.

Figure 4. HP-Socket's class information embedded in CoolClient.

CoolClient supports the following capabilities:

- Uploading and deleting a file
- Tunneling packets
- Starting keylogging
- Sending port map information

The lack of arbitrary code execution in CoolClient suggests it is designed as a tunneling tool or stealer that attackers could use to gather information for further lateral movement. CoolClient activity was distinct from the PUBLOAD infections.
However, we confirmed that the specific anti-disassembly technique used by the CoolClient loader samples we found is identical to that used by USBFect/HIUPAN. This supports our attribution of the CoolClient activity to Stately Taurus, suggesting it was another attempt by the group to secure access.

CL-STA-1048 - Espionage Toolkit

The activity tracked under CL-STA-1048 deployed a wide variety of tools with similar functionality. This pattern suggests that the threat actor behind CL-STA-1048 actively sought a payload that could bypass XDR. In the process, they inadvertently exposed a significant portion of their toolkit to our analysis. On Aug. 9, 2025, we observed alerts originating from a Micro