Hackers Use USB Malware, RATs, and Stealers in Espionage Attacks on Southeast Asian Government

A highly coordinated cyberespionage campaign has been uncovered targeting a government organization in Southeast Asia, with threat actors deploying a mix of USB-propagated malware, remote access trojans (RATs), and data stealers to secure long-term access to sensitive government systems.

The operation, active between June and August 2025, involved three separate clusters of activity running simultaneously inside the same victim’s network, all bearing notably strong connections to China-aligned threat groups.

The three clusters each used a different set of tools but appeared to be working toward the same goal.

The first was attributed to Stately Taurus, a well-known threat actor that used a USB worm called USBFect — also identified as HIUPAN — to push the PUBLOAD backdoor across government endpoints.

The second cluster, tracked as CL-STA-1048, came with a broader espionage toolkit that included the EggStremeFuel backdoor, the Masol RAT, the EggStreme Loader, the Gorem RAT, and a data theft tool called TrackBak.

The third cluster, CL-STA-1049, took a stealthier path, using a newly identified loader called Hypnosis to quietly deploy the FluffyGh0st RAT.

Unit 42 researchers identified all three clusters operating at the same time within the same victim environment and noted that despite using entirely different tools, each group was pursuing persistent access to the same high-value government target.

An overview of the activity clustering (Source – Unit42)

The figure gives a visual overview of how these clusters relate to one another, the tools each of them deployed, and their ties to previously reported threat groups.

The convergence of three China-aligned clusters against a single target signals a well-resourced and organized operation.

CL-STA-1048 shows clear links to Earth Estries and the Crimson Palace campaign, while CL-STA-1049 overlaps significantly with the group known as Unfading Sea Haze.

Together, these connections suggest that loosely coordinated threat actors may be sharing targets, infrastructure, or strategic direction — all toward the shared objective of gathering long-term intelligence from Southeast Asian government operations.

The damage potential of this campaign extends well beyond simple data theft. The attackers layered in keyloggers, clipboard stealers, file collectors, and reverse shells, giving them wide visibility into government activity.

TrackBak, the infostealer deployed by CL-STA-1048, disguised itself as a Microsoft Edge log file while silently collecting keystrokes, clipboard contents, network data, and files from connected drives.

With this level of persistent access, the attackers could map internal systems, monitor communications, and locate sensitive materials over an extended period without raising obvious flags.

USB-Based Infection: How USBFect Spread PUBLOAD

The most distinctive attack vector in this campaign was the use of a USB worm to move silently across connected government systems.

USBFect works by monitoring for any newly inserted removable drive and then automatically copying its components onto that drive to spread to the next connected machine.

Once installed, it stages files under paths that closely mimic legitimate Windows and Intel directories — including ProgramData/Intel/_/EVENT.dll and ProgramData/intel/_/UsbConfig.exe — making early detection considerably more difficult for defenders reviewing file system activity.

Embedded within USBFect is a shellcode loader called ClaimLoader, dropped as a DLL file named EVENT.dll (SHA256: 4b29b74798a4e6538f2ba245c57be82953383dc91fe0a91b984b903d12043e92).

ClaimLoader uses an XOR key to decrypt a hidden shellcode payload and then runs it through the CryptEnumOIDInfo API callback — a technique specifically chosen to slip past common security tools.

Shellcode decryption and execution by ClaimLoader (Source - Unit42)

The figure shows how this decryption and execution chain works in practice. The shellcode is PUBLOAD, a backdoor that connects to its command-and-control server over TCP while disguising its traffic with a fake TLS header (17 03 03) to blend in with normal network flow.

Once connected, PUBLOAD quietly gathers system information including the computer name, username, and volume details, and sends it back encrypted to the attacker.
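A network-side check for the traffic shape described above, written as an added example for this article (it is not Unit 42's code and does not implement PUBLOAD): a genuine TLS client always opens with a handshake record (content type 0x16) before any application-data record (0x17), so a new connection whose very first client bytes carry the 17 03 03 header is worth flagging. The sample flows are constructed byte strings, not captures.

```python
"""Flag TCP flows whose client sends TLS application-data records (0x17 0x03 0x03)
without any preceding handshake, the traffic shape the article attributes to
PUBLOAD's fake TLS header.  Added example; not Unit 42 code.  The sample flows
below are constructed byte strings, not real captures."""

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17


def parse_record_header(data: bytes):
    """Return (content_type, version, length) of one TLS record header, or None."""
    if len(data) < 5:
        return None
    ctype = data[0]
    version = (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    return ctype, version, length


def classify_client_stream(stream: bytes) -> str:
    """Classify the first bytes a client sent on a new connection.

    Must be given the stream from its first byte: a capture that starts
    mid-connection legitimately begins with application data, so a sensor
    has to key this check on the TCP handshake (new 5-tuple), not on
    arbitrary segments."""
    hdr = parse_record_header(stream)
    if hdr is None:
        return "too-short"
    ctype, version, length = hdr
    if version[0] != 3:          # TLS 1.0 .. 1.3 all use major version 3
        return "not-tls"
    if ctype == TLS_HANDSHAKE:
        return "tls"
    if ctype == TLS_APPLICATION_DATA:
        # Genuine TLS never sends application data before a handshake.
        return "appdata-before-handshake"
    return "unexpected-record-type"


# Constructed samples.  A real ClientHello begins 16 03 01 <len> 01 ...;
# the suspect stream begins with the 17 03 03 header the article names,
# followed by opaque filler bytes (made up here).
SAMPLE_FLOWS = {
    "browser": bytes.fromhex("160301009c0100009803035f"),
    "suspect": bytes.fromhex("1703030010") + b"\xde\xad\xbe\xef" * 4,
    "plain":   b"GET / HTTP/1.1\r\n",
}


def scan(flows: dict) -> list[str]:
    """Return the names of flows that look like fake-TLS channels."""
    return [name for name, data in flows.items()
            if classify_client_stream(data) == "appdata-before-handshake"]


if __name__ == "__main__":
    for name, data in SAMPLE_FLOWS.items():
        print(f"{name:8s} -> {classify_client_stream(data)}")
    print("flagged:", scan(SAMPLE_FLOWS))
```

In a real sensor the classification is keyed on the first client payload of each new 5-tuple; applying it to a mid-stream segment produces false positives, which is why the function is documented as requiring the stream from its first byte.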

Organizations handling sensitive government data should disable AutoRun for removable storage devices, enforce strict USB access policies, and actively monitor for unusual DLL loading in directories that impersonate legitimate system paths.

Applying behavioral detection to flag in-memory shellcode execution and maintaining updated endpoint telemetry remain practical steps toward catching these threats before they can fully deliver their payloads.
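Two of the host-side checks recommended above can be scripted. The following is an added example for this article, not Unit 42's code: it flags PE files staged under a vendor-named folder in ProgramData that contains a punctuation-only subdirectory (the campaign's ProgramData\Intel\_\ pattern), and it interprets the NoDriveTypeAutoRun policy value to confirm AutoRun is blocked for removable drives. The event records are constructed and their field names are assumptions rather than a real Sysmon schema; the vendor list is likewise an assumption.

```python
"""Hunt for two defensive signals the article points to: binaries staged under
directories that imitate vendor folders (the campaign used ProgramData\\Intel\\_\\),
and an AutoRun policy that still allows removable drives.
Added example for this article; not Unit 42's code.  Event records below are
constructed and the field names are assumptions, not a real Sysmon schema."""
import re
from pathlib import PureWindowsPath

# Vendor folder names a staging path is likely to borrow (constructed list).
VENDOR_DIRS = {"intel", "microsoft", "windows", "nvidia"}
# A directory whose name is only punctuation (e.g. "_") is not something a
# vendor installer creates.
JUNK_DIR = re.compile(r"^[\W_]+$")
PE_EXTENSIONS = {".dll", ".exe"}


def is_impersonating_path(path: str) -> bool:
    """True when a PE file sits under ProgramData\\<vendor>\\...\\<junk>\\ ..."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in PE_EXTENSIONS:
        return False
    parts = [s.lower() for s in p.parts[:-1]]  # directory components only
    try:
        root = parts.index("programdata")
    except ValueError:
        return False
    below = parts[root + 1:]
    if not below or below[0] not in VENDOR_DIRS:
        return False
    return any(JUNK_DIR.match(seg) for seg in below[1:])


# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
# disabled; DRIVE_REMOVABLE is type 2, so its bit is 1 << 2 = 0x04.
# 0xFF disables AutoRun for every drive type.
REMOVABLE_BIT = 0x04


def autorun_blocked_for_removable(no_drive_type_autorun: int) -> bool:
    return bool(no_drive_type_autorun & REMOVABLE_BIT)


# Constructed events resembling image-load (7) and process-create (1) records.
SAMPLE_EVENTS = [
    {"event_id": 7, "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\ProgramData\Intel\_\EVENT.dll"},
    {"event_id": 1, "image": r"C:\ProgramData\intel\_\UsbConfig.exe",
     "image_loaded": None},
    {"event_id": 7, "image": r"C:\Program Files\Intel\Driver\driverhelper.exe",
     "image_loaded": r"C:\Program Files\Intel\Driver\driverhelper.dll"},
    {"event_id": 1, "image": r"C:\ProgramData\Intel\Logs\collect.exe",
     "image_loaded": None},
]


def hunt(events) -> list[str]:
    """Return the suspicious binary paths found in a list of events."""
    hits = []
    for ev in events:
        candidate = ev["image_loaded"] if ev["event_id"] == 7 else ev["image"]
        if candidate and is_impersonating_path(candidate):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print("suspicious:", h)
    # 0x91 is a common default; 0xFF is the hardened value.
    print("removable AutoRun blocked (0x91):", autorun_blocked_for_removable(0x91))
    print("removable AutoRun blocked (0xFF):", autorun_blocked_for_removable(0xFF))
```

The path check deliberately keys on the punctuation-only subdirectory rather than on the vendor folder alone, because legitimate Intel and Microsoft software does write under ProgramData; the goal is to surface the staging pattern without drowning the analyst in benign loads.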


The post Hackers Use USB Malware, RATs, and Stealers in Espionage Attacks on Southeast Asian Government appeared first on Cyber Security News.
