Recent research published by Palo Alto Networks Unit 42 describes a sophisticated and sustained campaign against a government institution in South-East Asia, and puts a disturbing fact on the table: multiple activity clusters linked to China-aligned actors operated simultaneously or overlapped, with objectives that appear to converge on long-term access to sensitive networks.
According to Unit 42 analysts Doel Santos and Hiroaki Hara, three main groups were identified that operated in different periods of 2025 and that, although they did not always use the same tools, showed a "significant match in tactics, techniques and procedures" suggesting coordination or shared strategic interests. These groups include the one known as Mustang Panda, active between June and August 2025, and two clusters tracked internally as CL-STA-1048 (with publicly documented overlaps with the campaigns called Earth Estries and Crimson Palace) and CL-STA-1049 (which has shown a relationship to what has been reported as Unfading Sea Haze). For those who want to consult the original source, the Unit 42 work is available on the Palo Alto Networks site: https://unit42.paloaltonetworks.com/.

The attacks deployed a variety of malware families with features oriented towards long-term intrusion: from loaders that spread via USB devices to loaders that work through DLL side-loading; from backdoors with broad remote-management capabilities to "stealers" specialised in collecting credentials and user artifacts. Among the tools the researchers mention is HIUPAN (also known as USBFect or U2DiskWatch), which has been used to initiate infections from USB drives and to facilitate delivery of the PULLOAD backdoor by means of a malicious DLL called Caimloader. Mustang Panda also used backdoors such as COOLCLIENT, which provides file transfer, keystroke logging and traffic tunnelling: capabilities that persist over time and facilitate lateral movement.
The CL-STA-1048 cluster, on the other hand, used components of the EggStreme family, such as EggStremeFuel, a lightweight backdoor with file transfer, system enumeration and reverse-shell functions, and EggStremeLoader, which extends these capabilities by accepting dozens of remote commands to exfiltrate data. Alongside them, remote-access Trojans such as MASOL RAT (Backdr-NQ) and information-stealing utilities such as TrackBak were detected, capable of collecting logs, clipboard data, network information and files stored on disk. Combined, these components allow both mass collection of information and permanent control of the compromised machines.
In the case of CL-STA-1049, the attackers used a new DLL loader called Hypnosis Loader, which is triggered through DLL side-loading (a legitimate, typically signed executable is made to load an attacker-supplied DLL placed where the loader resolves it before the genuine library) to ultimately deploy FluffyGh0st RAT. The use of side-loading and of physical vectors such as USB highlights the mix of classic and new techniques: while some intrusions rely on social engineering and the abuse of legitimate operating-system functionality, others resort to offline media to bypass perimeter controls.
Beyond the names and technical components, what makes this campaign particularly concerning is its apparent purpose: it was not a matter of one-off sabotage, but of establishing and maintaining persistent access to government networks, which allows continued monitoring, exfiltration of sensitive information and the ability to regroup or reactivate operations in the future. This pattern fits the activity observed in state-sponsored operations, which prioritise long-term control over immediate disruption. Those who want to dig deeper into the broader context of state threats and their tactics can review reference resources such as MITRE ATT&CK at https://attack.mitre.org/ and the analyses of state-sponsored actors published by incident response and threat intelligence teams at cybersecurity companies and software vendors.

For organisations that manage critical networks, the lesson is twofold. First, defences must account for physical vectors that are hard to mitigate, such as infected USB devices, so clear policies on removable media, controls on automatic execution (autorun) and physical inspection procedures are fundamental. Second, one must assume that attackers will try to establish persistence using legitimate system mechanisms, such as DLL side-loading or authorised services, so detection requires rich telemetry, event correlation and proactive hunting for anomalies. Adding strong authentication, network segmentation, strict privilege control and verified backups reduces the impact of a compromise and accelerates recovery.
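As an added illustration of the side-loading technique described for Hypnosis Loader above and of the telemetry-driven detection this paragraph calls for, the following Python script is an example written for this page, not code from Unit 42 or from any of the tools it names. It applies a simple heuristic to Sysmon-style Event ID 7 (image loaded) records: a signed host process loading a DLL from its own directory, where the DLL is unsigned or signed by someone else, or where the host is running from a user-writable location or a non-system drive such as a USB stick. The event records, file names and signer names are constructed for the example, and the ProcessSignature field is an assumption (it stands for the host executable's signer joined in from the matching process-creation event).

```python
"""Heuristic DLL side-loading detector over Sysmon-style image-load events.

Constructed example for illustration; the events below are made up and are
not indicators from Unit 42's report. Field names follow Sysmon Event ID 7
(Image loaded): Image = the process executable, ImageLoaded = the DLL it
loaded, Signed/Signature = Authenticode status and signer of the DLL, and
ProcessSignature = signer of the host executable (an assumed field, joined
in from the matching Event ID 1 record by the collection pipeline).
"""
from pathlib import PureWindowsPath
from typing import Optional

# Directories where a signed vendor binary normally lives; a signed executable
# running from anywhere else (user profile, temp, removable media) is suspect.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

SAMPLE_EVENTS = [
    # 1. Normal: signed Windows binary loads a Microsoft DLL from System32.
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": True, "Signature": "Microsoft Windows", "ProcessSignature": "Microsoft Windows"},
    # 2. Side-load: a legitimate signed vendor binary copied to Downloads loads an
    #    unsigned DLL carrying a name it expects, sitting next to it (hypothetical names).
    {"Image": r"C:\Users\alice\Downloads\updater.exe", "ImageLoaded": r"C:\Users\alice\Downloads\version.dll",
     "Signed": False, "Signature": "", "ProcessSignature": "Example Vendor Inc."},
    # 3. Side-load from removable media: signed binary on a USB stick loads a DLL
    #    signed by an unrelated party.
    {"Image": r"E:\tools\viewer.exe", "ImageLoaded": r"E:\tools\libcurl.dll",
     "Signed": True, "Signature": "Some Other Publisher", "ProcessSignature": "Example Vendor Inc."},
    # 4. Benign: unsigned developer build loading its own unsigned DLL. Not flagged,
    #    because the host is not a signed binary whose trust an attacker could inherit.
    {"Image": r"C:\dev\build\app.exe", "ImageLoaded": r"C:\dev\build\helper.dll",
     "Signed": False, "Signature": "", "ProcessSignature": ""},
    # 5. Benign: signed vendor app in Program Files loading its own signed DLL.
    {"Image": r"C:\Program Files\ExampleVendor\app.exe", "ImageLoaded": r"C:\Program Files\ExampleVendor\core.dll",
     "Signed": True, "Signature": "Example Vendor Inc.", "ProcessSignature": "Example Vendor Inc."},
]


def _in_trusted_dir(path: str) -> bool:
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in TRUSTED_DIRS)


def _on_removable_drive(path: str, system_drives=("C:",)) -> bool:
    # Crude: anything not on a known fixed system drive. A real pipeline would
    # join against drive-type telemetry instead of a drive-letter list.
    return PureWindowsPath(path).drive.upper() not in system_drives


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the image-load event looks like DLL
    side-loading, or None if it looks benign."""
    exe, dll = event["Image"], event["ImageLoaded"]
    exe_signer, dll_signer = event.get("ProcessSignature", ""), event.get("Signature", "")

    # Side-loading abuses a *signed* host process; an unsigned host gains nothing.
    if not exe_signer:
        return None
    # The planted DLL must be resolved ahead of the real one: same directory as the host.
    if PureWindowsPath(exe).parent != PureWindowsPath(dll).parent:
        return None
    # Host and DLL from the same signer in a normal install path is expected.
    if event.get("Signed") and dll_signer == exe_signer and _in_trusted_dir(exe):
        return None

    reasons = []
    if not event.get("Signed"):
        reasons.append("unsigned DLL beside signed host")
    elif dll_signer != exe_signer:
        reasons.append(f"DLL signer {dll_signer!r} != host signer {exe_signer!r}")
    if _on_removable_drive(exe):
        reasons.append("host executing from removable/non-system drive")
    elif not _in_trusted_dir(exe):
        reasons.append("signed host running outside standard install directories")
    return "; ".join(reasons) if reasons else None


def find_sideloads(events: list) -> list:
    """Return (host exe, DLL, reason) for every event classify() flags."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for exe, dll, why in find_sideloads(SAMPLE_EVENTS):
        print(f"SUSPECT {exe} -> {dll}: {why}")
```

On the sample data the script flags events 2 and 3 and leaves the three benign loads alone. The heuristic deliberately keys on the combination the paragraph describes (a legitimate signed host plus a co-located DLL of doubtful provenance, plus an unusual execution location), rather than on hashes or file names, because the loader DLLs in this campaign are exactly the artifacts an attacker can rename or rebuild at will; a signed portable application that ships its own signed DLLs in a user directory will still produce a low-severity hit, which is the tuning knob to adjust against local software inventory.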
This research also highlights the importance of sharing intelligence and of collaboration between local teams, security vendors and national agencies. The techniques and tools Unit 42 has detailed can help incident response teams identify similar indicators of compromise and behaviour patterns on other networks. For practical guidance on detecting and responding to persistent threats, the United States Cybersecurity and Infrastructure Security Agency (CISA) and large security vendors publish guides and advisories that can be consulted at https://www.cisa.gov/ and on corporate security blogs such as Microsoft's at https://www.microsoft.com/security/blog/.
In short, the case described by Unit 42 illustrates how actors with broad resources and strategic objectives use a diversified set of tools and techniques to infiltrate and remain inside government networks. The convergence of several clusters with technical and temporal overlaps points to a coordinated effort to maintain continuous monitoring and access, not to isolated operations aimed only at one-off damage. Staying alert, updating defences and sharing intelligence are essential steps to narrow the exposure window against these campaigns.