Hackers Deploy USB Malware, RATs, and Stealers in Southeast Asian Government Attacks

A multi-cluster cyberespionage operation in which attackers used USB-propagated malware, multiple RATs, loaders, and a custom stealer to target a Southeast Asian government organization between June and August 2025.

Analysts initially observed USB-borne malware dubbed USBFect (also known as HIUPAN), which spreads through removable drives and deploys the PUBLOAD backdoor for lateral movement.

Further telemetry revealed two additional, distinct activity clusters, labeled CL-STA-1048 and CL-STA-1049, operating in parallel against the same victim.

The three clusters share overlapping tactics, techniques, and procedures for public reporting on China-aligned threat activity, including Crimson Palace, Earth Estries, and Unfading Sea Haze, suggesting a common strategic interest and possible coordination among the operators.

Unit 42’s investigation started by tracking activity linked to Stately Taurus from June 1 to Aug. 15, 2025, inside a Southeast Asian government network.

Rather than causing disruption, the attackers appeared focused on long-term access and intelligence collection across the government environment.

USBFect and PUBLOAD

The Stately Taurus-linked cluster relied on USBFect to move across endpoints via infected USB media and stage components on disk.

USBFect installs its modules, monitors for new removable or hot‑pluggable drives and copies itself to those devices, behavior that matches earlier descriptions of the HIUPAN family.

Once present, USBFect loads ClaimLoader, a shellcode loader that decrypts and executes the PUBLOAD backdoor in memory to establish command-and-control over TCP.

Shellcode decryption and execution by ClaimLoader (Source : Unit42).
Shellcode decryption and execution by ClaimLoader (Source : Unit42).

On compromised systems, PUBLOAD encrypts host information such as volume data, computer name and username using XOR loops before sending it to its C2 with a fake TLS header.

Stately Taurus activity in the same environment also included CoolClient, a tunneling- and stealing-oriented tool that uses heavy anti-disassembly to hide shellcode loaders and supports capabilities such as file upload, deletion, tunneling and keylogging.

Researchers note that specific anti-disassembly techniques in CoolClient match those seen in USBFect/HIUPAN, strengthening the attribution to Stately Taurus.

The open-source C++ library HP-Socket to support multiple C2 protocols and a client/server two-way connection.

HP-Socket’s class information embedded in CoolClient (Source : Unit42).
HP-Socket’s class information embedded in CoolClient (Source : Unit42).

The CL-STA-1048 cluster deployed an espionage toolkit designed to test multiple payloads and evade detection, likely in an effort to bypass XDR defenses.

Unit 42 observed a lightweight TCP backdoor called EggStremeFuel injected via mscorsvw.exe, which stores its RC4-encrypted configuration in a browser cookies file and supports commands for file operations, reverse shells and dynamic C2 updates.

Roughly 20 minutes later, Masol RAT appeared on the same host as a Windows service DLL, communicating over AES-encrypted HTTP POST and supporting arbitrary command execution and file transfers.

The cluster also dropped TrackBak, a simple infostealer masquerading as a Microsoft Edge log that collects keystrokes, clipboard contents, network details and files from attached drives.

Masol and EggStreme tooling have both been previously tied to China-affiliated campaigns such as Earth Estries and Crimson Palace, and Masol shares code-level overlaps with the Backdr-NQ Linux backdoor.

In parallel, EggStreme Loader executed, a multi-layer loader that uses DarkLoadLibrary and libpeconv to reflectively load Gorem RAT in memory, along with a keylogger that records keystrokes, window titles and clipboard data to a local cache file.

 An overview of EggStreme Loader’s execution flow (Source : Unit42).
 An overview of EggStreme Loader’s execution flow (Source : Unit42).

These technical links, along with the chosen victimology, strengthen the assessment that CL-STA-1048 is operated by or on behalf of a China-aligned espionage actor.

Hypnosis Loader and FluffyGh0st

A third cluster, CL-STA-1049, focused on stealthy DLL sideloading to deploy FluffyGh0st RAT. Beginning Aug. 1, 2025, Unit 42 observed a malicious DLL named Hypnosis loader being sideloaded by a legitimate Bitdefender executable (seccenter.exe) from the security product’s installation directory.

 Disassembled instructions showing the patched DLL host process code (Source : Unit42).
Disassembled instructions showing the patched DLL host process code (Source : Unit42).

To avoid crashing the host process, Hypnosis proxies exports to the genuine system version.dll, then patches the process entry point to an infinite sleep loop while a new thread decrypts and loads the final payload bdusersy.dll via LoadLibrary.

Telemetry showed bdusersy.dll communicating with infrastructure hosted on a hijacked Thai corporate domain, and related samples and imphash links associated this payload with FluffyGh0st.

FluffyGh0st is a customized variant of the public Gh0st RAT family, previously attributed by Bitdefender to the China-aligned group Unfading Sea Haze and also observed in Crimson Palace Cluster Bravo activity.

It provides remote control of infected systems and can extend its functionality through RC4-encrypted, LZNT1-compressed plugins retrieved from its C2 servers.

Palo Alto Networks notes that customers can detect and block much of this activity through security services such as Advanced WildFire for malware analysis, Advanced URL Filtering and Advanced DNS Security for C2 disruption, and the Cortex XDR and XSIAM platforms for unified detection and response.

Organizations in government and other high-value sectors in Southeast Asia should review USB usage policies, DLL sideloading exposure and EDR coverage for unusual loaders, RATs and infostealers consistent with these TTPs.

Related Articles

Back to top button