A recent investigation uncovered a highly coordinated cyber espionage operation aimed at a government organization in Southeast Asia. The activity, observed between June and August 2025, reveals a multi-layered attack involving different threat clusters operating simultaneously within the same network.
The attackers relied on a mix of USB-based malware propagation, stealth loaders, and multiple Remote Access Trojans (RATs) to gain long-term access. Their approach clearly indicates a strategic objective: maintaining persistence and continuously extracting sensitive information rather than causing immediate disruption.

Campaign Overview
The investigation identified three separate but overlapping activity clusters:
- Stately Taurus
- CL-STA-1048
- CL-STA-1049
Each cluster used different techniques and malware families, yet all appeared to target the same organization with a shared objective. The overlap in tactics suggests coordination or at least shared intelligence among threat actors.
The attack demonstrates a sophisticated level of planning, combining persistence mechanisms, stealth techniques, and multiple fallback tools to ensure continued access.
Stately Taurus Activity: USB-Based Infection Chain
The first cluster, attributed to Stately Taurus, relied heavily on USB-based malware known as USBFect (HIUPAN).
This malware spreads through removable drives and installs a loader called ClaimLoader, which deploys the PUBLOAD backdoor directly into memory.
Key Capabilities
- Automatic propagation through USB devices
- Monitoring for new removable drives
- Self-replication across systems
- In-memory payload execution
A notable artifact from this infection includes:
SHA256:
4b29b74798a4e6538f2ba245c57be82953383dc91fe0a91b984b903d12043e92
Execution Flow
- USB device infects host system
- ClaimLoader decrypts shellcode using XOR
- PUBLOAD executes in memory
- Data is collected and sent to command-and-control (C2) servers
The malware transmits system data such as hostname, username, and system uptime using encrypted TCP communication disguised as TLS traffic.
CoolClient: Secondary Access Tool
Alongside PUBLOAD, researchers identified CoolClient, a lesser-known loader with anti-analysis techniques.
Observed File Paths
C:\ProgramData\GoogleUpdate\libvlc.dll
C:\Users\$USER$\AppData\LocalLow\Brother\PrtDrv\sangforvpnlibcrypto-1_1.dll
Capabilities
- File upload and deletion
- Network tunneling
- Keylogging
- Port mapping
CoolClient appears to function as a support tool for lateral movement rather than a full-featured backdoor.
CL-STA-1048: Multi-Tool Espionage Framework
This cluster demonstrated a more aggressive approach by deploying multiple malware families simultaneously.
Key Components
- EggStremeFuel backdoor
- Masol RAT
- EggStreme Loader (Gorem RAT)
- TrackBak infostealer
EggStremeFuel
A lightweight TCP backdoor that stores encrypted configuration data and communicates using RC4 encryption.
Example C2 configuration: dm:laichingte[.]net##ip:58.69.38[.]83##
Masol RAT
A Windows-based backdoor that communicates over HTTP using AES encryption.
Capabilities include:
- Command execution
- File transfer
- Configuration updates
Gorem RAT (via EggStreme Loader)
This advanced RAT supports over 50 commands and includes:
- Keylogging
- Clipboard monitoring
- Network tracking
- Dropbox-based data exfiltration
TrackBak Stealer
Designed for silent data theft, TrackBak collects:
- Keystrokes
- Clipboard content
- Files from drives
- Network details
This cluster reflects persistence through redundancy—if one payload fails, another takes over.
CL-STA-1049: Stealth Operations with Hypnosis Loader
The third cluster focused on stealth and evasion.
Attackers used a custom loader named Hypnosis to deploy FluffyGh0st RAT, a modified version of Gh0st RAT.
Infection Method
- DLL sideloading via legitimate executable (seccenter.exe)
- Execution hijacking using patched entry points
- Payload decryption using RC4
Key Files
C:\Program Files\Common Files\Bitdefender\SetupInformation\version.dll
C:\Program Files\Common Files\Bitdefender\SetupInformation\bdusersy.dll
C2 Communication
webmail.rpcthai[.]com
webmail.homesmountain[.]com
FluffyGh0st Capabilities
- Remote system control
- Plugin-based modular execution
- Encrypted communication (RC4 + LZNT1 compression)
This cluster emphasizes stealth, persistence, and modular expansion.
Attribution Analysis
While direct attribution remains uncertain, several indicators suggest links to China-aligned threat actors:
- Shared malware families across campaigns
- Similar TTPs with known operations
- Overlap with previously documented campaigns
However, the reuse of tools across groups makes definitive attribution difficult.
Our Analysis and Opinion
This campaign highlights how modern cyber espionage has evolved into a multi-layered and highly persistent operation. What stands out is not just the variety of tools used, but the strategy behind their deployment. Instead of relying on a single payload, the attackers used overlapping techniques, ensuring that even if one method failed, others could maintain access.
The use of USB propagation is particularly interesting because it bypasses traditional network-based defenses. At the same time, stealth loaders like Hypnosis show a clear focus on evasion and long-term persistence. This combination of old-school techniques with modern malware engineering reflects a mature and well-funded threat actor.
Another important takeaway is the level of coordination. Even though the clusters appear separate, their shared objectives and overlapping tools suggest a broader ecosystem of threat actors working toward similar goals.
From a defensive perspective, this case reinforces the importance of layered security, endpoint monitoring, and strict control over removable media. Organizations should also focus on behavioral detection rather than relying only on signatures, as many of these tools are designed to evade traditional detection methods.
Conclusion
This operation is a strong example of how advanced threat actors operate today. It combines persistence, stealth, and adaptability, making detection and response significantly more challenging.
Organizations, especially government entities, must assume that attackers are not just trying to get in—but to stay in for as long as possible.
