China-linked Cyber Campaign Targets Southeast Asian Government

Severity: High (Score: 72.5)

Sources: Scworld, Securityaffairs.Co

Summary

In 2025, multiple China-linked threat groups executed a sophisticated cyber campaign against a Southeast Asian government, using several malware families to gain persistent access and exfiltrate sensitive data. The operation involved three distinct clusters, Mustang Panda, CL-STA-1048 and CL-STA-1049, each employing advanced techniques and a range of malware including HIUPAN, PUBLOAD and FluffyGh0st. Mustang Panda notably used the USBFect worm to propagate via infected USB drives, enabling lateral movement and data theft. The campaign spanned March to September 2025, indicating a well-coordinated effort backed by significant resources. The impact of the attack remains under assessment, but the sophistication of the operation suggests a serious security breach for the affected government.

Key Points

  • China-linked groups executed a complex cyber campaign against a Southeast Asian government in 2025.
  • The operation involved three clusters and multiple malware families, including PUBLOAD and FluffyGh0st.
  • Mustang Panda used the USBFect worm for malware propagation and data exfiltration.

Key Entities

  • Crimson Palace (apt_group)
  • Earth Estries (apt_group)
  • Mustang Panda (apt_group)
  • Unfading Sea Haze (apt_group)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • China (country)
  • Government (industry)
  • EggStremeFuel (malware)
  • EggStremeFuel/Loader (malware)
  • FluffyGh0st (malware)
  • Hiupan (malware)
  • Hypnosis Loader (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1091 - Replication Through Removable Media (mitre_attack)