This investigation revealed a persistent espionage campaign targeting a government organization in Southeast Asia. Our analysis identified three distinct clusters of activity operating in parallel within the victim's network, each with different tools and methods but likely working toward a common objective:

- **Stately Taurus:** We attributed one of the activity clusters with high confidence to this threat actor, which leveraged USB-based malware to deploy the PUBLOAD backdoor, a consistent TTP for this group.
- **CL-STA-1048:** This cluster includes attacks using a toolkit of espionage payloads, deploying multiple RATs such as MasolRAT and the RawCookie backdoor. The use of diverse and sometimes noisy tooling suggests a determined effort to establish a foothold. This activity shows links to publicly reported China-affiliated actors such as Earth Estries and those behind the Crimson Palace campaign.
- **CL-STA-1049:** This cluster features stealth and persistence, with attackers using the novel Hypnosis loader to deploy the FluffyGh0st RAT. This activity overlaps with the China-aligned group known as Unfading Sea Haze.

The convergence of these three distinct, China-aligned clusters against a single, high-value government target illustrates a complex and well-resourced operation.
| Vendor | Product | Versions |
|---|---|---|
| Palo Alto Networks | Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Cortex XDR, XSIAM | — |
Updated description with detailed technical information, added vendor Palo Alto Networks, product details, and marked the severity as HIGH with exploit availability confirmed.
Initial creation