Researchers Uncover Southeast Asia Government Cyberespionage Campaign

Unit 42 researchers uncovered a persistent cyberespionage campaign targeting a government organization in Southeast Asia between June 1 and Aug. 15, 2025. Analysts identified USBFect (aka HIUPAN), a USB-propagated malware that deploys the PUBLOAD backdoor, along with two distinct activity clusters: CL-STA-1048 (EggStremeFuel, Masol, Gorem, TrackBak) and CL-STA-1049 (the Hypnosis loader deploying FluffyGh0st). Overlaps with China-aligned groups suggest coordinated efforts and persistent access.
Key Points
- Documents the USBFect worm spreading via removable media and deploying the PUBLOAD backdoor between June 1 and Aug. 15, 2025
- Shows ties between CL-STA-1048/CL-STA-1049 and China-aligned groups, indicating coordinated espionage targeting government networks
- Recommends that defenders prioritize USB autorun monitoring, shellcode loader detection, and indicators such as the PUBLOAD SHA256 hashes
Scoring Rationale
Detailed, timely Unit 42 threat analysis with actionable indicators; scope limited to a specific Southeast Asian government target.
