
Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

Unit 42 identified a coordinated cyberespionage campaign targeting a Southeast Asian government entity, involving three distinct China-aligned threat clusters. The attackers utilized a variety of tools including USB worms, custom loaders, and multiple remote access Trojans (PUBLOAD, Masol, Gorem, FluffyGh0st) to establish persistent access, evade detection via DLL sideloading, and exfiltrate sensitive data.

Confidence: high · Analyzed: 2026-03-27 · Reports

Authors: Unit 42

Actors:

  • Stately Taurus
  • CL-STA-1048
  • CL-STA-1049
  • Earth Estries
  • Crimson Palace
  • Unfading Sea Haze
  • Mustang Panda
  • Earth Preta

Source: Palo Alto Networks

IOCs · 7

Key Takeaways

  • Three distinct China-aligned threat clusters (Stately Taurus, CL-STA-1048, CL-STA-1049) conducted a coordinated cyberespionage campaign against a Southeast Asian government.
  • Stately Taurus utilized the USBFect worm to propagate via removable media and deploy the PUBLOAD backdoor and CoolClient loader.
  • CL-STA-1048 deployed a diverse espionage toolkit including EggStremeFuel, Masol RAT, Gorem RAT, and the TrackBak stealer.
  • CL-STA-1049 used a novel DLL sideloading tool named Hypnosis loader to deploy the FluffyGh0st RAT, patching host process entry points to evade detection.
  • The campaign demonstrated heavy reliance on DLL sideloading of legitimate binaries (e.g., Bitdefender's seccenter.exe) and in-memory execution techniques.

Affected Systems

  • Windows OS
  • Microsoft Edge (mscorsvw.exe)
  • Bitdefender (seccenter.exe)
  • MsMpEng.exe
  • winlogon.exe
  • rundll32.exe

Attack Chain

The campaign began with Stately Taurus using the USBFect worm to propagate via removable drives, dropping the ClaimLoader to execute the PUBLOAD backdoor in memory. Concurrently, CL-STA-1048 deployed a suite of tools including the EggStremeFuel backdoor, Masol RAT, and Gorem RAT, utilizing DLL sideloading and reflective injection into processes like MsMpEng.exe to establish persistence and exfiltrate data. Finally, CL-STA-1049 utilized a novel Hypnosis loader sideloaded via a legitimate Bitdefender executable (seccenter.exe) to deploy the FluffyGh0st RAT, patching the host process entry point with an infinite Sleep loop to evade detection and maintain stealth.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but offers extensive IOCs including file hashes, domains, IPs, and file paths for threat hunting.

Detection Engineering Assessment

  • EDR Visibility: High — The attackers heavily rely on DLL sideloading, process injection (MsMpEng.exe, winlogon.exe), and dropping files to disk, all of which are highly visible to modern EDR solutions.
  • Network Visibility: Medium — C2 communications use standard protocols (HTTP, TCP, gRPC) and fake TLS headers, which can blend in with legitimate traffic, though the specific domains and IPs are identifiable.
  • Detection Difficulty: Moderate — While the malware uses anti-disassembly and in-memory execution, the reliance on specific file paths, DLL sideloading of known legitimate binaries, and USB propagation provides solid detection opportunities.

Required Log Sources

  • Event ID 1 (Process Creation)
  • Event ID 7 (Image Loaded)
  • Event ID 11 (File Create)
  • Event ID 3 (Network Connection)

Hunting Hypotheses

  • Hypothesis: Hunt for suspicious DLLs loaded by legitimate Microsoft or Bitdefender binaries (e.g., seccenter.exe, mscorsvw.exe) from unusual directories.
    • Telemetry: Event ID 7 (Image Loaded) combined with Event ID 1 (Process Creation)
    • ATT&CK Stage: Execution / Persistence
    • FP Risk: Low
  • Hypothesis: Look for unexpected file creation events on removable media drives, specifically files named EVENT.dll or hidden directories.
    • Telemetry: Event ID 11 (File Create) on removable drives
    • ATT&CK Stage: Initial Access / Lateral Movement
    • FP Risk: Low
  • Hypothesis: Monitor for processes establishing network connections to unknown external IPs using gRPC or mismatched TLS headers.
    • Telemetry: Network flow logs, Event ID 3 (Network Connection)
    • ATT&CK Stage: Command and Control
    • FP Risk: Medium
  • Hypothesis: Detect anomalous modifications or creations of files in %APPDATA%\Microsoft\Windows\Cookies\ or %LOCALAPPDATA%\Microsoft\Windows\Explorer\thumbcache.dat.
    • Telemetry: Event ID 11 (File Create) and File Modification events
    • ATT&CK Stage: Collection / Command and Control
    • FP Risk: Low
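The first two hypotheses above, applied to Sysmon-style telemetry, as an added example that is neither Unit 42's code nor part of this summary. The event IDs (7 and 11), the host binaries seccenter.exe and mscorsvw.exe, the EVENT.dll name and the SetupInformation / underscore-directory path shapes come from this page; the dictionary record format, the allow-list of expected image directories, the set of removable drive letters and every sample event are assumptions constructed for the example.

```python
"""Hunt for sideload-host image loads from unexpected directories (Event ID 7)
and for USB staging artifacts on removable drives (Event ID 11).

Record shape, allow-list and sample events are constructed for this example;
the binary names, event IDs and path shapes are taken from the summary above.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Legitimate binaries the report says were used as DLL sideloading hosts (from the page).
SIDELOAD_HOSTS = {"seccenter.exe", "mscorsvw.exe"}

# Directories from which an image load by those hosts is treated as expected.
# Assumption for the example; tune to the real install footprint of each product.
EXPECTED_IMAGE_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\windows\microsoft.net",
    r"c:\program files\bitdefender",
)


def _norm(path: str) -> str:
    """Lower-case and normalise separators so prefix checks are stable."""
    return path.replace("/", "\\").lower()


def check_image_load(ev: dict) -> Optional[str]:
    """Hypothesis 1: a known sideload host loading an image from an unexpected directory.

    The file suffix is deliberately not checked: the page lists a payload
    masquerading as $FILE_NAME$.log, so a sideloaded image need not end in .dll.
    """
    host = PureWindowsPath(ev["Image"]).name.lower()
    if host not in SIDELOAD_HOSTS:
        return None
    loaded = _norm(ev["ImageLoaded"])
    if any(loaded.startswith(d + "\\") for d in EXPECTED_IMAGE_DIRS):
        return None
    return f"sideload-suspect: {host} loaded {ev['ImageLoaded']}"


def check_file_create(ev: dict, removable_drives: set) -> Optional[str]:
    """Hypothesis 2: EVENT.dll, or an underscore-only directory, created on a removable drive."""
    target = _norm(ev["TargetFilename"])
    if target[:2] not in removable_drives:
        return None
    path = PureWindowsPath(ev["TargetFilename"])
    if path.name.lower() == "event.dll":
        return f"usb-staging: {ev['TargetFilename']}"
    # The USBFect path on the page nests directories named "_"; treat such
    # underscore-only directory names as the "hidden directory" indicator.
    if any(re.fullmatch(r"_+", part) for part in path.parts[1:-1]):
        return f"usb-hidden-dir: {ev['TargetFilename']}"
    return None


def hunt(events: list, removable_drives: set) -> list:
    """Apply both checks and return one finding string per matching event, in input order."""
    findings = []
    for ev in events:
        finding = None
        if ev["EventID"] == 7:
            finding = check_image_load(ev)
        elif ev["EventID"] == 11:
            finding = check_file_create(ev, removable_drives)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). The seccenter.exe copy under
# SetupInformation is an assumed placement; bdcore.dll is a hypothetical module name.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Program Files\Bitdefender\Endpoint Security\seccenter.exe",
     "ImageLoaded": r"C:\Program Files\Bitdefender\Endpoint Security\bdcore.dll"},
    {"EventID": 7,
     "Image": r"C:\Program Files\Common Files\Bitdefender\SetupInformation\seccenter.exe",
     "ImageLoaded": r"C:\Program Files\Common Files\Bitdefender\SetupInformation\bdusersy.dll"},
    {"EventID": 7,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7,  # host not in the watched set, so hypothesis 1 ignores it
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\ProgramData\anything\EVENT.dll"},
    {"EventID": 11, "TargetFilename": r"E:\_\_\EVENT.dll"},
    {"EventID": 11, "TargetFilename": r"E:\report.docx"},
    {"EventID": 11,  # fixed disk, so outside hypothesis 2
     "TargetFilename": r"C:\Users\Public\Libraries\Dialogui\EVENT.dll"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS, removable_drives={"e:"}):
        print(line)
```

Run against the constructed events, the hunt reports only the seccenter.exe load from the SetupInformation directory and the EVENT.dll creation on E:. Feeding it real Sysmon exports means mapping the Image, ImageLoaded and TargetFilename fields into the same dictionary shape and supplying the removable-drive letters from device inventory; the allow-list is where false positives are tuned, since each product's legitimate module directories differ per deployment.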

Control Gaps

  • USB Device Control
  • Application Control (allowing sideloading)

Key Behavioral Indicators

  • DLL sideloading via seccenter.exe
  • Infinite Sleep loop patching in host processes
  • Fake TLS headers (17 03 03) over TCP
  • CryptEnumOIDInfo API used for shellcode execution

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block all identified C2 domains and IP addresses.
  • Search endpoints for the provided file hashes and file paths.
  • Isolate any systems exhibiting signs of USBFect or PUBLOAD infection.

Infrastructure Hardening

  • Implement strict USB device control policies to prevent unauthorized removable media.
  • Enforce application control to block unauthorized DLLs from loading, even by legitimate applications.

User Protection

  • Deploy and tune EDR to detect DLL sideloading and process injection techniques.
  • Ensure antivirus definitions are updated to catch known variants of PUBLOAD, Masol RAT, and FluffyGh0st.

Security Awareness

  • Train users on the risks of plugging in untrusted USB drives.
  • Educate staff on recognizing signs of unauthorized access or unusual system behavior.

MITRE ATT&CK Mapping

  • T1091 - Replication Through Removable Media
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1055.001 - Process Injection: Dynamic-link Library Injection
  • T1056.001 - Input Capture: Keylogging
  • T1140 - Deobfuscate/Decode Files or Information
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1027 - Obfuscated Files or Information

Additional IOCs

  • IPs:
    • 103[.]15[.]29[.]17 - Associated IPv4 address
    • 103[.]131[.]95[.]107 - Associated IPv4 address
    • 103[.]122[.]164[.]106 - Associated IPv4 address
    • 109[.]248[.]24[.]177 - Associated IPv4 address
    • 120[.]89[.]46[.]135 - Associated IPv4 address
    • 58[.]69[.]38[.]83 - EggStremeFuel C2 IP address extracted from configuration
  • Domains:
    • distrilyy[.]net - Associated domain
    • fikksvex[.]com - Associated domain
    • popnike-share[.]com - Associated domain
    • shepinspect[.]com - Associated domain
    • theuklg[.]com - Associated domain
    • webmail[.]homesmountain[.]com - FluffyGh0st C2 server domain
  • File Hashes:
    • 835795aa494021752f21fbef63c81227c1b934437a02aa1f2a258c9f60b0b7a3 (SHA256) - CoolClient loader DLL
    • 851d57a2bf514202f54dafa1eb83a862653be7512b6e9535914b8d1d719d495f (SHA256) - CoolClient loader DLL
    • 6caa78943939bd7518f5e7eaa44fa778d0db8b822e260d7fe281cf45513f82d9 (SHA256) - EggStreme loader (XblAuthManagers.dll)
    • 84e37e42312b9a502c40cf1f3fc181e3ebd4f3e35c58bbf182740dfe38d3b6b9 (SHA256) - TrackBak infostealer
    • c774fd7373084f93383593f0a40f56c8a8b95b73e59cd4fc7117daa6b7441e73 (SHA256) - Likely final payload (bdusersy.dll) for Hypnosis loader
    • 35ca351a831c67f0e0a658a186be0065043e0977cb70771c03a24b0523edcf30 (SHA256) - Malicious DLL masquerading as a log file ($FILE_NAME$.log)
    • 34bf325492614dd4d842ec24f22a402ab73908cb91a74846945eae4775290ff2 (SHA256) - FluffyGh0st related DLL
    • f07b2af21e3fab6af5166a44ca77ed0ebc7c9a3e623202a63d4c4492abce8d65 (SHA256) - FluffyGh0st payload
    • 58ed0463d4cb393cd09198a6409591b39cae06bb0ba5f5d760186de88410f6b8 (SHA256) - FluffyGh0st payload
    • 4e26aa1bb28874f0897ab9a08e61d4b99caaa395fe63cbe4398f7297371e388c (SHA256) - FluffyGh0st payload
    • 11c7728697d5ea11c592fee213063c6369340051157f71ddc7ca891f5f367720 (SHA256) - FluffyGh0st payload found in ZIP with Hypnosis loader
  • File Paths:
    • D:\WorkProject\2023\GJ0215\src\USBInfection\sln\USBFect\Release\USBFect.pdb - PDB path found in USBFect sample
    • D:\_\_\_\_\_\_\_\_\_\_\_\_\_\_\EVENT.dll - USBFect infection path on removable media
    • ProgramData\intel\_\$.ini - Staged file for PUBLOAD propagation
    • ProgramData\Intel\_\EVENT.dll - Staged file for PUBLOAD propagation
    • ProgramData\intel\_\u2ec.dll - Staged file for PUBLOAD propagation
    • ProgramData\intel\_\UsbConfig.exe - Staged file for PUBLOAD propagation
    • C:\Users\Public\Libraries\Dialogui\EVENT.dll - Working directory for ClaimLoader
    • C:\ProgramData\GoogleUpdate\libvlc.dll - CoolClient loader DLL path
    • C:\Users\$USER$\AppData\LocalLow\Brother\PrtDrv\sangforvpnlibcrypto-1_1.dll - CoolClient loader DLL path
    • c:\programdata\GoogleUpdate\loader.ja - Encrypted file loaded by CoolClient
    • %APPDATA%\Microsoft\Windows\Cookies\Cookies.dat - Encrypted C2 configuration storage for EggStremeFuel
    • C:\Windows\System32\AxInstSVs.dll - Masol RAT deployment path
    • E:\Masol_https190228\x64\Release\Masol.pdb - PDB path found in Masol RAT
    • C:\Windows\System32\XblAuthManagers.dll - EggStreme loader deployment path
    • %LOCALAPPDATA%\Microsoft\Windows\Explorer\thumbcache.dat - Output file for Gorem RAT keylogger module
    • C:\Program Files\Common Files\Bitdefender\SetupInformation\bdusersy.dll - Likely final payload path for Hypnosis loader
    • C:\Program Files\Common Files\Bitdefender\SetupInformation\$FILE_NAME$.log - Malicious DLL masquerading as a log file