root@rebel:~$ cd /news/threats/china-linked-apt-clusters-target-se-asian-government-via-hiupan_
[TIMESTAMP: 2026-03-30 08:39 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

China-Linked APT Clusters Target SE Asian Government via HIUPAN

CRITICAL Threat Intel #china#hiupan#pubload
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] China-linked threat actors are targeting a Southeast Asian government organization in a complex, multi-cluster cyber espionage campaign using diverse malware families.
  • [02] Affected systems include hosts reachable via removable USB media and Windows environments susceptible to custom stagers and backdoors such as PUBLOAD and EggStremeFuel.
  • [03] Defenders must disable USB AutoRun, implement strict peripheral controls, and utilize behavioral monitoring to identify unauthorized lateral movement and command-and-control activity.

A highly coordinated cyber espionage campaign targeted a government organization in Southeast Asia throughout 2025. The operation involved three distinct activity clusters, all of which show alignment with Chinese state-sponsored APT groups. According to The Hacker News, the operation is characterized by its technical complexity and the breadth of the malware arsenal deployed against the target. The presence of multiple clusters points to a well-resourced effort, possibly involving shared tooling or collaborative targeting of the kind now typical of Chinese APT operations.

Analysis of China-linked APT clusters targeting Southeast Asian government

The campaign is structured around three primary clusters that used a variety of specialized malware families to maintain persistence and facilitate data exfiltration. The first cluster focused heavily on initial access and internal propagation through HIUPAN, a malware family also tracked as USBFect, MISTCLOAK, or U2DiskWatch. This tool is designed to spread via removable media, allowing attackers to cross air-gapped or restricted network segments. To defend against this vector, SOC teams must be able to detect HIUPAN's USB propagation by monitoring for unusual file creation on removable drives and for unauthorized execution of binaries from external devices.
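The two detection conditions just described (executables written to removable media, and binaries launched from removable media) as a small rule over Sysmon-style events. This is an added example, not the article's or any vendor's code; the field names follow the Sysmon schema (EventID 1 process creation, EventID 11 file creation, Image, TargetFilename), the sample events are constructed, and the set of removable drive letters is assumed to come from a host inventory (for instance Win32_LogicalDisk entries with DriveType 2).

```python
"""Flag removable-media staging and execution in Sysmon-style events.

Sample records below are constructed for illustration; they are not
telemetry from the campaign described above.
"""
import ntpath

# Extensions that count as "executable" when written to a removable drive.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd", ".vbs", ".js"}


def is_on_drives(path, drive_letters):
    """True if the Windows path's drive component is one of drive_letters."""
    drive = ntpath.splitdrive(path)[0].upper()
    return drive in {d.upper() for d in drive_letters}


def classify(event, removable_drives):
    """Return (label, path) for a matching event, or None if it is benign."""
    eid = event.get("EventID")
    if eid == 1:  # Sysmon process creation: binary launched from removable media
        image = event.get("Image", "")
        if is_on_drives(image, removable_drives):
            return ("exec_from_removable", image)
    elif eid == 11:  # Sysmon file creation: executable staged onto removable media
        target = event.get("TargetFilename", "")
        ext = ntpath.splitext(target)[1].lower()
        if ext in EXEC_EXTENSIONS and is_on_drives(target, removable_drives):
            return ("executable_written_to_removable", target)
    return None


def detect(events, removable_drives):
    """Return (event_index, label, path) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        hit = classify(ev, removable_drives)
        if hit:
            hits.append((i,) + hit)
    return hits


SAMPLE_EVENTS = [  # constructed; E: is the removable drive in this scenario
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"E:\Documents\report.docx"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "TargetFilename": r"E:\update.exe"},
    {"EventID": 1, "Image": r"E:\update.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, ["E:"]):
        print(hit)
```

Only the document write to E: passes silently; the executable staged onto E: and its later launch are both flagged, which is the pairing a HIUPAN-style propagation would produce.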

The second cluster employed PUBLOAD and MASOL. PUBLOAD is a sophisticated stager frequently observed in regional espionage campaigns, often used to download and execute secondary payloads. MASOL functions as a loader, providing the attackers with a modular framework to deploy additional tools based on the specific environment of the compromised host. The interaction between these clusters suggests a multi-stage lateral movement strategy in which initial footholds are established by one cluster and then handed off to others for deeper exploitation.

EggStremeFuel malware analysis and mitigation

The third cluster introduced more specialized payloads, specifically EggStremeFuel (also known as RawCookie) and EggStremeLoader (referred to as Gorem RAT). These tools are engineered to establish long-term C2 communication and provide the attackers with interactive remote access. EggStremeFuel acts as a flexible backdoor, allowing for the execution of arbitrary commands and the exfiltration of sensitive government documents.

Defenders should map these activities against the MITRE ATT&CK framework, specifically focusing on the use of valid accounts and custom loaders for persistence. Detection strategies for EggStremeLoader require monitoring for anomalous network beacons and the presence of unauthorized services that do not align with standard administrative operations.

Actionable Recommendations

To counter these sophisticated threats, organizations must move beyond traditional signature-based defenses and adopt a Zero Trust architecture that limits the impact of a single compromised host. The use of USB-based spreading by HIUPAN underscores the necessity of hardware-level controls and the disabling of AutoRun features across all workstations.

  • Deploy advanced EDR solutions to monitor for the process-injection techniques used by MASOL and EggStremeLoader.
  • Implement strict application whitelisting to prevent the execution of unrecognized binaries from temporary directories or removable media.
  • Segment internal networks to prevent the rapid lateral spread of PUBLOAD-based stagers.
  • Audit all administrative accounts to ensure that nation-state actors cannot leverage existing credentials for persistent access.
