Three groups of threat actors linked to China have targeted a government agency in Southeast Asia. HIUPAN, PUBLOAD, EggStremeFuel, TrackBak Stealer, RawCookie, Hypnosis Loader, and FluffyGh0st are some of the malware families used in the campaigns.
The following clusters are responsible for the activity: Mustang Panda (also known as Stately Taurus), from June to August 2025; CL-STA-1048, which is part of the Earth Estries and Crimson Palace clusters, from March to September 2025; and CL-STA-1049, which is part of a publicly known cluster called Unfading Sea Haze, in April and August 2025.
"Significant overlap in tactics, techniques, and procedures (TTPs) with known China-aligned campaigns suggests the clusters and threat group have a common target of interest," Palo Alto Networks Unit 42 researchers said in a blog post on Monday. Researchers said that the attackers' methods show that they wanted to get long-term, permanent access to sensitive government networks, not just cause problems. Unit 42 said, "The convergence of these activity clusters points to a coordinated effort to achieve a common strategic goal."
They also said that it is not clear how the threat groups gained initial access in the attacks. The threat actor first used Claimloader in late 2022, in attacks on government organizations in the Philippines.
It can download and upload files, record keystrokes, tunnel packets, and retrieve port-mapping information.






