The Triple-Headed Dragon: Inside the Three-Cluster Chinese Cyberespionage Campaign Targeting SE Asia

Unit 42 exposed a large, persistent cyberespionage campaign targeting a high-value Southeast Asian government organization, operated by three concurrent activity clusters linked to China-aligned threat actors. The clusters used USBFect/PUBLOAD via infected removable media, a multi-payload toolkit including EggStremeFuel and Masol/Gorem/TrackBak, and the Hypnosis loader delivering FluffyGh0st to maintain stealthy, long-term data exfiltration. #USBFect #PUBLOAD #FluffyGh0st #StatelyTaurus

Key points

  • Unit 42 identified a sustained, well-resourced cyberespionage campaign against a Southeast Asian government target.
  • The operation consisted of three parallel clusters, so that access persisted even if one intrusion vector was closed.
  • Stately Taurus used infected USB drives and the USBFect (HIUPAN) worm to deploy the PUBLOAD backdoor and exfiltrate data with a fake TLS header.
  • CL-STA-1048 deployed diverse tooling (EggStremeFuel, Masol RAT, Gorem RAT and TrackBak) to bypass XDR and establish footholds.
  • CL-STA-1049 used the Hypnosis DLL side-loading technique against a Bitdefender executable to quietly deploy the FluffyGh0st RAT for stealthy persistence.

Read More: https://securityonline.info/stately-taurus-southeast-asia-cyberespionage-three-clusters-unit-42/