Three Chinese-aligned threat groups launched a sophisticated, well-funded campaign against a government entity in Southeast Asia throughout much of 2025. This coordinated effort utilized an extensive array of custom malware and remote access trojans to infiltrate and maintain control over the target's infrastructure.
A series of highly coordinated cyber operations targeted a Southeast Asian government body throughout 2025, involving three distinct activity clusters linked to Chinese interests. Security researchers characterized the intrusion as a complex and well-resourced initiative designed for long-term persistence and data collection. The multi-pronged approach suggests a high level of strategic intent and resource allocation directed at the regional organization.
The first phase of the operation was dominated by the group known as Mustang Panda, which focused its efforts between June and August 2025. This cluster is recognized for its consistent targeting of government entities across the region. During this period, the attackers deployed various tools to establish a foothold and begin the process of exfiltrating sensitive information from the organization's network.
Simultaneously, a second cluster identified as CL-STA-1048 operated from March through September 2025. This group shares significant characteristics with publicly tracked entities often called Earth Estries or Crimson Palace. Its involvement expanded the scope of the breach: the cluster used a diverse set of malware families, such as MASOL RAT and TrackBak Stealer, to monitor internal communications and harvest credentials.
The third cluster, designated as CL-STA-1049 and overlapping with the Unfading Sea Haze moniker, was active during peak periods in April and August 2025. The interplay between these three groups resulted in a saturated environment where multiple malware families, including USBFect and RawCookie, were deployed across the victim’s systems. The use of varied loaders and stealers ensured that if one method of access was discovered, others remained operational.
By utilizing such a vast repertoire of malicious software, the actors demonstrated a capability to adapt to defensive measures and maintain a constant presence. The overlapping timelines and shared objectives of these clusters highlight the persistent nature of the threat landscape facing Southeast Asian government institutions. This operation underscores the necessity for robust, multi-layered cybersecurity defenses to counter such determined and well-funded adversaries.
Source: https://advisories.checkpoint.com/defense/advisories/public/2018/cpai-2018-0711.html/