Suspected Chinese espionage campaign targets Southeast Asian govt with advanced malware

Palo Alto Networks’ Unit 42 researchers have discovered a series of cyberespionage campaigns targeting a government organization in Southeast Asia, using multiple malware families and techniques to maintain long-term access. The investigation began when the researchers examined activity linked to the Stately Taurus group that leveraged USB-based malware called USBFect, aka HIUPAN.

USBFect spreads through removable drives such as USB devices. Once inside a system, it installs its components, monitors for new removable drives, and copies itself onto them to continue spreading. It uses a loader called ClaimLoader to inject the PUBLOAD backdoor directly into memory. PUBLOAD communicates with command-and-control servers, receives encoded instructions, and executes them in memory without writing files to disk.

During the same period, researchers discovered two additional activity clusters, named CL-STA-1048 and CL-STA-1049. The two clusters used different malware tools but shared the same goal: gaining and maintaining access to the target network.

Researchers detected malicious DLL files linked to the CoolClient loader. The loader uses anti-disassembly techniques to make analysis harder and is built on the HP-Socket C++ library, allowing it to support multiple communication protocols. Its limited execution features suggest it is used mainly for tunneling or collecting information before further attacks.

“CoolClient activity was distinct from PUBLOAD infections. However, we confirmed that the specific anti-disassembly technique used by the CoolClient loader samples we found is identical to that used by USBFect/HIUPAN. This supports our attribution of CoolClient activity to Stately Taurus, suggesting it was another attempt by the group to secure access,” the report noted.

The CL-STA-1048 cluster used a wide range of tools, likely to avoid detection by security systems. One of them was EggStremeFuel, a lightweight TCP-based backdoor written in C. Attackers also deployed Masol RAT, an HTTP-based remote access trojan, along with EggStreme Loader. The latter uses tools like DarkLoadLibrary and libpeconv to run the Gorem RAT entirely in memory, including keylogging functions.

About 40 minutes after deploying Masol RAT, researchers observed another tool called TrackBak, disguised as a Microsoft Edge log file. TrackBak is a data-stealing tool that records keystrokes, collects clipboard data, gathers network information, and extracts files from infected systems.

In the CL-STA-1049 cluster, attackers used a novel Hypnosis loader to install the FluffyGh0st RAT.

“There are a number of links between CL-STA-1048 and China-affiliated activity. In particular, the use of both Masol RAT and EggStreme was publicly reported in relation to China-affiliated activity, such as Crimson Palace and Earth Estries,” the researchers said. “Chinese threat groups often share tooling, as well as tactics, techniques and procedures (TTPs) with each other. As such, we cannot state with certainty whether these public reports relate to the same group.”
