Three China-linked clusters target Southeast Asian government in 2025 cyber campaign

April 3, 2026 · 6 min read · 2 sources

Introduction

A sophisticated, year-long cyber espionage campaign targeting a government organization in Southeast Asia has been attributed to three distinct but coordinated threat clusters aligned with the People's Republic of China. The operation, active throughout 2025 and detailed in a March 2026 report from Palo Alto Networks Unit 42, demonstrates a high level of resourcefulness and strategic intent. By deploying a diverse arsenal of custom malware, the attackers achieved deep, persistent access, aiming to exfiltrate sensitive state secrets.

Researchers at Unit 42 have labeled the three activity clusters as Velvet Ant, Smoky Lynx, and Gilded Cat. Their coordinated actions point to a well-orchestrated state-sponsored intelligence-gathering effort, underscoring the persistent cyber threats facing nations in geopolitically sensitive regions.

Technical analysis: A multi-pronged assault

The campaign's success relied on a multi-phase approach, with each threat cluster appearing to handle specific aspects of the attack lifecycle. This division of labor makes attribution more complex and defense significantly more difficult, as security teams must contend with multiple sets of tactics, techniques, and procedures (TTPs) simultaneously.

The Actors and Their Tools

The operation was not the work of a single group but a coalition of actors using a shared or complementary toolkit. This structure allows for specialization and resilience, ensuring the campaign can continue even if one cluster's activities are detected.

  • Velvet Ant: This cluster was responsible for initial access and establishing a foothold. Its primary tools included HIUPAN and PUBLOAD malware. The use of HIUPAN, a known USB-borne threat, suggests a focus on compromising systems through removable media. This is a potent vector for reaching networks that may be segmented or air-gapped from the public internet. PUBLOAD likely served as a first-stage loader, designed to download more capable malware once inside the network.
  • Smoky Lynx: Once initial access was gained, Smoky Lynx took over for post-compromise activities. This cluster deployed EggStremeFuel (also known as RawCookie) and EggStremeLoader (Gorem RAT). EggStremeLoader is a full-featured Remote Access Trojan (RAT), giving attackers complete control over an infected machine. Its capabilities include executing commands, logging keystrokes, capturing screenshots, and exfiltrating files. EggStremeFuel likely acted as a specialized reconnaissance tool, gathering credentials and system information to facilitate lateral movement.
  • Gilded Cat: The role of Gilded Cat appears more specialized, focused on deploying the MASOL backdoor. This malware could have been used for maintaining long-term persistence, moving laterally to other high-value systems, or targeting specific datasets within the compromised government network.

A Diverse Malware Arsenal

The malware families deployed in this campaign are a mix of established and custom tools, indicative of a well-resourced adversary.

  • HIUPAN (aka USBFect): A worm that spreads through USB drives. It typically copies itself to removable media and creates autorun files to execute when the device is connected to a new computer. Its primary function is to bridge air gaps and spread infection internally.
  • PUBLOAD: A lightweight downloader used to establish a connection with a command-and-control (C2) server and pull down second-stage payloads like a RAT.
  • EggStremeLoader (aka Gorem RAT): The campaign's primary espionage tool. As a RAT, it provides attackers with hands-on-keyboard access to compromised systems, allowing them to explore the network, identify valuable data, and exfiltrate it covertly.
  • EggStremeFuel & MASOL: These appear to be supporting backdoors and information stealers, providing redundancy and specialized capabilities for data collection and maintaining access.

While the initial access vector was not definitively confirmed in public reporting, the presence of HIUPAN points strongly to the use of infected USB drives. Other common vectors for such groups include spear-phishing emails with malicious attachments and the exploitation of unpatched vulnerabilities in public-facing servers (Source: Palo Alto Networks Unit 42, March 2026).

Impact assessment: A strategic intelligence coup

The primary target was a single, unnamed government organization in Southeast Asia. The strategic nature of the targeting suggests the victim is likely involved in defense, foreign policy, or economic planning. The impact of such a breach is severe and multifaceted.

National Security Compromise: The exfiltration of classified documents, diplomatic communications, military plans, or economic strategies provides the attackers' state sponsor with a significant strategic advantage. This intelligence can inform foreign policy decisions, influence negotiations related to territorial disputes like the South China Sea, and expose the victim nation's security weaknesses.

Long-Term Espionage: The TTPs observed indicate the goal was not disruption but long-term intelligence gathering. By maintaining persistent, low-and-slow access, the attackers could monitor internal government communications and policy-making in real time, effectively placing a spy inside the victim's digital infrastructure.

Erosion of Trust: A breach of this magnitude can undermine trust between government agencies and with international allies. If diplomatic cables are compromised, it can damage foreign relations and complicate sensitive negotiations.

How to protect your organization

Defending against a well-resourced, multi-pronged attack requires a defense-in-depth strategy. Organizations, particularly in government and critical infrastructure, should implement the following measures:

  1. Control Removable Media: Enforce strict policies on the use of USB drives and other removable media. Use endpoint security solutions to scan all such devices automatically and consider disabling autorun features entirely.
  2. Network Segmentation: Divide your network into smaller, isolated segments. This contains the spread of malware like HIUPAN and makes it harder for attackers to move laterally from a less-critical system to a high-value server.
  3. Advanced Endpoint Protection: Deploy an Endpoint Detection and Response (EDR) solution. EDR tools can detect malicious behaviors associated with RATs like EggStremeLoader, even if the malware's signature is unknown.
  4. Vulnerability and Patch Management: Aggressively scan for and patch vulnerabilities, especially on internet-facing systems like web servers and VPN concentrators. This closes off common initial access vectors.
  5. Enhance Communications Security: Ensure all sensitive internal and external communications are protected with strong encryption. Mandate the use of secure channels and consider deploying a trusted VPN service for remote access to limit exposure.
  6. User Training and Awareness: Educate employees to recognize spear-phishing attempts and understand the risks associated with using unvetted removable media. A vigilant workforce is a critical line of defense.
  7. Threat Intelligence Integration: Subscribe to and operationalize threat intelligence feeds. Integrating Indicators of Compromise (IOCs) from reports like the one on this campaign into your security tools can enable early detection.
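As an added example (not code from Unit 42 or from this article), the Python below implements the removable-media check that items 1 and 2 above call for against the autorun behaviour described for HIUPAN: it parses an autorun.inf at a drive root, flags launch keys that point at an executable, and reports whether the referenced payload is still on the drive. The mock drive, directory names and autorun.inf contents are constructed sample data, not real indicators.

```python
import configparser
import tempfile
from pathlib import Path

# [autorun] keys that launch a program when AutoRun/AutoPlay is enabled.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command"}
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif"}

def parse_autorun(text: str) -> dict:
    """Return lower-cased key/value pairs from the [autorun] section of an autorun.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    try:
        cp.read_string(text)
    except configparser.Error:  # malformed file: nothing to report from this parser
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}

def autorun_findings(root: Path) -> list:
    """Flag an autorun.inf at the drive root whose launch keys point at an executable."""
    findings = []
    inf = root / "autorun.inf"
    if not inf.is_file():
        return findings
    for key, value in parse_autorun(inf.read_text(encoding="utf-8-sig", errors="ignore")).items():
        if key not in EXEC_KEYS or not value.strip():
            continue
        target = value.strip().split()[0].strip('"')  # drop arguments and quotes
        rel = target.replace("\\", "/")               # Windows path -> portable path
        if Path(rel).suffix.lower() in EXEC_SUFFIXES:
            present = (root / rel).is_file()          # is the payload still on the drive?
            findings.append(f"{key}={target} (payload present: {present})")
    return findings

def demo_findings(benign: bool = False) -> list:
    """Scan a constructed mock drive in a temp dir (sample data, not real indicators)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        if benign:
            (root / "autorun.inf").write_text("[AutoRun]\nlabel=Field Docs\nicon=docs.ico\n")
        else:
            (root / "RECYCLER").mkdir()
            (root / "RECYCLER" / "update.exe").write_bytes(b"MZ placeholder")
            (root / "autorun.inf").write_text(
                "[AutoRun]\nopen=RECYCLER\\update.exe\naction=Open folder to view files\n"
                "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
        return autorun_findings(root)
```

In practice the same scan would run against the mount point of each newly attached removable drive, with disabling AutoRun via policy remaining the primary control.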

This campaign is a clear signal that state-sponsored espionage remains a persistent threat. The coordination between Velvet Ant, Smoky Lynx, and Gilded Cat highlights an operational maturity that demands an equally sophisticated and layered defensive posture from potential targets.


// FAQ

What are threat activity clusters?

Threat activity clusters are collections of cyber intrusions, tools, and infrastructure that share common characteristics, suggesting they are operated by a single threat actor or a coordinated group. Security researchers use clusters like Velvet Ant and Smoky Lynx to track adversary campaigns even before they can be attributed to a named APT group.

Why are Southeast Asian governments frequent targets for cyber espionage?

Southeast Asia is a region of immense geopolitical and economic importance. Nations there are involved in territorial disputes (e.g., the South China Sea), are key partners in global trade, and are central to initiatives like China's Belt and Road. Intelligence from their governments provides a strategic advantage in diplomacy, military planning, and economic competition.

What makes the HIUPAN (USBFect) malware dangerous?

HIUPAN is a worm that spreads via USB drives. Its primary danger lies in its ability to compromise systems that are not directly connected to the internet, a technique known as 'air-gap jumping.' This makes it highly effective for infiltrating secure, segmented government or industrial networks.

How can an organization defend against a multi-cluster attack?

Defending against coordinated attacks requires a multi-layered security approach, often called 'defense-in-depth.' This includes technical controls like network segmentation and endpoint detection, administrative controls like strict USB policies, and proactive measures like integrating threat intelligence and continuous employee training.
