A recent investigation by Unit 42 researchers has exposed a massive, persistent cyberespionage campaign targeting a high-value government organization in Southeast Asia. This isn’t just a single hacker at work; it is a “complex and well-resourced operation” involving three distinct activity clusters, all showing strong ties to China-aligned threat actors.
Between June and August 2025, these clusters operated in parallel, using a diverse arsenal of tools to ensure that if one door was closed, another remained wide open.

The first cluster, attributed with high confidence to the group Stately Taurus, relied on a classic but effective entry method: infected USB drives.
At the heart of this attack is USBFect (also known as HIUPAN), a worm designed to spread through removable media and deploy the PUBLOAD backdoor for lateral movement within the network. Once inside, PUBLOAD uses a fake TLS header to mask its communications while it exfiltrates system data.
“The malware stages these files to execute and propagate its payload via USB devices… [and] sends the information with a fake TLS header (17 03 03) over TCP,” reads the report.
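As an added defender-side illustration (not code from the Unit 42 report or from the malware), the Python heuristic below walks the TLS record layer of a TCP stream and flags a connection whose very first record is application data (17 03 03) with no preceding handshake, which is how the fake TLS header described above would look on the wire; the exfiltration blob and stream layout are constructed assumptions.

```python
import struct

# Minimal TLS record-layer walker used as a detection heuristic, not a full TLS parser.
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
CT_HANDSHAKE = 0x16
CT_APPDATA = 0x17


def walk_records(stream: bytes):
    """Yield (content_type, version, declared_len, actual_len) for each 5-byte record header."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, rlen = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + rlen]
        yield ctype, ver, rlen, len(body)
        off += 5 + rlen


def classify_tcp_stream(stream: bytes) -> str:
    """Verdict for the first bytes a client sends on a new TCP connection."""
    records = list(walk_records(stream))
    if not records:
        return "not_tls"
    ctype, ver, rlen, actual = records[0]
    if ver not in TLS_VERSIONS:
        return "not_tls"
    if ctype == CT_HANDSHAKE:
        return "tls_handshake"  # normal: ClientHello comes first
    if ctype == CT_APPDATA:
        # Application data as the first record means no handshake ever happened.
        if rlen != actual:
            return "fake_tls_truncated"  # declared length does not match the bytes on the wire
        return "fake_tls_no_handshake"
    return "tls_other"


def fake_tls_wrap(payload: bytes) -> bytes:
    """Build a record the way a fake-TLS sender would: 17 03 03 + length + raw data."""
    return bytes([CT_APPDATA]) + b"\x03\x03" + struct.pack("!H", len(payload)) + payload


# Constructed samples (assumptions, not real captures).
EXFIL_BLOB = b"HOST=WS-01;USER=analyst;OS=Win10\n"
FAKE_STREAM = fake_tls_wrap(EXFIL_BLOB)
# A real client opens with a Handshake record whose body starts with ClientHello (0x01).
REAL_STREAM = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for name, s in (("fake", FAKE_STREAM), ("real", REAL_STREAM)):
        print(name, classify_tcp_stream(s))
```

A sensor applying this to the first client packet of each flow to port 443 would surface the fake-TLS channel without needing to decrypt anything.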
While Stately Taurus was spreading through hardware, CL-STA-1048 was deploying a “wide variety of tools” designed to bypass modern security defenses (XDR). This group used a multi-payload strategy that included:
- EggStremeFuel: A lightweight backdoor used to upload and download files.
- Masol RAT: An HTTP-based Trojan that allows for arbitrary command execution.
- Gorem RAT: A comprehensive remote access tool delivered via the EggStreme Loader.
- TrackBak: A simple but effective infostealer that masquerades as an MS Edge log file to gather keylogs and clipboard data.
Researchers noted that the use of such “diverse and sometimes noisy tooling suggests a determined effort to establish a foothold”.
The final cluster, CL-STA-1049, focused on stealth and persistence. This group utilized a novel tool called the Hypnosis loader to deploy the FluffyGh0st RAT.
Hypnosis uses a clever “DLL side-loading” technique, hijacking a legitimate Bitdefender executable to run its malicious code. To prevent the legitimate app from crashing—which would tip off the user—it proxies the app’s functions and patches the host process to stay in an “infinite Sleep function” while the malware runs in the background. This ensures the main thread does not terminate while the malicious routine executes later.
The convergence of these three clusters—linked to groups like Unfading Sea Haze and campaigns like Crimson Palace—points toward a singular strategic objective. This wasn’t an attack meant to disrupt or destroy; it was a mission to stay hidden for as long as possible.
“Their primary goal was to continuously locate and exfiltrate data, as evidenced by the deployment of infostealers and comprehensive backdoors,” the report concludes. By using multiple overlapping methods, these adversaries ensured that their access to sensitive government secrets remained persistent and robust.