Espionage Campaigns Deploy Multiple RATs and USB‑Propagated Malware Against a Southeast Asian Government Agency
What Happened — Unit 42 uncovered three concurrent cyber‑espionage clusters targeting a Southeast Asian government entity. The groups used a mix of USB‑borne malware (USBFect/PUBLOAD), custom loaders (EggStreme, Hypnosis), and several Remote Access Trojans (Masol, Gorem, FluffyGh0st) to establish persistent footholds and exfiltrate data.
Why It Matters for TPRM —
- Persistent access tools can be leveraged against third‑party vendors that support the agency, expanding the attack surface.
- Overlap with China‑aligned TTPs suggests state‑backed motives, raising geopolitical risk for supply‑chain partners.
- USB‑borne vectors bypass network defenses, highlighting the need for endpoint hygiene across all contractors.
Who Is Affected — Government ministries, public‑sector contractors, and any third‑party service providers with network connectivity to the targeted agency.
Recommended Actions —
- Verify that all vendors enforce strict USB device controls and endpoint detection.
- Review threat‑intel feeds for the listed RATs and loaders; update detection signatures.
- Conduct a supply‑chain risk assessment focusing on any entities with access to the agency’s network.
Technical Notes — The campaign employed:
- USBFect (HIUPAN) delivering the PUBLOAD backdoor via infected removable media.
- EggStremeFuel backdoor and the EggStreme loader, used to install the Gorem RAT, which includes keylogging capability.
- Custom “Hypnosis” loader delivering FluffyGh0st RAT.
- TrackBak stealer for credential and file theft.