Espionage Attacks - Hackers Use USB Malware and RATs
In short: attackers used USB drives to spread malware and steal information from a Southeast Asian government.
Hackers have launched a cyberespionage campaign against a Southeast Asian government. Using USB malware and RATs, they aim to steal sensitive data. This coordinated attack poses significant risks to national security.
The Threat
A highly coordinated cyberespionage campaign has been uncovered, targeting a government organization in Southeast Asia. This operation, active between June and August 2025, involved multiple threat actors deploying a mix of USB-propagated malware, remote access trojans (RATs), and data stealers. The attackers aimed to secure long-term access to sensitive systems, indicating a serious threat to national security.
The campaign featured three distinct clusters of activity, all operating simultaneously within the same victim's network. Each cluster utilized different tools but shared the common goal of persistent access to high-value government targets. Notably, these clusters were strongly linked to China-aligned threat groups, highlighting the geopolitical implications of the attack.
Who's Behind It
The first cluster, attributed to Stately Taurus, employed a USB worm known as USBFect to disseminate the PUBLOAD backdoor across government endpoints. The second cluster, identified as CL-STA-1048, utilized a broader espionage toolkit, including the EggStremeFuel backdoor and the Masol RAT. The third, CL-STA-1049, took a stealthier approach with a newly identified loader called Hypnosis, deploying the FluffyGh0st RAT.
These coordinated efforts suggest that multiple threat actors may be sharing targets and infrastructure to achieve their objectives. The convergence of these groups against a single target underscores the well-resourced nature of this operation, raising alarms about the potential for extensive data theft and intelligence gathering.
Tactics & Techniques
The attackers employed sophisticated methods to maintain access and gather intelligence. They integrated keyloggers, clipboard stealers, and other data collection tools to monitor government activities without detection. For instance, TrackBak, a data theft tool, masqueraded as a Microsoft Edge log file while silently collecting sensitive information, including keystrokes and network data.
The use of USBFect as a primary infection vector is particularly concerning. The worm copies itself to any system a compromised USB drive is connected to, and it disguises its files under familiar Windows paths, which makes the infection hard to tell apart from legitimate activity. This stealthy approach allows attackers to maintain a long-term presence within the network, enabling continuous monitoring and data collection.
Defensive Measures
Organizations handling sensitive government data must take immediate action to mitigate these threats. Key recommendations include:
- Disable AutoRun for removable storage devices to prevent automatic execution of malware.
- Enforce strict USB access policies to limit exposure to potential infections.
- Monitor for unusual DLL loading in directories that mimic legitimate system paths, as this could indicate malicious activity.
Additionally, applying behavioral detection techniques can help flag in-memory shellcode execution. Keeping endpoint telemetry updated is crucial for catching these threats before they deliver their payloads. By staying vigilant and implementing robust security measures, organizations can protect themselves against such sophisticated cyberespionage campaigns.
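The third recommendation above, spotting DLLs loaded from directories that only look like system paths, can be scripted against image-load telemetry. The following is an added example written for this article, not code from the report or any vendor tool; the root and directory-name lists are assumptions a team would tune for its own estate, and the sample paths are constructed.

```python
# Roots Windows genuinely loads system and vendor DLLs from (assumed list for this example).
LEGIT_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Directory names attackers reuse so a staging folder looks like a Windows or Microsoft path.
SYSTEM_LOOKING = {"windows", "system32", "syswow64", "winsxs", "microsoft"}
# User-writable trees where any DLL load deserves a second look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def classify_dll_load(image_path):
    """Return a reason string if a DLL path mimics a system location, else None."""
    raw_parts = image_path.replace("/", "\\").split("\\")
    # Tampering tricks: padded components ('Windows ') or non-ASCII lookalike letters.
    for part in raw_parts:
        if part != part.strip():
            return "whitespace-padded path component"
        if not part.isascii():
            return "non-ASCII lookalike character in path"
    cleaned = "\\".join(p.lower() for p in raw_parts if p)
    if cleaned.startswith(LEGIT_ROOTS):
        return None  # a genuine system or vendor directory
    directories = set(cleaned.split("\\")[:-1])  # directories only, not the file name
    if directories & SYSTEM_LOOKING:
        return "system-looking directory outside a real system root"
    if cleaned.startswith(USER_WRITABLE):
        return "DLL loaded from a user-writable location"
    return None


def flag_dll_loads(image_paths):
    """Run classify_dll_load over a batch of image-load paths and keep the hits."""
    return [(p, classify_dll_load(p)) for p in image_paths if classify_dll_load(p)]


# Constructed sample image-load paths (not real telemetry).
SAMPLE_LOADS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\AppData\Roaming\Windows\System32\log.dll",
    r"C:\Windows \System32\ntdll.dll",
    r"C:\ProgramData\updater\helper.dll",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll",
]

if __name__ == "__main__":
    for path, reason in flag_dll_loads(SAMPLE_LOADS):
        print(f"{reason}: {path}")
```

Feed it the ImageLoaded field from whatever image-load source the EDR or Sysmon pipeline already produces; three of the five constructed paths are flagged, the two genuine system and vendor paths are not.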
Cyber Security News