ID: 69e55d23-3c69-450c-b1be-27afb336613e
STIX ID: report--69e55d23-3c69-450c-b1be-27afb336613e
Threat Score: 88/100
Unit 42 uncovered cyberespionage campaigns (June–Aug 2025) targeting a Southeast Asian government organization. The campaigns used USB-propagated malware (USBFect/HIUPAN) and an espionage toolkit including multiple backdoors and loaders (EggStremeFuel, Masol RAT, EggStreme Loader delivering Gorem RAT, TrackBak stealer, and a Hypnosis loader deploying FluffyGh0st RAT). The investigation identified two activity clusters (CL-STA-1048 and CL-STA-1049) with overlapping TTPs and ties to publicly reported China-aligned campaigns, indicating efforts to establish persistent access and to steal credentials and data.
