Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

    Date: 03/27/2026

    Severity: High

    Summary

    Researchers uncovered multiple cyber-espionage campaigns targeting a single Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025) in which the USB-spread USBFect (HIUPAN) malware deployed a PUBLOAD backdoor. Two additional clusters, CL-STA-1048 and CL-STA-1049, were identified during the analysis. CL-STA-1048 used tooling such as EggStremeFuel, Masol RAT, EggStreme Loader (delivering Gorem RAT) and the TrackBak stealer, while CL-STA-1049 used the Hypnosis loader to deploy FluffyGh0st RAT. Tactics shared with China-aligned campaigns suggest coordinated efforts aimed at maintaining persistent access to the same target.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "laichingte.net" or url like "laichingte.net" or siteurl like "laichingte.net" or domainname like "webmail.homesmountain.com" or url like "webmail.homesmountain.com" or siteurl like "webmail.homesmountain.com" or domainname like "shepinspect.com" or url like "shepinspect.com" or siteurl like "shepinspect.com" or domainname like "fikksvex.com" or url like "fikksvex.com" or siteurl like "fikksvex.com" or domainname like "distrilyy.net" or url like "distrilyy.net" or siteurl like "distrilyy.net" or domainname like "webmail.rpcthai.com" or url like "webmail.rpcthai.com" or siteurl like "webmail.rpcthai.com" or domainname like "theuklg.com" or url like "theuklg.com" or siteurl like "theuklg.com" or domainname like "popnike-share.com" or url like "popnike-share.com" or siteurl like "popnike-share.com"

    Detection Query 2:

    dstipaddress IN ("120.89.46.135","103.15.29.17","103.131.95.107","109.248.24.177","103.122.164.106") or srcipaddress IN ("120.89.46.135","103.15.29.17","103.131.95.107","109.248.24.177","103.122.164.106")

    Detection Query 3:

    sha256hash IN ("4b29b74798a4e6538f2ba245c57be82953383dc91fe0a91b984b903d12043e92","74e7093615da36b28effb3aa6eef5a31e7ea59627bd619b488f087091e8d65e9","84e37e42312b9a502c40cf1f3fc181e3ebd4f3e35c58bbf182740dfe38d3b6b9","58ed0463d4cb393cd09198a6409591b39cae06bb0ba5f5d760186de88410f6b8","f07b2af21e3fab6af5166a44ca77ed0ebc7c9a3e623202a63d4c4492abce8d65","83f06fa37f1136f765f799851812f11060ab34df3b34bc61777acc59a30b4c6e","c47d55ad95a6c6ffac45c2b205e03bddadf5e36f55988599053b1fd0e49448a5","e61a1f4269e934481f6cb19576b3dbc434952b01445fd4e1ebc6906a1b449ef8","d4d753c6ea5c86a44c9a65cd0d4eaeabb072b19e0ef68ef7da3a879f689772c9","f62223c9750fb2edfd979a8cae204cb9ce5e0950b52a47b62f195cd05dd3e2fb","11c7728697d5ea11c592fee213063c6369340051157f71ddc7ca891f5f367720","05995284b59ad0066350f43517382228f7eee63cd297e787b2a271f69ecf2dfc","07bd506d2a8db98c2478ac11bb6c46d84f1aa84f4a9af643804ed857ad7399c3","1aa37a477c539edf25656a300002a28d4246ec83344422dd705b42d3443a2623","21fe238c462b2f22a7e97f1f06e4f12e8c6e5f3a6fffe671b671909b501fa537","2616dfadf8aa222303269eb7202c75e2a8fc5b05b6b63ae2cb7576b9a27733f9","29d4cc64c7c9b7ecd16d96e9c6dcde1fe22a4c2d202074aadf41cbcef494bc19","34bf325492614dd4d842ec24f22a402ab73908cb91a74846945eae4775290ff2","4e26aa1bb28874f0897ab9a08e61d4b99caaa395fe63cbe4398f7297371e388c","6745422717f0ccdf2ae3330d133945268d4cd21215adcf982400d82b38ebeeca","6caa78943939bd7518f5e7eaa44fa778d0db8b822e260d7fe281cf45513f82d9","6f4f76c7a2638087a0da6002cd2c76d1673305b1e850a1f4068f14755f59d45b","835795aa494021752f21fbef63c81227c1b934437a02aa1f2a258c9f60b0b7a3","851d57a2bf514202f54dafa1eb83a862653be7512b6e9535914b8d1d719d495f","e1672dab0daf1c84f14f7bb827851c27753da067490e10cd6144fe7873892fec","e9b52577091c8e25e91c485216de34d5a26ab707a10b1e5cd31ed7aa055939d3")
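The three queries above reduce to three matching rules: host-name indicators against domainname/url/siteurl fields, IP indicators against either address field, and SHA-256 indicators against a hash field. The following Python is an added example, not Gurucul's query engine or the advisory's own code; it implements those rules over constructed log records (dicts with the field names the queries use) and matches domains on label boundaries so that a bare substring test cannot fire on unrelated hosts.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory's detection queries (a subset of the hashes).
IOC_DOMAINS = {
    "distrilyy.net", "fikksvex.com", "laichingte.net", "popnike-share.com",
    "shepinspect.com", "theuklg.com", "webmail.homesmountain.com",
    "webmail.rpcthai.com",
}
IOC_IPS = {
    "103.15.29.17", "103.131.95.107", "103.122.164.106",
    "109.248.24.177", "120.89.46.135",
}
IOC_SHA256 = {
    "4b29b74798a4e6538f2ba245c57be82953383dc91fe0a91b984b903d12043e92",
    "74e7093615da36b28effb3aa6eef5a31e7ea59627bd619b488f087091e8d65e9",
}

def _host(value):
    """Reduce a bare hostname or a full URL to its lowercase host."""
    if "://" not in value:
        value = "//" + value          # let urlsplit treat it as a network location
    return (urlsplit(value).hostname or "").lower().rstrip(".")

def domain_hit(value):
    """True for an exact match or a subdomain of a listed domain.
    A plain substring test (what a LIKE '%theuklg.com%' would do) also fires
    on unrelated hosts such as nottheuklg.com, so match on label boundaries."""
    host = _host(value)
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)

def match_record(rec):
    """Return the numbers of the advisory's queries (1, 2, 3) a record satisfies."""
    hits = []
    if any(domain_hit(rec[f]) for f in ("domainname", "url", "siteurl") if rec.get(f)):
        hits.append(1)
    if any(rec.get(f) in IOC_IPS for f in ("srcipaddress", "dstipaddress")):
        hits.append(2)
    if (rec.get("sha256hash") or "").lower() in IOC_SHA256:   # hashes may be logged uppercase
        hits.append(3)
    return hits

# Constructed sample records for illustration, not real telemetry.
SAMPLE_LOGS = [
    {"url": "https://webmail.rpcthai.com/owa/", "dstipaddress": "203.0.113.5"},
    {"domainname": "cdn.theuklg.com"},
    {"domainname": "nottheuklg.com"},
    {"srcipaddress": "10.0.0.8", "dstipaddress": "103.15.29.17"},
    {"sha256hash": "4B29B74798A4E6538F2BA245C57BE82953383DC91FE0A91B984B903D12043E92"},
]
```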

    Reference:

    https://www.trendmicro.com/en_us/research/26/c/pawn-storm-targets-govt-infra.html


    Tags

    Malware, Backdoor, PUBLOAD, South Asia, Cyber Espionage, RAT, Stealer, China, Government Services and Facilities
