CL-STA-1048

CL-STA-1048 is a China-linked threat activity cluster observed targeting a Southeast Asian government organization from March to September 2025 as part of a broader cyberespionage campaign. Unit 42 reported that the cluster overlaps with publicly documented activity tracked as Earth Estries, also known as Salt Typhoon, and Crimson Palace. The cluster was assessed to be part of an operation focused on gaining long-term persistent access to sensitive government networks and exfiltrating data. Observed CL-STA-1048 tooling included EggStremeFuel, EggStreme Loader (also called Gorem RAT), Masol RAT, TrackBak, and RawCookie. EggStremeFuel/RawCookie was described as a lightweight backdoor using RC4-encrypted command-and-control configuration and supporting file upload and download, directory enumeration, reverse shell control, IP reporting, and C2 configuration updates. EggStreme Loader was used as part of the EggStreme framework to launch Gorem RAT in memory; reported capabilities included extensive backdoor functionality, with one variant supporting file transfer over Dropbox. Masol RAT provided backdoor access, arbitrary command execution, file upload and download, keylogging, configuration updates, and in-memory payload execution. TrackBak was used to steal keystrokes, clipboard data, network information, logs, and files from drives. The cluster employed a multi-payload strategy and stealthy DLL sideloading techniques to maintain access and evade detection. Researchers noted that the use of diverse and sometimes noisy tooling suggested a determined effort to establish a foothold. The exact initial access vector for CL-STA-1048 was not identified in the reporting.