Back to Intelligence

How to Defend Against HIUPAN and Gorem RAT: Mitigating the 2025 China-Linked Cyber Campaign

SA
Security Arsenal Team
March 31, 2026
6 min read

Recent intelligence reports have uncovered a sophisticated cyber campaign orchestrated by three China-linked threat clusters targeting a government organization in Southeast Asia. Described as a "complex and well-resourced operation," this campaign highlights the evolving tactics of nation-state actors utilizing a diverse malware arsenal, including HIUPAN (USBFect), PUBLOAD, EggStremeFuel (RawCookie), EggStremeLoader (Gorem RAT), and MASOL.

For security operations centers (SOCs) and IT defenders, this campaign serves as a critical reminder of the risks associated with supply chain attacks, lateral movement via removable media, and credential theft. This post analyzes the technical components of this threat and provides actionable detection rules and remediation strategies to harden your defenses.

Technical Analysis

The 2025 campaign is notable for its use of multiple malware families working in concert to compromise and maintain access to target networks:

  • HIUPAN (USBFect / MISTCLOAK): A particularly insidious worm designed to propagate via removable USB drives. By infecting USB storage, HIUPAN can bypass network perimeter defenses and air-gapped environments, making it a potent tool for initial access and lateral movement within highly segmented government networks.
  • PUBLOAD: A loader malware used to deploy additional payloads. Its primary function is to establish a foothold and facilitate the execution of further malicious modules.
  • EggStremeLoader (Gorem RAT): A Remote Access Trojan (RAT) that provides attackers with comprehensive control over infected hosts. Gorem RAT allows for command execution, file manipulation, and surveillance, effectively giving the operator hands-on-keyboard capabilities.
  • EggStremeFuel (RawCookie): An information stealer specifically targeting browser cookies. By stealing session cookies, attackers can bypass multi-factor authentication (MFA) and gain unauthorized access to web applications and services without needing credentials.
  • MASOL: Another payload component used to maintain persistence or perform specific espionage-related tasks.

The severity of this campaign lies in its combination of physical propagation vectors (USB) and high-impact digital espionage tools (RATs and stealers). Defenders must assume that traditional perimeter defenses may be bypassed via USB and must focus on endpoint detection and credential hygiene.

Defensive Monitoring

To detect the activities associated with these threat clusters, security teams should implement the following detection rules. We have provided SIGMA rules for broad compatibility, KQL for Microsoft Sentinel/Defender, and Velociraptor VQL for endpoint hunting.

SIGMA Rules

YAML
---
title: Suspicious DLL Loading via Rundll32
id: e7f1b9d2-3c4a-4f5b-9e8d-1a2b3c4d5e6f
status: experimental
description: Detects rundll32.exe executing a DLL export, a technique commonly used by loaders like EggStremeLoader (Gorem RAT) and PUBLOAD to execute malicious code.
references:
  - https://thehackernews.com/2026/03/three-china-linked-clusters-target.html
author: Security Arsenal
date: 2026/03/15
tags:
  - attack.defense_evasion
  - attack.t1218.011
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains:
      - '.dll,'
      - '.dll #'
      - '.dll ,#'
  filter_main:
    CommandLine|contains:
      - 'DllRegisterServer'
      - 'DllUnregisterServer'
      - 'Windows\System32\'
  condition: selection and not filter_main
falsepositives:
  - Legitimate software installations
  - System updates
level: medium
---
title: Browser Cookie File Access by Non-Browser Process
id: b8f2e4a1-5d6c-4e9f-a8b3-2c4d6e8f0a1b
status: experimental
description: Detects non-browser processes accessing browser cookie databases, indicative of info-stealers like EggStremeFuel (RawCookie) attempting to harvest session tokens.
references:
  - https://thehackernews.com/2026/03/three-china-linked-clusters-target.html
author: Security Arsenal
date: 2026/03/15
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Microsoft\Edge\User Data\Default\Cookies'
      - '\Mozilla\Firefox\Profiles\'
  filter_main:
    Image|contains:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\opera.exe'
  condition: selection and not filter_main
falsepositives:
  - Backup software accessing profiles
  - Antivirus scans
level: high

KQL Queries (Microsoft Sentinel/Defender)

To hunt for Gorem RAT and cookie stealing activity in Microsoft Sentinel or Defender for Identity:

KQL — Microsoft Sentinel / Defender
// Detect suspicious rundll32 execution patterns (Loader detection)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has ".dll" and (ProcessCommandLine has ",#" or ProcessCommandLine has ", #")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend IOCPayload = ProcessCommandLine
| order by Timestamp desc


// Detect non-browser processes accessing Chrome Cookies (InfoStealer detection)
DeviceFileEvents
| where Timestamp > ago(24h)
| where TargetFileName has @"\Google\Chrome\User Data\Default\Cookies"
| where InitiatingProcessFileName !in ("chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "backup.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, TargetFileName, ActionType
| order by Timestamp desc

Velociraptor VQL

Hunt for the presence of the HIUPAN USB worm or suspicious loader activity on endpoints:

VQL — Velociraptor
-- Hunt for suspicious LNK files often dropped by USB worms like HIUPAN
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="C:\Users\*\*.lnk")
WHERE Mtime < now() - -24h
  -- HIUPAN often creates LNK files with specific modified timestamps or in unusual locations
  AND Name =~ @"^[0-9]{1,3}.lnk" OR Name =~ @"^[a-zA-Z]{3}.lnk"

-- Hunt for Gorem RAT/PUBLOAD persistence via Rundll32
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ "rundll32"
  AND CommandLine =~ @",#[0-9]"
  AND Exe NOT =~ @"C:\Windows\System32\"

PowerShell Remediation Script

Run this script on critical workstations to audit for recent suspicious LNK file creation activity associated with USB worms:

PowerShell
# Audit for recently created LNK files in user profiles (Potential HIUPAN activity)
$DateThreshold = (Get-Date).AddDays(-7)
$UserProfiles = Get-ChildItem "C:\Users" -Directory

foreach ($Profile in $UserProfiles) {
    $Path = $Profile.FullName
    Write-Host "Scanning $Path for recent LNK files..."

    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.LastWriteTime -gt $DateThreshold } | 
    Select-Object FullName, LastWriteTime, Length | 
    Export-Csv -Path "C:\Temp\RecentLNK_Audit.csv" -NoTypeInformation -Append
}

Write-Host "Audit complete. Results saved to C:\Temp\RecentLNK_Audit.csv"

Remediation

To protect your organization from the HIUPAN, Gorem RAT, and associated malware families, implement the following defensive measures:

  1. Restrict USB Usage: The primary vector for HIUPAN is removable media. Enforce a policy restricting the use of unauthorized USB devices. Consider using application control (e.g., AppLocker) to block execution of binaries from removable drives, or disable USB mass storage entirely on sensitive endpoints via Group Policy.

  2. Application Allowlisting: Implement strict allowlisting policies (e.g., Windows Defender Application Control) to prevent unauthorized executables, loaders, and scripts from running. Gorem RAT and PUBLOAD often rely on running suspicious binaries from non-standard paths.

  3. Browser Hardening: To mitigate EggStremeFuel (RawCookie), enforce enterprise browser security policies. Disable saving passwords and cookies on endpoints, or use secure enterprise browsers that isolate session data. Encourage the use of hardware-bound MFA (e.g., FIDO2) which is harder to bypass using stolen cookies.

  4. Network Segmentation: Limit lateral movement by segmenting networks. Ensure that workstations in high-security zones cannot communicate freely with general-purpose zones or the internet without strict inspection.

  5. Patch Management: While this campaign relies heavily on social engineering and USB propagation, ensuring all systems are fully patched prevents the actors from exploiting vulnerabilities for privilege escalation or initial access.

  6. User Awareness: Train employees to recognize phishing attempts and the dangers of inserting unknown USB drives found in parking lots or received via mail.

By implementing these detection rules and remediation steps, security teams can significantly reduce the risk of compromise from these advanced persistent threats.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

socthreat-intelmanaged-socaptmalwarethreat-huntingwindowsusb-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action