A threat actor known as CL-STA-1062, communicating in Chinese, has been targeting government bodies and crucial energy sectors throughout Southeast Asia. This campaign, which began in earnest in March 2022, escalated in 2025 with the deployment of a new backdoor named TinyRCT, blending open-source tools with custom malware.
Campaign Escalation in 2025
The cyber offensive intensified in September 2025 when the group infiltrated a Southeast Asian governmental network. Utilizing web shells, they extracted database records from an internal MSSQL server. From this initial breach, the attackers scanned adjacent government systems to identify lateral movement possibilities, thereby solidifying their presence.
By late 2025, the group had likely compromised at least ten organizations across the region. Researchers from Palo Alto Networks’ Unit 42 identified CL-STA-1062 as an entity previously monitored by Cisco Talos under a different name, UAT-7237. The group’s focus has shifted towards the energy and governmental sectors, hinting at a broader, ongoing strategy in the Asia-Pacific.
Advanced Techniques and Tools
CL-STA-1062 distinguishes itself by integrating freely available utilities with proprietary malware. They frequently employ tools like SoftEther VPN, Mimikatz, and VNT, disguising them as legitimate executables or system processes. The introduction of TinyRCT, a novel backdoor written in C#, signifies an escalation in their technological capabilities.
TinyRCT targets Windows systems, arriving via a seemingly legitimate Chrome installer. This installer, once executed, uses AppDomainManager Injection to stealthily load malicious code. The backdoor persists by checking its execution environment and establishing communication with a command-and-control server every ten seconds.
Implications for Critical Infrastructure
The focus on energy infrastructure underscores the campaign’s severity. The attackers have compromised two state-owned energy companies, exploiting vulnerabilities and deploying malicious software. Tactics include bundling tools in password-protected archives to evade detection.
In their operations, the attackers use traceroute for lateral movement mapping and JuicyPotato for privilege escalation. Evidence, including Simplified Chinese comments within the TinyRCT code, suggests involvement of Chinese-speaking actors.
Security teams in the region, particularly in the energy and government sectors, need to scrutinize binaries running from local directories and monitor for unusual scheduled tasks. Analyzing outbound traffic for regular beaconing and enforcing execution policies are critical defensive measures against such persistent threats.
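The beaconing check the article recommends, as an added example that is not part of the original report or Unit 42's tooling: it groups outbound connections by source and destination and flags pairs whose gaps are nearly constant, such as the ten-second interval attributed to TinyRCT. The flow log, field layout and IP addresses are constructed for the demonstration.

```python
"""Added example (not from the article or Unit 42): flag hosts whose outbound
connections to one destination recur at a near-constant interval."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log: "timestamp src dst:port". The 10.0.0.5 flows
# to 203.0.113.10:443 are spaced 10 s apart; the others are irregular browsing.
SAMPLE_FLOWS = """\
2025-09-01T08:00:00 10.0.0.5 203.0.113.10:443
2025-09-01T08:00:10 10.0.0.5 203.0.113.10:443
2025-09-01T08:00:20 10.0.0.5 203.0.113.10:443
2025-09-01T08:00:30 10.0.0.5 203.0.113.10:443
2025-09-01T08:00:40 10.0.0.5 203.0.113.10:443
2025-09-01T08:00:50 10.0.0.5 203.0.113.10:443
2025-09-01T08:00:03 10.0.0.7 198.51.100.20:443
2025-09-01T08:00:31 10.0.0.7 198.51.100.20:443
2025-09-01T08:00:35 10.0.0.7 198.51.100.20:443
2025-09-01T08:01:49 10.0.0.7 198.51.100.20:443
2025-09-01T08:02:02 10.0.0.7 198.51.100.20:443
2025-09-01T08:03:40 10.0.0.7 198.51.100.20:443
"""

def parse_flows(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_conns=5, max_jitter=0.1):
    """Return (src, dst, mean_interval) for pairs whose inter-connection
    gaps are nearly constant (coefficient of variation <= max_jitter)."""
    hits = []
    for (src, dst), times in parse_flows(text).items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every {interval}s")
```

Real implants usually add jitter, so in production the `max_jitter` threshold and the minimum connection count should be tuned against the environment's baseline rather than taken from this sample.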
As cyber threats evolve, continuous vigilance and robust security practices are essential to mitigate risks and protect critical infrastructures from sophisticated adversaries like CL-STA-1062.
