CL-STA-1062 Deploys TinyRCT Backdoor in Southeast Asia Attacks

A Chinese-speaking threat group, identified as CL-STA-1062, has been conducting a covert and aggressive cyber campaign targeting government agencies and critical energy infrastructure across Southeast Asia. Active since at least March 2022, the group intensified its operations throughout 2025, focusing on state-owned enterprises and deploying a combination of open-source tools and a custom backdoor named TinyRCT.

In September 2025, CL-STA-1062 infiltrated a Southeast Asian government network by deploying web shells and extracting database records from an internal MSSQL server. This initial breach enabled the attackers to scan adjacent government entities within the same country, seeking opportunities for lateral movement and deeper network penetration. By the end of 2025, the group had likely compromised at least ten organizations in the region.

Researchers at Unit 42, Palo Alto Networks’ threat intelligence division, have linked CL-STA-1062 to a cluster previously tracked by Cisco Talos as UAT-7237. This group had earlier targeted web hosting infrastructure in Taiwan during mid-2025. The shift towards energy and government sectors indicates a broader, sustained strategy across the Asia-Pacific region.

CL-STA-1062 distinguishes itself by blending widely available tools with proprietary malware. The group frequently uses SoftEther VPN and VNT for tunneling and Mimikatz for credential theft, often disguising these tools as legitimate VMware executables or trusted system processes. The introduction of TinyRCT, a custom backdoor written in C#, marks a significant escalation in the group's offensive capabilities and shows a willingness to build specialized tooling when off-the-shelf tools do not suffice.

TinyRCT Backdoor: Deployment and Functionality

TinyRCT is a lightweight remote access trojan built for Windows. It is delivered in a malicious archive named chrome_setup.zip, which contains a legitimate-looking Chrome installer alongside a concealed, malicious DLL. When the user runs the installer, the malicious code is loaded into that trusted process through AppDomainManager injection, a technique that abuses a .NET runtime feature: a configuration file placed beside the host executable (or the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables) can name an assembly to act as the process's AppDomainManager, and the CLR loads that assembly before the program's own entry point runs. Because the DLL executes inside a process that looks benign, the loader attracts little attention from defenders.

On execution, the loader first checks whether it is running from the user's Downloads folder and exits immediately if it is not, a guard intended to defeat sandboxes that run samples from some other path. If the check passes, the loader contacts a staging server, drops the TinyRCT payload into the local application data directory as PerfWatson2.exe, and registers a scheduled task so the backdoor survives reboots. A scheduled task whose action points into %LOCALAPPDATA% is itself a useful hunting query on endpoints in the affected sectors.
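
The delivery chain described in the two paragraphs above leaves a file-system artifact a defender can hunt for: a .NET configuration file that names an AppDomainManager assembly, sitting beside a host executable in a user-writable directory such as Downloads. The scanner below is an added example written for this article, not code from Unit 42 or from the malware; the directory layout, file names (sample_installer.exe, SampleManager.dll) and config contents are constructed for the demonstration and are not indicators from the report.

```python
"""Hunt for .NET AppDomainManager injection configured through .exe.config files."""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    config: str              # the .exe.config that names an AppDomainManager
    exe_present: bool        # is the host .exe sitting next to it?
    manager_assembly: str    # appDomainManagerAssembly value (assembly display name)
    manager_type: str        # appDomainManagerType value (namespace.class)
    dll_beside_config: bool  # does <assembly>.dll sit beside the config?


def assembly_simple_name(display_name: str) -> str:
    """'Foo, Version=1.0.0.0, Culture=neutral, ...' -> 'Foo'."""
    return display_name.split(",")[0].strip()


def scan_for_appdomainmanager_configs(root) -> list:
    """Walk `root`, parse every *.exe.config and report any that set both
    <appDomainManagerAssembly> and <appDomainManagerType> under <runtime>,
    which is what makes the CLR load that assembly before Main() runs.
    (rglob is case-sensitive on Linux; on Windows the filesystem is not.)"""
    findings = []
    for cfg in sorted(Path(root).rglob("*.exe.config")):
        try:
            runtime = ET.parse(cfg).getroot().find("runtime")
        except ET.ParseError:
            continue  # not well-formed XML; the CLR would reject it as well
        if runtime is None:
            continue
        asm = runtime.find("appDomainManagerAssembly")
        typ = runtime.find("appDomainManagerType")
        if asm is None or typ is None:
            continue
        asm_value = asm.get("value", "")
        host_exe = cfg.with_suffix("")  # foo.exe.config -> foo.exe
        dll = cfg.parent / (assembly_simple_name(asm_value) + ".dll")
        findings.append(Finding(str(cfg), host_exe.exists(), asm_value,
                                typ.get("value", ""), dll.exists()))
    return findings


# Constructed sample configs (hypothetical names, not indicators from the report).
INJECTING_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="SampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="SampleManager.Loader" />
  </runtime>
</configuration>
"""

BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def build_sample_tree() -> str:
    """Create a throwaway 'Downloads' tree: one staged installer directory that
    uses AppDomainManager injection and one ordinary .NET app that does not."""
    root = Path(tempfile.mkdtemp(prefix="adm_scan_"))
    staged = root / "Downloads" / "sample_installer"
    staged.mkdir(parents=True)
    (staged / "sample_installer.exe").write_bytes(b"MZ")  # placeholder host binary
    (staged / "sample_installer.exe.config").write_text(INJECTING_CONFIG)
    (staged / "SampleManager.dll").write_bytes(b"MZ")     # placeholder manager DLL
    benign = root / "Downloads" / "benign_app"
    benign.mkdir()
    (benign / "benign_app.exe").write_bytes(b"MZ")
    (benign / "benign_app.exe.config").write_text(BENIGN_CONFIG)
    return str(root)


if __name__ == "__main__":
    for f in scan_for_appdomainmanager_configs(build_sample_tree()):
        print(f"{f.config}: loads {f.manager_assembly!r} as {f.manager_type!r} "
              f"(exe present={f.exe_present}, dll beside config={f.dll_beside_config})")
```

Pointing the scanner at every user profile's Downloads and %LOCALAPPDATA% trees covers the two locations this loader touches; a hit where the named DLL sits next to the config and the host executable is a signed binary that has no business carrying an AppDomainManager is the pattern to escalate. Note that the environment-variable form of the technique leaves no config file and must be caught from process telemetry instead.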

Once established, TinyRCT beacons to its command-and-control server every ten seconds. All traffic is encrypted with AES-128 using a key hard-coded in the malware, which cuts both ways: an analyst holding a sample can recover the key and decrypt captured C2 sessions, and the fixed ten-second cadence gives network defenders a regular pattern to look for. The backdoor gives the attackers broad control over the compromised host, letting them execute commands, exfiltrate data, and deploy additional payloads as needed.
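
A fixed ten-second beacon is easy to spot in connection logs even when the payload is encrypted, because what gives it away is timing, not content. The function below is an added example for this article, not code from Unit 42 or from TinyRCT: it groups connections per (source, destination, port), measures the gaps between consecutive connections, and flags groups whose gaps cluster tightly around their median. The flow records, host addresses and thresholds are all constructed for the demonstration.

```python
"""Flag fixed-interval beaconing in connection logs by inter-arrival jitter."""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class BeaconCandidate:
    src: str
    dst: str
    dport: int
    count: int
    median_interval: float  # seconds between consecutive connections
    jitter_ratio: float     # median absolute deviation of the gaps / median gap


def find_beacons(flows, min_count=10, max_jitter_ratio=0.1):
    """flows: iterable of (timestamp_seconds, src, dst, dport).
    A (src, dst, dport) group with at least `min_count` connections whose gaps
    deviate from their median by no more than `max_jitter_ratio` is reported."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        stamps_by_pair[(src, dst, dport)].append(float(ts))

    candidates = []
    for (src, dst, dport), stamps in stamps_by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue
        # MAD is robust to a few missed or delayed beacons, unlike the variance
        mad = statistics.median(abs(g - median_gap) for g in gaps)
        ratio = mad / median_gap
        if ratio <= max_jitter_ratio:
            candidates.append(BeaconCandidate(src, dst, dport, len(stamps),
                                              median_gap, ratio))
    return candidates


def constructed_flows():
    """Synthetic connection log, constructed for this example (not real telemetry)."""
    base = 1_700_000_000.0
    flows = []
    # Host A: 30 connections to one peer, ~10 s apart with a small repeating offset
    offsets = [0.0, 0.4, -0.3, 0.2, -0.1]
    for i in range(30):
        flows.append((base + 10 * i + offsets[i % 5], "10.0.0.5", "203.0.113.10", 443))
    # Host B: ordinary browsing to one site, irregular gaps
    t = base
    for gap in [1, 45, 3, 120, 2, 0.5, 300, 7, 60, 9, 15, 200]:
        t += gap
        flows.append((t, "10.0.0.7", "198.51.100.20", 443))
    # Host C: perfectly regular but too few connections to judge at the default min_count
    for i in range(3):
        flows.append((base + 10 * i, "10.0.0.9", "203.0.113.10", 443))
    return flows


if __name__ == "__main__":
    for c in find_beacons(constructed_flows()):
        print(f"{c.src} -> {c.dst}:{c.dport}: {c.count} connections, "
              f"median gap {c.median_interval:.1f}s, jitter ratio {c.jitter_ratio:.2f}")
```

On real proxy or NetFlow data, raise `min_count` to cover at least a few minutes of beacons and allow-list known pollers (monitoring agents, NTP, update checks) before triage, since those also produce low-jitter traffic; the detection is strongest when combined with the destination's reputation and the process that opened the socket.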

The deliberate targeting of government agencies and critical infrastructure by CL-STA-1062 underscores the evolving threat landscape in Southeast Asia. The group's ability to combine off-the-shelf tools with custom malware such as TinyRCT shows how capable adversaries in the region have become. Organizations there should concentrate on the behaviors this campaign exposes: web shells and bulk reads from internal database servers, renamed VPN and credential-dumping tools, .NET configuration files that load unexpected assemblies, scheduled tasks launching binaries from user-writable directories, and fixed-interval outbound connections.