

Ethical Hacking News

APT CL-STA-1062: A Sophisticated Chinese-speaking Threat Actor Expands Attacks on Southeast Asian Critical Infrastructure


Chinese-speaking APT CL-STA-1062 has been expanding its attacks on Southeast Asian critical infrastructure, targeting government and energy networks with a custom-made malware tool. The group is using common open-source tools while introducing a custom backdoor called TinyRCT, making it challenging for analysts to detect and mitigate their activities.

  • APT group CL-STA-1062 has expanded its attacks on Southeast Asian critical infrastructure, targeting government and energy networks with custom-made malware.
  • The group previously targeted web hosting infrastructure in Taiwan but has evolved into a more sophisticated threat actor.
  • Cyber attackers breached at least ten organizations in the region using ASPX web shells, SoftEther VPN, Yuze, and VNT for lateral movement.
  • CL-STA-1062's custom-made backdoor, TinyRCT, allows long-term persistence with a clean exit option, making it challenging to detect and mitigate activities.
  • The group leverages common open-source tools while introducing custom-made malware to achieve specific goals, highlighting the need for organizations to stay vigilant and proactive in protecting critical infrastructure.



    Chinese-speaking APT CL-STA-1062 has been expanding its attacks on Southeast Asian critical infrastructure, targeting government and energy networks with a custom-made malware tool. According to a detailed report published by Palo Alto Networks Unit 42 researchers, the threat actor has been running persistent operations across East Asia since at least March 2022 and shifted its focus to Southeast Asia in mid-2025.

    The group was previously flagged by Cisco Talos as UAT-7237, linked to campaigns against web hosting infrastructure in Taiwan. However, CL-STA-1062 has evolved into a more sophisticated threat actor, leveraging common open-source tools such as SoftEther VPN and VNT to facilitate lateral movement.

    In October 2025 alone, Unit 42 detected breaches at a minimum of ten different organizations in the region. The intrusion pattern is consistent across targets, with attackers gaining access through ASPX web shells deployed against vulnerable web applications, using those shells for reconnaissance and tool delivery, and then establishing persistent tunneling infrastructure using SoftEther VPN, Yuze, and VNT.

    One notable feature of CL-STA-1062's tactics, reportedly discovered by Unit 42, is the use of a custom-made backdoor called TinyRCT. TinyRCT is a lightweight C# backdoor that runs arbitrary commands via cmd.exe, enumerates directories and files, reads and exfiltrates files in 40KB gzip-compressed AES-encrypted chunks, captures screenshots as JPEG, downloads files from URLs, and deletes itself on command.
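The intrusion chain described above (ASPX web shells hosted by IIS used for reconnaissance and tool delivery, followed by a backdoor that runs commands through cmd.exe) gives defenders one high-signal process lineage to watch: the IIS worker process spawning a command interpreter, and further tooling launched from that interpreter. The following is an added example, not code from the Unit 42 report or this article; it runs a detection pass over constructed Sysmon-style process-creation events, and the field names, paths and PIDs are assumptions.

```python
import ntpath

# Interpreters a web shell typically uses to run operator commands.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# IIS worker process that hosts ASPX applications (and any web shell in them).
IIS_WORKER = "w3wp.exe"

# Constructed sample events mimicking Sysmon Event ID 1 fields (assumed names).
SAMPLE_EVENTS = [
    {"pid": 4010, "ppid": 1204, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"pid": 4020, "ppid": 4010, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},                       # recon via web shell
    {"pid": 4030, "ppid": 4020, "image": r"C:\inetpub\wwwroot\uploads\upd.exe",
     "cmdline": "upd.exe"},                                 # tool launched from shell
    {"pid": 5000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},                                 # interactive user shell, benign
    {"pid": 4040, "ppid": 7777, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},                          # parent not observed
]


def _base(image):
    return ntpath.basename(image).lower()


def detect_webshell_chains(events, max_depth=8):
    """Return [(pid, rule)] for processes matching the web-shell lineage.

    web_shell_exec       - w3wp.exe directly spawned a command interpreter
    web_shell_descendant - a process whose ancestry passes through such an
                           interpreter (tooling delivered and run via the shell)
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and _base(parent["image"]) == IIS_WORKER and _base(e["image"]) in SHELLS:
            alerts.append((e["pid"], "web_shell_exec"))
            continue
        # Walk up the tree (bounded, in case of PID reuse loops) looking for
        # a w3wp.exe -> interpreter hop anywhere in the ancestry.
        node, depth = parent, 0
        while node and depth < max_depth:
            grand = by_pid.get(node["ppid"])
            if grand and _base(grand["image"]) == IIS_WORKER and _base(node["image"]) in SHELLS:
                alerts.append((e["pid"], "web_shell_descendant"))
                break
            node, depth = grand, depth + 1
    return alerts
```

Processes whose parent was never observed (pid 4040 above) are deliberately not flagged, so the pass depends on complete process-creation telemetry from the web tier.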

    The attackers use off-the-shelf tools for most of the operation, which makes attribution harder and keeps development costs low. However, TinyRCT fills a specific gap those tools cannot cover: long-term, low-visibility persistence with a clean exit option. Unit 42 assesses that CL-STA-1062 will continue to threaten Southeast Asia, particularly energy and government organizations, through attacks on critical infrastructure.

    The use of TinyRCT underscores the attackers' ability to customize tools to gain specific capabilities, making it challenging for analysts to detect and mitigate their activities. The report concludes that CL-STA-1062's campaign reflects a pragmatic approach to tool selection and attack capabilities, leveraging common open-source tools while introducing custom-made malware to achieve specific goals.

    The expansion of attacks by CL-STA-1062 highlights the evolving nature of cyber threats in Southeast Asia and the need for organizations to stay vigilant and proactive in protecting their critical infrastructure. As the threat landscape continues to shift, it is essential for security professionals to stay informed about emerging threats like CL-STA-1062 and to develop effective strategies to counter them.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/APT-CL-STA-1062-A-Sophisticated-Chinese-speaking-Threat-Actor-Expands-Attacks-on-Southeast-Asian-Critical-Infrastructure-ehn.shtml

  • https://securityaffairs.com/194312/intelligence/chinese-apt-cl-sta-1062-expands-attacks-on-southeast-asian-critical-infrastructure-with-custom-malware.html


  • Published: Fri Jun 26 13:34:08 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.