Chinese-Speaking CL-STA-1062 Used TinyRCT to Breach Southeast Asian Governments
Palo Alto Networks Unit 42 reported that the Chinese-speaking intrusion cluster CL-STA-1062, assessed with high confidence to overlap with Cisco Talos' UAT-7237, conducted sustained operations across East and Southeast Asia from at least 2022 through 2025. In 2025, the group targeted Southeast Asian government entities and state-owned critical energy infrastructure, using web application exploitation, ASPX web shells, reconnaissance, lateral movement, and data exfiltration to maintain access and steal information.
Investigators said the actors combined open-source tooling, including SoftEther VPN, VNT, yuze, Mimikatz, and JuicyPotato, with a newly documented custom .NET backdoor, TinyRCT. The malware supports command execution, file listing and exfiltration, screenshot capture, encrypted HTTP-based command-and-control, and a self-destruct routine intended to erase forensic evidence. Unit 42 also reconstructed an infection chain in which a malicious chrome_setup.zip archive used AppDomainManager injection (abusing the .NET runtime's ability to load a custom AppDomainManager assembly named in an application's configuration) to load a malicious DLL, download PerfWatson2.exe from attacker infrastructure, and establish persistence through a scheduled task.
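AppDomainManager injection works because a .NET Framework executable's .exe.config can name an AppDomainManager assembly and type under its runtime element; the runtime then loads that assembly before the application's own entry point runs, so an attacker who drops a DLL and a crafted config next to a legitimate signed binary gets code execution without touching the binary itself. The following hunting snippet is an added example, not code from the Unit 42 report or from the TinyRCT chain. It parses .exe.config files and flags AppDomainManager settings that point at an unsigned assembly side-loaded from the application directory. Both config samples are constructed for illustration; the assembly name "Loader" is a placeholder and is not an indicator from the campaign.

```python
"""Hunt for AppDomainManager injection in .NET Framework .exe.config files."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

# Constructed sample: a typical benign config with binding redirects and no
# AppDomainManager override at all.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed sample: the shape an injected config takes. The assembly name
# "Loader" is hypothetical and not taken from the report.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.MyAppDomainManager" />
  </runtime>
</configuration>"""


@dataclass
class Finding:
    assembly: str          # full assembly display name from the config
    manager_type: str      # AppDomainManager-derived type the runtime instantiates
    reasons: list = field(default_factory=list)


def parse_appdomain_manager(config_xml: str) -> Optional[Tuple[str, str]]:
    """Return (assembly, type) if the config overrides the AppDomainManager, else None."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    # These two elements live in the default (empty) namespace, unlike
    # assemblyBinding, so a plain tag lookup is correct here.
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (
        asm.get("value", "") if asm is not None else "",
        typ.get("value", "") if typ is not None else "",
    )


def assess(config_xml: str, sibling_files: Iterable[str]) -> Optional[Finding]:
    """Score a config against the files found in the same directory as the executable."""
    parsed = parse_appdomain_manager(config_xml)
    if parsed is None:
        return None
    asm_full, manager_type = parsed
    asm_name = asm_full.split(",")[0].strip()
    finding = Finding(asm_full, manager_type)
    # Any AppDomainManager override is rare outside development tooling.
    finding.reasons.append("config overrides the AppDomainManager")
    if "publickeytoken=null" in asm_full.replace(" ", "").lower():
        finding.reasons.append("assembly is unsigned (PublicKeyToken=null)")
    siblings = {f.lower() for f in sibling_files}
    if f"{asm_name}.dll".lower() in siblings:
        finding.reasons.append(f"{asm_name}.dll sits beside the executable (side-load)")
    return finding


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        result = assess(cfg, ["chrome_setup.exe", "Loader.dll"])
        print(label, "->", "clean" if result is None else result.reasons)
```

In a real hunt, run assess over every *.exe.config under user-writable paths (Downloads, Temp, ProgramData) and treat the side-load reason as the strongest signal: a signed Microsoft binary next to an unsigned DLL named in its own config is the core of the technique, whatever the archive or DLL is called.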

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Unit 42 reports 10 CL-STA-1062 breaches in Southeast Asia
Unit 42 said it observed at least 10 organizational breaches in Southeast Asia between October and December 2025 linked to CL-STA-1062. The reporting also described a September 2025 intrusion in which the attackers used a web shell to exfiltrate data from an MS SQL server and stole a directory of web server source code.
CL-STA-1062 targets Southeast Asian governments and energy infrastructure
In 2025, CL-STA-1062 targeted Southeast Asian government entities and state-owned critical energy infrastructure. The operations involved web application exploitation, ASPX web shells, reconnaissance, lateral movement, and data exfiltration.
CL-STA-1062 begins sustained operations in East and Southeast Asia
Unit 42 reported that the Chinese-speaking activity cluster CL-STA-1062 conducted sustained operations across East and Southeast Asia from at least 2022 through 2025. The group is assessed with high confidence to be the same as Cisco Talos' UAT-7237.
Unit 42 reconstructs TinyRCT infection chain
Unit 42 reported an infection chain in which a malicious chrome_setup.zip archive used AppDomainManager Injection to load a malicious DLL, download PerfWatson2.exe from attacker infrastructure, and establish persistence via a scheduled task. The report also noted the actors' use of a hybrid toolkit including SoftEther VPN, VNT, yuze, Mimikatz, and JuicyPotato.
Unit 42 documents TinyRCT backdoor used by CL-STA-1062
Unit 42 disclosed that the threat cluster used a newly documented custom .NET backdoor called TinyRCT. The malware supports command execution, file listing and exfiltration, screenshot capture, encrypted HTTP-based command-and-control, and a self-destruct routine to remove forensic evidence.
Sources
Chinese APT CL-STA-1062 targets Southeast Asia with new TinyRCT backdoor | brief | SC Media (scworld.com)
Chinese APT CL-STA-1062 Expands Attacks on Southeast Asian Critical Infrastructure With Custom Malware (securityaffairs.com)
Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign (thehackernews.com)
CL-STA-1062 Hackers Use TinyRCT Backdoor to Target Southeast Asian Governments (cybersecuritynews.com)
CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure | Community Portal | Gurucul (community.gurucul.com)
CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure (unit42.paloaltonetworks.com)