Unmasking CL-STA-1062: The Stealthy Threat Targeting Southeast Asian Infrastructure
During 2025, a Chinese-speaking threat actor, tracked as CL-STA-1062, significantly escalated its regional operations. Targeting government entities and critical energy infrastructure across Southeast Asia, the group has transitioned from opportunistic intrusions to sophisticated, targeted campaigns involving the deployment of a custom .NET backdoor known as TinyRCT.
The group’s methodology is a hybrid of “living off the land” and bespoke malware development. Operators utilize legitimate open-source tools like SoftEther VPN for network tunneling, alongside VNT and yuze for covert command-and-control (C2) communications. To facilitate credential theft, they frequently deploy Mimikatz, often disguising the binaries as legitimate system files to evade casual observation.
Initial access is typically secured via ASPX web shells deployed through vulnerable web applications. Once a foothold is established, the actors move through a disciplined lifecycle: conducting internal reconnaissance, attempting lateral movement, and staging sensitive data—often compressed into password-protected RAR archives—for exfiltration.

The TinyRCT Backdoor: Defensive Evasion and Execution
TinyRCT, identified on attacker infrastructure as PerfWatson2.exe, represents a material leap in the actor’s technical capabilities. This lightweight C# Remote Access Trojan (RAT) uses environmental keying to defeat automated analysis: the backdoor aborts unless it is running from the %LOCALAPPDATA% directory, and its loader checks that it was launched from the user’s Downloads folder, consistent with a user who has just downloaded and extracted chrome_setup.zip. Sandboxes and analysts typically detonate a sample from a temporary or arbitrary path, so under those conditions the sample simply exits without revealing any behaviour. In practice this means the sample has to be placed in (or patched to believe it is in) the expected directory before it will run.
Upon successful execution, TinyRCT fingerprints the host by collecting critical telemetry, including the username, machine name, OS version, local IP addresses, execution path, Process ID (PID), and a unique GUID. This profile is encrypted and used to register with a C2 server, establishing a persistent communication channel via AES-128-CBC encrypted HTTP requests to the IP 45.32.113[.]172.
According to a report by Unit 42, telemetry suggests this cluster has been active since March 2022. The activity aligns with the actor previously labeled as UAT-7237 by Cisco Talos, indicating a long-term strategic focus on the region.
Technical Breakdown of the Infection Chain
The infection vector is a plausible social-engineering dropper. The chain typically begins with a chrome_setup.zip archive containing a signed chrome_setup.exe, a malicious chrome_setup.exe.config file, and a MyAppDomainManager.dll loader. The config file abuses .NET AppDomainManager injection: when the signed executable starts, the CLR reads the .config file, finds an appDomainManagerAssembly/appDomainManagerType entry pointing at the DLL, and loads and instantiates that type before the application’s own code runs. The attacker’s code therefore executes inside a legitimately signed process without the signed binary being modified, which sidesteps controls that trust a valid signature.
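To make the mechanism concrete, the following is an added example (not code from the article or from the Unit 42 report) showing what an AppDomainManager-injection config looks like on disk and how to triage one during a forensic review. The assembly version string and the type name in the sample are made up; only the file name MyAppDomainManager.dll comes from the page.

```python
"""
Added example (not from the original article or the Unit 42 report): what
.NET AppDomainManager injection looks like on disk and how to triage it.

On .NET Framework, the CLR reads <name>.exe.config next to the executable at
startup. If its <runtime> element sets appDomainManagerAssembly and
appDomainManagerType, the CLR loads that assembly and instantiates the type
before the program's own Main runs. That is how a legitimately signed
chrome_setup.exe ends up executing attacker code kept in a DLL beside it
(MyAppDomainManager.dll on this page). The assembly version string and the
type name below are invented for the demo.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

# Constructed sample: the shape a malicious chrome_setup.exe.config takes.
INJECTION_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager.Loader" />
  </runtime>
</configuration>
"""

# Constructed sample of an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def extract_appdomain_manager(config_text: str) -> Optional[dict]:
    """Return {'assembly', 'type'} if the config redirects the AppDomainManager,
    else None. The injection needs both elements, so both must be present."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return {"assembly": asm.get("value", ""), "type": typ.get("value", "")}


def triage_config(config_name: str, config_text: str, siblings: Iterable[str]) -> List[str]:
    """Explain why an .exe.config is suspicious. `siblings` is the list of file
    names in the same directory (from a directory listing or a disk image)."""
    mgr = extract_appdomain_manager(config_text)
    if mgr is None:
        return []
    findings = [f"{config_name}: AppDomainManager redirected to {mgr['type']} in {mgr['assembly']}"]
    # The first comma-separated field of a .NET assembly name is its simple name.
    simple_name = mgr["assembly"].split(",")[0].strip()
    if f"{simple_name}.dll" in set(siblings):
        findings.append(f"{simple_name}.dll is staged beside the executable, so the redirect is live")
    return findings


if __name__ == "__main__":
    listing = ["chrome_setup.exe", "chrome_setup.exe.config", "MyAppDomainManager.dll"]
    for line in triage_config("chrome_setup.exe.config", INJECTION_CONFIG, listing):
        print(line)
```

Legitimate software very rarely sets appDomainManagerAssembly, so a hit is high signal on its own. One caveat: the config file is not the only route. The same redirect can be set through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, so a scan that only looks at .exe.config files will miss that variant; process-creation telemetry that records environment blocks covers it.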

The loader fetches the primary payload, PerfWatson2.exe, from staging infrastructure (139.180.134[.]221), writes it to %LOCALAPPDATA%, and ensures persistence by creating a high-privilege scheduled task, often masquerading as GoogleUpdaterTaskSystem....

The RAT’s command set is compact but sufficient for its purpose: arbitrary shell execution, directory enumeration, file exfiltration (files are read and sent in 40 KB AES-encrypted chunks), screen capture, and configuration updates. In 2025, this toolset was used to exfiltrate government databases and maintain long-term access to state-owned energy organizations.
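The chunked-upload design leaves a network fingerprint even though the payload itself is encrypted: a stream of POST requests with near-identical body sizes, sent on a timer. The following is an added example (not from the article or the Unit 42 report) of detection logic for that pattern, run over a constructed proxy log. The log format, hosts, URI, thresholds and the 41216-byte body size (40 KiB plus an assumed envelope) are all invented for the demo; 203.0.113.7 is a documentation address standing in for a C2 server.

```python
"""
Added example (not from the original article or the Unit 42 report):
flag flows whose POST requests are evenly spaced and uniformly sized, the
signature of timer-driven beaconing and fixed-chunk file exfiltration.
All log lines, hosts, URIs and thresholds are constructed for the demo.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log: "<timestamp> <src> <dst> <method> <uri> <bytes_out>"
# 41216 = 40 KiB payload + 256 bytes of assumed request envelope.
PROXY_LOG = """\
2025-06-01T10:00:00 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:00:05 10.1.2.34 198.51.100.20 GET /news/index.html 512
2025-06-01T10:01:02 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:01:59 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:02:30 10.1.2.34 198.51.100.20 POST /news/search 2048
2025-06-01T10:03:01 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:03:58 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:04:10 10.1.2.34 198.51.100.20 GET /news/a.css 300
2025-06-01T10:05:00 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:06:03 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:06:57 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:08:00 10.1.2.34 203.0.113.7 POST /api/v1/update 41216
2025-06-01T10:08:40 10.1.2.34 198.51.100.20 POST /news/comment 9000
2025-06-01T10:09:01 10.1.2.34 203.0.113.7 POST /api/v1/update 12800
"""

Flow = Tuple[str, str]  # (src, dst)
Event = Tuple[datetime, int]  # (timestamp, bytes_out)


def parse_log(text: str) -> Dict[Flow, List[Event]]:
    """Group POST requests (uploads) by source/destination pair."""
    flows: Dict[Flow, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, _uri, size = line.split()
        if method != "POST":
            continue
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return flows


def score_flow(events: List[Event], min_requests: int = 8,
               max_interval_cv: float = 0.25, min_size_share: float = 0.8) -> List[str]:
    """Return the reasons a flow looks like beaconing / chunked upload, or [].

    Interval regularity is measured by the coefficient of variation of the
    gaps between requests; size uniformity by the share of requests whose
    body size equals the most common size. Thresholds are demo values."""
    if len(events) < min_requests:
        return []
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
    size, count = Counter(s for _, s in events).most_common(1)[0]
    share = count / len(events)
    reasons = []
    if cv <= max_interval_cv:
        reasons.append(f"{len(events)} POSTs every ~{mean_gap:.0f}s (interval CV {cv:.2f})")
    if share >= min_size_share:
        reasons.append(f"{share:.0%} of request bodies are exactly {size} bytes")
    return reasons


def flag_beacons(text: str) -> Dict[Flow, List[str]]:
    """Map each suspicious (src, dst) pair to the reasons it was flagged."""
    return {flow: r for flow, ev in parse_log(text).items() if (r := score_flow(ev))}


if __name__ == "__main__":
    for (src, dst), reasons in flag_beacons(PROXY_LOG).items():
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

The last chunk of a file is usually short, which is why the size check asks for a high share of identical sizes rather than all of them. In production the same two statistics are computed per flow over a sliding window, and the destination is enriched with reputation data before alerting, since software updaters also produce regular, fixed-size requests.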
Defensive Strategies and Mitigation
Detecting CL-STA-1062 requires a layered, behavioral-centric approach. Organizations should prioritize the following:
- Web Application Security: Patch internet-facing web applications promptly and use WAF rules to block web-shell upload attempts. Alert on new .aspx files appearing under web roots, and on the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe, which is how a web shell typically executes commands.
- Endpoint Detection and Response (EDR): Monitor for unusual process execution patterns, specifically .NET applications running from non-standard directories such as %LOCALAPPDATA% or Downloads, a signed executable loading an unsigned DLL from its own directory at startup, and <name>.exe.config files that set appDomainManagerAssembly.
- Network Telemetry: Watch for persistent, encrypted HTTP POST requests to unknown IPs at regular intervals, and for runs of similarly sized POST bodies, which chunked file exfiltration produces; both indicate C2 beaconing or data staging.
- Persistence Hunting: Audit scheduled tasks for suspicious names (e.g., masquerading as Google or Windows updates) and for actions that run from user-writable paths such as %LOCALAPPDATA%, and monitor for new tasks created by non-admin users.
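The persistence hunt above and the scheduled task described in the infection chain can be checked offline, because Task Scheduler keeps every definition as an XML file under C:\Windows\System32\Tasks, readable from a live host or a mounted disk image. The following is an added example (not from the article or the Unit 42 report) that scores a task on the three properties that persistence would show: a name imitating a vendor updater, an action running from a user-writable directory, and a request for the highest available run level. The task names, user names, file paths and sample XML are constructed for the demo; the real task name on this page is not known beyond its GoogleUpdaterTaskSystem prefix.

```python
"""
Added example (not from the original article or the Unit 42 report): audit
Task Scheduler XML definitions for masquerading persistence. Task names,
paths and the sample XML are constructed for the demo.
"""
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed: a task whose action points into %LOCALAPPDATA%.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>WORKSTATION\alice</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Local\PerfWatson2.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed: the shape of a legitimate Google updater task, for comparison.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>"""

VENDOR_NAME = re.compile(r"google|microsoft|windows|update", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\(appdata\\local|appdata\\roaming|downloads|temp|users\\public)\\", re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def audit_task(task_name: str, xml_text: str) -> List[str]:
    """Return the reasons a task definition looks like masquerading persistence."""
    root = ET.fromstring(xml_text)
    cmd_el = root.find("t:Actions/t:Exec/t:Command", NS)
    lvl_el = root.find("t:Principals/t:Principal/t:RunLevel", NS)
    command = (cmd_el.text or "").strip() if cmd_el is not None else ""
    run_level = (lvl_el.text or "").strip() if lvl_el is not None else ""
    # Demo simplification: anything under Program Files / Windows is treated as
    # vendor-owned. That does not cover DLL side-loading inside vendor directories.
    if not command or command.lower().startswith(TRUSTED_ROOTS):
        return []
    where = "user-writable" if USER_WRITABLE.search(command) else "non-standard"
    reasons = [f"action runs {command} from a {where} location"]
    if VENDOR_NAME.search(task_name):
        reasons.append(f"task name {task_name!r} imitates a vendor updater but the action is not in a vendor directory")
    if run_level == "HighestAvailable":
        reasons.append("principal requests RunLevel HighestAvailable")
    return reasons


def audit_tasks_tree(tasks_root: str) -> Dict[str, List[str]]:
    """Walk a copied or mounted Tasks directory. On-disk task files are UTF-16
    with a BOM, which the utf-16 codec consumes; the task name is the file name."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(tasks_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-16") as fh:
                    reasons = audit_task(name, fh.read())
            except (ET.ParseError, UnicodeError, OSError):
                continue
            if reasons:
                hits[path] = reasons
    return hits


if __name__ == "__main__":
    for r in audit_task("GoogleUpdaterTaskSystemDemo", SUSPICIOUS_TASK):
        print(r)
```

Scoring all three properties together matters: plenty of legitimate tasks request HighestAvailable, and plenty of tasks are named after vendors, but a vendor-named task whose action lives under a user profile is rare enough to be worth an analyst's time every time.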
Indicators of Compromise (IoCs)
| File Name | SHA256 Hash |
|---|---|
| chrome_setup.zip | 00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c |
| fscan | f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1 |
| SoftEther VPN | dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b |
| TinyRCT downloader | cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3 |
| TinyRCT | 4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384 |
| VNT | 9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472 |