Chinese APT CL-STA-1062 Expands Attacks on Southeast Asian Critical Infrastructure With Custom Malware
ID: 3dac2fde-d7b4-503c-89c6-4e101ea539e0
STIX ID: report--3dac2fde-d7b4-503c-89c6-4e101ea539e0
Feed Name: Security Affairs
Palo Alto Networks Unit 42 attributes a sustained campaign in East and Southeast Asia to a Chinese-speaking APT labeled CL-STA-1062, which has shifted focus to government and state-owned energy targets; the group uses ASPX web shells, open-source tools (SoftEther VPN, VNT, Mimikatz, JuicyPotato) and a new C# backdoor called TinyRCT (hardcoded C2, AES-128-CBC, self-destruct, scheduled task persistence) to perform reconnaissance, privilege escalation, data exfiltration (password-protected RARs, SQL data, web source), and long-term low-visibility access across at least ten breaches observed in late 2025.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
