logo

Chinese APT CL-STA-1062 Expands Attacks on Southeast Asian Critical Infrastructure With Custom Malware

ID: 3dac2fde-d7b4-503c-89c6-4e101ea539e0

STIX ID: report--3dac2fde-d7b4-503c-89c6-4e101ea539e0

Feed Name: Security Affairs

Threat Score
92/100

Date Published: 2026-06-26

Date Updated: 2026-06-27

Author: Pierluigi Paganini

...
...

Palo Alto Networks Unit 42 attributes a sustained campaign in East and Southeast Asia to a Chinese-speaking APT labeled CL-STA-1062, which has shifted focus to government and state-owned energy targets; the group uses ASPX web shells, open-source tools (SoftEther VPN, VNT, Mimikatz, JuicyPotato) and a new C# backdoor called TinyRCT (hardcoded C2, AES-128-CBC, self-destruct, scheduled task persistence) to perform reconnaissance, privilege escalation, data exfiltration (password-protected RARs, SQL data, web source), and long-term low-visibility access across at least ten breaches observed in late 2025.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.