logo

CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure

ID: 2190482e-8d79-54d5-bc13-41e765d8bd35

STIX ID: report--2190482e-8d79-54d5-bc13-41e765d8bd35

Feed Name: Palo Alto Networks Unit 42

Threat Score
90/100

Date Published: 2026-06-25

Date Updated: 2026-06-26

Author: Unit 42

...
...

Palo Alto Networks Unit 42 reports on CL-STA-1062 (aka UAT-7237), a Chinese-speaking activity cluster that has targeted government entities and state-owned energy infrastructure across East and Southeast Asia since 2022; the actors use web shells, common open-source tools (SoftEther VPN, Mimikatz, VNT) and a newly documented .NET backdoor named TinyRCT (capable of command execution, file exfiltration, screen capture, and self-destruct). The report includes technical analysis of the TinyRCT loader and C2 behavior, infection chain via a malicious chrome_setup.zip performing AppDomainManager injection, multiple IoCs (file hashes, IPs, and URLs), observed compromises of at least ten organizations, and recommended Cortex XDR/XSIAM mitigations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.