Full Report
A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia. The activity, particularly aimed at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor called CL-STA-1062, which Palo Alto Networks
Analysis Summary
# Threat Actor: CL-STA-1062
## Attribution & Identity
- **Actor Name:** CL-STA-1062
- **Identification:** Chinese-speaking Advanced Persistent Threat (APT) actor.
- **Known Aliases/Associations:** Shared overlaps with **UAT-7237** (previously identified by Cisco Talos in August 2025).
- **Origin:** Attributed to Chinese-speaking origins based on technical analysis by Palo Alto Networks Unit 42.
## Activity Summary
- **Sustained Operations:** Active since at least March 2022, targeting strategic sectors in East Asia.
- **2025 Campaigns:** Significant activity observed between mid-2025 and December 2025.
- **Specific Incident:** September 2025 breach of a Southeast Asian government entity involving data exfiltration from an MS SQL server and network reconnaissance for lateral movement.
- **Scope:** At least 10 different organizations in Southeast Asia were breached between October and December 2025.
## Tactics, Techniques & Procedures
- **Initial Access:** Scanning for vulnerabilities in web infrastructure; deployment of ASPX web shells.
- **Persistence & Execution:** Use of AppDomainManager injection to load malicious DLLs.
- **Evasion:**
- Disguising malicious files as legitimate software (e.g., VMware executables like `vmtools.exe` or XDR agents like `XDRAgent.exe`).
- Anti-sandboxing checks built into custom malware.
- Self-deletion capabilities to "wipe traces" of activity.
- **Lateral Movement:** Heavy reliance on open-source VPN and proxy tools to expand access within a compromised network.
- **Exfiltration:** Use of RAR archives to stage and exfiltrate data, including entire directories of web server source code.
- **MITRE ATT&CK IDs Mentioned:**
- **T1574.014**: Hijack Execution Flow: AppDomainManager Injection.
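The initial-access and exfiltration items above (ASPX web shells on exposed web servers, RAR archives staged for download) leave a characteristic trail in IIS logs. The following Python is an added example, not code from the Unit 42 report or from the actor's tooling: it parses an IIS W3C log by its `#Fields:` header and flags POSTs to `.aspx` pages outside a known page inventory, `.aspx` files sitting in directories that should be static, and successful downloads of `.rar` files. The log excerpt, the `KNOWN_ASPX` inventory and the `STATIC_DIRS` list are constructed assumptions for this illustration.

```python
"""Triage IIS W3C logs for ASPX web shell use and RAR staging (added example)."""
from collections import defaultdict

# Constructed IIS log excerpt for this example; not from the Unit 42 report.
# IIS writes spaces inside field values as '+', so records split cleanly on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-09-14 02:11:03 10.0.0.5 GET /portal/Default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 41
2025-09-14 02:11:09 10.0.0.5 POST /portal/Login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302 88
2025-09-14 02:13:40 10.0.0.5 POST /portal/images/error.aspx - 443 - 198.51.100.23 python-requests/2.31 200 12
2025-09-14 02:13:55 10.0.0.5 POST /portal/images/error.aspx - 443 - 198.51.100.23 python-requests/2.31 200 9
2025-09-14 02:20:17 10.0.0.5 GET /portal/images/src.rar - 443 - 198.51.100.23 python-requests/2.31 200 4102
"""

# Assumed inventory of ASPX pages the application legitimately serves (lower-cased).
KNOWN_ASPX = {"/portal/default.aspx", "/portal/login.aspx"}
# Assumed directories that should only ever hold static content.
STATIC_DIRS = ("/images/", "/css/", "/js/", "/uploads/")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def triage(text, known_aspx=KNOWN_ASPX):
    """Return (findings, shell_sources): one finding per suspicious record, plus
    the set of client IPs that POSTed to each unknown ASPX stem."""
    findings = []
    shell_sources = defaultdict(set)
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        method = rec["cs-method"].upper()
        client = rec["c-ip"]
        status = rec["sc-status"]
        if stem.endswith(".aspx") and stem not in known_aspx:
            reasons = []
            if method == "POST":  # web shells are driven by POSTed commands
                reasons.append("post_to_unknown_aspx")
                shell_sources[stem].add(client)
            if any(d in stem for d in STATIC_DIRS):  # server-side code where only assets belong
                reasons.append("aspx_in_static_dir")
            for rule in reasons:
                findings.append({"rule": rule, "stem": stem, "client": client, "status": status})
        if stem.endswith(".rar") and method == "GET" and status == "200":
            # A RAR archive served from the webroot is a classic staging/exfil pattern.
            findings.append({"rule": "rar_download", "stem": stem, "client": client, "status": status})
    return findings, dict(shell_sources)


if __name__ == "__main__":
    hits, sources = triage(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("web shell candidates:", sources)
```

Because records are keyed by the `#Fields:` names rather than by position, the same function works on logs with a different field selection as long as `cs-method`, `cs-uri-stem`, `c-ip` and `sc-status` are present. In practice the page inventory should be generated from the deployed application, and hits should be correlated with file-creation times in the webroot.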
## Targeting
- **Sectors:** Critical Infrastructure, Government Entities, State-Owned Enterprises (SOE), Energy Sector, and Web Infrastructure.
- **Geography:** Primarily Southeast Asia, with historical activity in East Asia (including Taiwan).
- **Victims:** Southeast Asian government ministries and strategic regional state-owned enterprises; in the September 2025 intrusion the actor exfiltrated data from a victim's MS SQL server.
## Tools & Infrastructure
- **Custom Malware:**
- **TinyRCT:** A bespoke, lightweight .NET backdoor/RAT (observed as `PerfWatson2.exe`) capable of command execution, file exfiltration, screen capture, and remote control.
- **MyAppDomainManager.dll:** Rogue DLL loaded into a legitimate .NET executable through AppDomainManager injection (T1574.014).
- **Open-Source/Utility Tools:**
- **SoftEther VPN**
- **Mimikatz** (Credential harvesting)
- **VNT** (Virtual Network Tool)
- **Yuze** (SOCKS5 proxy)
- **Infrastructure:**
- C2 Communication via HTTP with AES-128 encryption (CBC mode).
- **IP Addresses (Defanged):**
- 45.32.113[.]172 (TinyRCT C2)
- 139.180.134[.]221 (Payload delivery for TinyRCT)
## Implications
CL-STA-1062 represents a highly disciplined and pragmatic threat. Their ability to blend common open-source tools with custom-developed, lightweight backdoors like TinyRCT makes attribution difficult while maintaining high operational efficiency. Their focus on the energy and government sectors suggests a strategic mandate centered on long-term espionage and potentially pre-positioning for disruptive capabilities within critical infrastructure.
## Mitigations
- **Monitor for AppDomainManager Injection:** Alert on `<appDomainManagerAssembly>`/`<appDomainManagerType>` entries in application `.config` files, on the `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` environment variables (the file-less variant of the same technique), and on legitimate .NET executables loading DLLs that are not part of their install (e.g., a `MyAppDomainManager.dll` dropped alongside the binary).
- **Network Segmentation:** Restrict outbound traffic from web servers to prevent web shells from communicating with external C2 infrastructure.
- **Baseline Binaries:** Alert on non-standard versions of legitimate-looking files such as `vmtools.exe` or `chrome_setup.exe` appearing in unusual directories.
- **Vulnerability Management:** Prioritize patching of public-facing web infrastructure to prevent initial ASPX web shell deployment.
- **Endpoint Detection:** Deploy EDR rules to detect the execution of known open-source tools like SoftEther or VNT when not authorized for administrative use.
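Added example covering the AppDomainManager injection technique listed under TTPs and the first mitigation above: a Python scanner that finds `*.exe.config` files whose `<runtime>` section names an AppDomainManager, resolves the sidecar DLL the CLR would probe for next to the executable, and also checks the process-environment form of the technique. This is not code from the Unit 42 report; the fixture it builds (`build_demo_tree`, the `host.exe` name and the empty placeholder files) is constructed for the illustration, and only the `MyAppDomainManager.dll` name is taken from the page.

```python
"""Hunt for AppDomainManager injection (T1574.014) in .exe.config files and env vars (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# The two <runtime> elements the CLR honours when choosing an AppDomainManager.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Process-environment equivalents, which take effect without touching any file.
MANAGER_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def inspect_config(config_path):
    """Return a finding for a *.exe.config that names an AppDomainManager, else None."""
    try:
        runtime = ET.parse(config_path).getroot().find("runtime")
    except ET.ParseError:
        return None
    if runtime is None:
        return None
    values = {}
    for tag in MANAGER_ELEMENTS:
        node = runtime.find(tag)
        if node is not None:
            values[tag] = node.get("value", "")
    if not values:
        return None
    folder = os.path.dirname(config_path)
    exe_path = config_path[: -len(".config")]
    # The assembly value is a display name; the CLR probes "<simple name>.dll" beside the EXE.
    simple_name = values.get("appDomainManagerAssembly", "").split(",")[0].strip()
    sidecar = os.path.join(folder, simple_name + ".dll") if simple_name else None
    return {
        "config": config_path,
        "executable": exe_path,
        "executable_present": os.path.isfile(exe_path),
        "manager_assembly": values.get("appDomainManagerAssembly", ""),
        "manager_type": values.get("appDomainManagerType", ""),
        "sidecar_dll": sidecar,
        "sidecar_present": bool(sidecar) and os.path.isfile(sidecar),
    }


def scan_tree(root_dir):
    """Walk root_dir and return findings for every *.exe.config that sets a manager."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                hit = inspect_config(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return findings


def check_environment(environ=None):
    """Return any AppDomainManager env vars set in the given (or current) environment."""
    env = os.environ if environ is None else environ
    return {k: env[k] for k in MANAGER_ENV_VARS if k in env}


def build_demo_tree():
    """Constructed fixture: one benign config and one injected config (host.exe is an
    assumed name; MyAppDomainManager.dll is the DLL name from the report)."""
    root = tempfile.mkdtemp(prefix="adm-demo-")
    benign_dir = os.path.join(root, "Legit")
    evil_dir = os.path.join(root, "ProgramData", "Watson")
    os.makedirs(benign_dir)
    os.makedirs(evil_dir)
    with open(os.path.join(benign_dir, "app.exe.config"), "w") as f:
        f.write('<configuration><runtime><gcServer enabled="true"/></runtime></configuration>')
    with open(os.path.join(evil_dir, "host.exe.config"), "w") as f:
        f.write('<configuration><runtime>'
                '<appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, '
                'Culture=neutral, PublicKeyToken=null"/>'
                '<appDomainManagerType value="MyAppDomainManager"/>'
                '</runtime></configuration>')
    for name in ("host.exe", "MyAppDomainManager.dll"):
        open(os.path.join(evil_dir, name), "wb").close()  # empty placeholders, not real binaries
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_demo_tree()):
        print(hit)
    print("env:", check_environment())
```

On a live host, point `scan_tree` at the volume root and treat every hit as a lead: a config naming a manager assembly next to a signed Microsoft or vendor binary is exactly the pairing described for `MyAppDomainManager.dll`, and the sidecar DLL's signature and creation time are the first things to check. The environment-variable check should be run per process (e.g. from process-creation telemetry), since `os.environ` only reflects the scanner's own environment.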