🇨🇳 CN3 malware families

CL-STA-1062

Also known ascl_sta_1062

CL-STA-1062 is a Chinese-speaking threat actor active since at least March 2022, conducting persistent operations across East Asia and, from mid-2025 onward, focusing on Southeast Asian government entities and state-owned critical energy infrastructure. Palo Alto Networks Unit 42 assessed with high confidence that CL-STA-1062 overlaps with Cisco Talos-tracked UAT-7237, which was previously linked to campaigns against web hosting infrastructure in Taiwan. Reported targeting includes government agencies, state-owned enterprises in the energy sector, and other critical infrastructure organizations in Southeast Asia, with the activity described as espionage. The actor uses a hybrid toolkit combining open-source and publicly available tools with custom malware. Observed tools include ASPX web shells for exploiting vulnerable web applications and establishing initial access, SoftEther VPN, VNT, Yuze, Mimikatz, and JuicyPotato. The group has disguised tooling as legitimate processes or software, including VMware executables and XDR agents, and has used password-protected RAR archives to stage tools and stolen data. Observed post-compromise activity includes reconnaissance, traceroute-based mapping for lateral movement opportunities, privilege escalation, persistent tunneling, MSSQL data theft, exfiltration of web server source code, and broader data exfiltration. A custom backdoor associated with the actor is TinyRCT, a previously undocumented lightweight C#/.NET backdoor also seen as PerfWatson2.exe. TinyRCT supports arbitrary command execution, file and directory enumeration, file exfiltration, screenshot capture, payload download, and self-deletion. It communicates over HTTP with hardcoded command-and-control infrastructure and uses AES-128-CBC encryption. Delivery observed in reporting used a malicious chrome_setup.zip archive containing a legitimate signed chrome_setup.exe, a malicious chrome_setup.exe.config file, and a rogue MyAppDomainManager.dll to abuse AppDomainManager injection, download the TinyRCT payload, and establish persistence via a scheduled task. Known alias: UAT-7237.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration
Energy

Where they target

Geographies tied to known operations.

🇹🇼 Taiwan

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

35 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics46 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1133×2

External Remote Services

T1190×3

Exploit Public-Facing Application

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1059×3

Command and Scripting Interpreter

T1059.003×2

Windows Command Shell

T1574×2

Hijack Execution Flow

T1574.001×2

DLL

T1574.014

AppDomainManager

TA0003

Persistence

3 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1133×2

External Remote Services

T1505

Server Software Component

T1505.003×5

Web Shell

TA0004

Privilege Escalation

2 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1068×3

Exploitation for Privilege Escalation

TA0005

Stealth

4 techniques

T1036×5

Masquerading

T1070

Indicator Removal

T1070.004×4

File Deletion

T1497×2

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1574×2

Hijack Execution Flow

T1574.001×2

DLL

T1574.014

AppDomainManager

TA0006

Credential Access

1 technique

T1003×4

OS Credential Dumping

TA0007

Discovery

6 techniques

T1016×3

System Network Configuration Discovery

T1016.001

Internet Connection Discovery

T1033

System Owner/User Discovery

T1046×4

Network Service Discovery

T1082×2

System Information Discovery

T1083×4

File and Directory Discovery

T1497×2

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0009

Collection

4 techniques

T1074

Data Staged

T1113×5

Screen Capture

T1213×4

Data from Information Repositories

T1560×5

Archive Collected Data

TA0011

Command and Control

5 techniques

T1071×4

Application Layer Protocol

T1071.001×2

Web Protocols

T1090×2

Proxy

T1090.002×2

External Proxy

T1105×4

Ingress Tool Transfer

T1219×3

Remote Access Tools

T1573

Encrypted Channel

TA0010

Exfiltration

1 technique

T1041×4

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

TinyRCTCL-STA-1062 employs a hybrid toolkit, combining open-source tools like SoftEther VPN, Mimikatz, and VNT with a newly discovered custom backdoor named TinyRCT. TinyRCT, a lightweight C# backdoor, allows for arbitrary command execution, file exfiltration, screenshot capture, and self-deletion, with its code containing a simplified Chinese string indicating its origin.7Jun 26, 2026

MimikatzWhile they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor.4Jun 26, 2026

JuicyPotatoTo escalate privileges, the attackers deployed known open-source tools, such as JuicyPotato.1Jun 25, 2026

IOCS

Observables

19 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

19 IOCsView more in app

uri

7 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.sha256

6 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

ip.v4

4 total

••••••••••••••••••••••••••••••••••••••

Domains

2 total

••••••.com•••••••.ru

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

scworldNews

Jun 26, 2026

Chinese APT CL-STA-1062 targets Southeast Asia with new TinyRCT backdoor | brief | SC Media

Persistent intrusion operations in East Asia, recently focused on government and critical energy infrastructure in Southeast Asia, involving breaches, data exfiltration, reconnaissance, persistence, and lateral movement preparation.

security affairsNews

Jun 26, 2026

Chinese APT CL-STA-1062 Expands Attacks on Southeast Asian Critical Infrastructure With Custom Malware

Persistent espionage-oriented intrusions across East Asia, with a later focus on Southeast Asian government entities and state-owned critical energy infrastructure. The group uses web shells, open-source post-exploitation tools, tunneling utilities, and the custom TinyRCT backdoor for persistence, reconnaissance, lateral movement, and data exfiltration.

the hacker newsNews

Jun 26, 2026

Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

Espionage-oriented intrusions targeting government entities, state-owned enterprises, and critical infrastructure in Southeast Asia and East Asia, using a hybrid toolkit of open-source utilities and the custom TinyRCT backdoor for reconnaissance, persistence, lateral movement, and data exfiltration.

cyber security newsNews

Jun 26, 2026

CL-STA-1062 Hackers Use TinyRCT Backdoor to Target Southeast Asian Governments

Conducting sustained intrusions against government agencies and state-owned energy organizations in Southeast Asia using open-source tools and the custom TinyRCT backdoor, with activity including web shell deployment, credential theft, lateral movement, privilege escalation, and data exfiltration.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping35

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables19

Domains, IPs, and hashes tied to this actor, refreshed continuously.