unit42 · Crawled Jul 5, 2026
CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure
13 IoCs · 1 actor · 2 malware families
AI Summary
CL-STA-1062, a Chinese-speaking threat actor group active since at least March 2022, has been targeting government entities and critical infrastructure in Southeast Asia. The group, also tracked as UAT-7237, uses a hybrid toolkit combining open-source tools like SoftEther VPN, Mimikatz, and VNT with a custom backdoor named TinyRCT. This backdoor enables command execution, file exfiltration, screen capture, and self-destruction, and is deployed via AppDomainManager injection through a maliciously crafted archive. The campaign demonstrates a sustained regional focus, with attacks spanning from Taiwan to Southeast Asia, particularly targeting energy and government sectors.
AI-extracted · verify before operational use
Extracted entities: 3 found
Indicators of Compromise: 13 extracted
MITRE ATT&CK TTPs: 10 techniques
- T1003 OS Credential Dumping · Credential Access
- T1021 Remote Services · Lateral Movement
- T1055.003 Thread Execution Hijacking · Defense Evasion
- T1059.001 PowerShell · Execution
- T1071.001 Web Protocols · Command and Control
- T1074 Data Staged · Collection
- T1082 System Information Discovery · Discovery
- T1110 Brute Force · Credential Access
- T1212 Exploitation for Credential Access · Credential Access
- T1485 Data Destruction · Impact