unit42 · Crawled Jul 5, 2026

CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure

13 IoCs · 1 actor · 2 malware families

AI Summary

CL-STA-1062, a Chinese-speaking threat actor group active since at least March 2022, has been targeting government entities and critical infrastructure in Southeast Asia. The group, also tracked as UAT-7237, uses a hybrid toolkit combining open-source tools like SoftEther VPN, Mimikatz, and VNT with a custom backdoor named TinyRCT. This backdoor enables command execution, file exfiltration, screen capture, and self-destruction, and is deployed via AppDomainManager injection through a maliciously crafted archive. The campaign demonstrates a sustained regional focus, with attacks spanning from Taiwan to Southeast Asia, particularly targeting energy and government sectors.

AI-extracted · verify before operational use

Extracted Entities 3 found

Indicators of Compromise 13 extracted

Type | Value
Filename | PerfWatson2.exe
Filename | MyAppDomainManager.dll
Filename | chrome_setup.zip

MITRE ATT&CK TTPs 10 techniques