On June 25, 2026, Palo Alto Networks' Unit 42 published a technical report reconstructing the evolution of CL-STA-1062, a Chinese-speaking threat actor active since March 2022. The group, assessed with high confidence as overlapping with the UAT-7237 cluster tracked by Cisco Talos for campaigns against web hosting in Taiwan, shifted its focus to government entities and critical state energy infrastructure in Southeast Asia during 2025. The technical novelty is TinyRCT: a previously undocumented C#/.NET backdoor/RAT designed for prolonged stealth and reduced forensic footprints.
- CL-STA-1062 has been active since March 2022; Unit 42 links it with high confidence to UAT-7237, the Cisco Talos cluster reported for attacks on Taiwanese web hosting in mid-2025.
- Between October and December 2025, at least 10 organizations in Southeast Asia were likely compromised; at least two state energy entities in the same country.
- TinyRCT implements AppDomainManager injection via a malicious DLL, HTTP beaconing every 10 seconds with AES-128-CBC encryption, and conditional self-deletion.
- The hybrid toolkit combines open-source tools (SoftEther VPN, Mimikatz, JuicyPotato) with custom malware, signaling technical maturation and investment in proprietary development.
Escalation from Web Hosting to Critical Infrastructure
Unit 42's reconstruction traces a defined operational path. Until mid-2025, activity attributed to CL-STA-1062 — or the overlapping UAT-7237 cluster — focused on web hosting infrastructure in Taiwan. In the second half of 2025, the group refocused operations.
In September 2025, Unit 42 detected the compromise of a government entity in Southeast Asia: deployment of web shells, data exfiltration from Microsoft SQL servers, and extended network reconnaissance reaching another government entity in the same country. In one case, attackers staged and exfiltrated an entire web server source code directory. Between October and December 2025, observation of at least 10 likely compromised organizations in the same geographic area completes the picture of a systematic operation.
The shift to critical energy infrastructure is documented by at least two compromised state energy entities in the same unnamed country. The dossier does not specify the initial access vector for these energy intrusions, nor does it identify the target country by name.
TinyRCT: Anatomy of a Custom Backdoor
TinyRCT represents the technical core of the group's evolution. Discovered as PerfWatson2.exe on an attacker-controlled server, it is a .NET binary delivered through a multi-stage deployment chain. The entry vector is a chrome_setup.zip archive: inside, a legitimate chrome_setup.exe executable loads a malicious MyAppDomainManager.dll via AppDomainManager injection, a technique that abuses the .NET runtime's configurable AppDomainManager to run attacker-supplied code inside a trusted process.
The loader DLL contacts IP address 139.180.134[.]221 to download the main payload. Once active, TinyRCT performs rigid environmental validation: it terminates immediately if not residing in %LOCALAPPDATA%. This mechanism reduces exposure in automated analysis environments.
The command-and-control channel is hosted on 45.32.113[.]172. Communication occurs over standard HTTP: instructions are polled with GET and data is exfiltrated with POST. Traffic is encrypted with AES-128-CBC; the key ThisIsASecretKey87654321 and a null initialization vector are hardcoded in the binary — a choice that simplifies forensic decoding of captured traffic, yet one that did not stop the malware from being effective in the intrusions observed. The default beaconing interval is 10 seconds.
Documented capabilities include: shell execution, file enumeration, file exfiltration, screenshot capture, remote management, and self-deletion. System collection covers username, machine name, OS version, local IPs, execution path, PID, and random GUID.
"From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit. While they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor." — Unit 42 (Palo Alto Networks)
Simplified Chinese Comments and Linguistic Fingerprint
An indirect attribution element resides in the binary's metadata. CyberSecurityNews reported the presence of a simplified Chinese comment inside TinyRCT's code. This evidence, combined with geopolitical targeting and infrastructural overlap with UAT-7237, feeds Unit 42's assessment of the group's linguistic origin. No infrastructural overlaps link CL-STA-1062 to specific Chinese state apparatuses at present: attribution remains at "Chinese-speaking," not a named government entity.
Hybrid Toolkit and Operational Pragmatism
Beyond TinyRCT, the group has employed a constellation of repurposed open-source tools. SoftEther VPN, Mimikatz, and VNT have been observed across multiple intrusions, often disguised as VMware executables or XDR agents to confuse behavioral analysis. JuicyPotato was used for privilege escalation. Staging and exfiltration leveraged password-protected RAR archives.
This combination reflects a pragmatic approach: public tools for initial access and lateral movement, proprietary malware for persistence and stealth. The investment in TinyRCT — with its anti-analysis logic, regular beaconing, and self-destruction capability — signals technical maturation compared to the more opportunistic operations documented in 2024.
Immediate Actions
- Monitor execution from non-standard paths: watch for .NET binary execution from %LOCALAPPDATA% or other user directories, with particular attention to processes loading DLLs named like MyAppDomainManager.dll.
- Analyze regular HTTP beacon traffic: identify fixed-interval communication patterns (approximately 10 seconds) to IPs outside the authorized perimeter, with alternating GET/POST and consistent payload sizes.
- Search for IoCs in the network: verify presence of the documented SHA256 hashes, the IPs 45.32.113[.]172 and 139.180.134[.]221, and the defanged URLs associated with the campaign.
- Hunt for ASPX web shells: conduct periodic scans of IIS servers and exposed web applications, given the group's preference for web shell deployment as a persistent access mechanism.
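The beacon-hunting step above, and the GET-poll/POST-exfiltrate cadence described in the C2 section, can be turned into a first-pass detector over proxy logs. The following is an added example, not code from Unit 42's report or from TinyRCT; the log format, the 10-second interval, the tolerance and the minimum request count are assumptions to tune for your own telemetry, and the sample log lines are constructed (198.51.100.7 stands in for a C2 host, 203.0.113.10 for a harmless intranet dashboard that also refreshes every 10 seconds).

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real telemetry): time, client, verb, server, bytes.
# 198.51.100.7 stands in for a C2 host; 203.0.113.10 is an ordinary intranet dashboard.
SAMPLE_LOG = """\
2025-11-03T09:00:10 10.0.5.21 GET  198.51.100.7 64
2025-11-03T09:00:20 10.0.5.21 POST 198.51.100.7 312
2025-11-03T09:00:30 10.0.5.21 GET  198.51.100.7 64
2025-11-03T09:00:40 10.0.5.21 POST 198.51.100.7 312
2025-11-03T09:00:00 10.0.5.33 GET  203.0.113.10 1412
2025-11-03T09:00:10 10.0.5.33 GET  203.0.113.10 58203
2025-11-03T09:00:20 10.0.5.33 GET  203.0.113.10 9021
2025-11-03T09:00:30 10.0.5.33 GET  203.0.113.10 77310
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    # Group (timestamp, verb, bytes) tuples by (client, server) pair.
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, dst, size = m.groups()
        events[(src, dst)].append((datetime.fromisoformat(ts), method, int(size)))
    return events

def find_beacons(text, expected_interval=10.0, tolerance=0.2, min_requests=4):
    """Return client/server pairs matching the fixed-interval GET/POST beacon pattern."""
    hits = []
    for (src, dst), evs in parse_log(text).items():
        if len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        # Fixed cadence: median gap near the expected interval, little spread between gaps.
        periodic = (abs(statistics.median(gaps) - expected_interval) <= tolerance * expected_interval
                    and statistics.pstdev(gaps) <= tolerance * expected_interval)
        # Verb pattern: the poll (GET) / result (POST) exchange switches verbs between most requests.
        switches = sum(a[1] != b[1] for a, b in zip(evs, evs[1:]))
        alternating = switches / len(gaps) >= 0.5
        # Payload sizes: a beacon sends near-identical bodies per verb, unlike real browsing.
        sizes = {v: {s for _, m, s in evs if m == v} for v in ("GET", "POST")}
        consistent = all(len(s) <= 2 for s in sizes.values())
        if periodic and alternating and consistent:
            hits.append({"src": src, "dst": dst, "median_gap_s": statistics.median(gaps), "requests": len(evs)})
    return hits
```

The dashboard traffic is just as periodic as the beacon, so the verb-switching and payload-size checks are what keep it out of the results; drop either one and the false positive returns.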
The Takeaway: An Actor Abandoning Opportunism
The CL-STA-1062 case is not the discovery of a new aggressor, but the documentation of a known actor that has scaled its ambitions. From web hosting in Taiwan to power plants in a Southeast Asian state, the trajectory indicates a redefinition of the operational mandate — or of the mandate's assignment. TinyRCT is not recycled malware: it is proprietary development, with stealth logic that betrays experience in Western defensive contexts. The question Unit 42's report leaves open, and that threat intelligence teams will need to address, is whether this escalation represents an individual group repositioning or an indicator of a broader redefinition of intelligence collection priorities in the region.
Frequently Asked Questions
Does TinyRCT exploit a zero-day vulnerability?
No. TinyRCT is custom malware, not a vulnerability exploit. The initial access vector is not specified in the dossier for the energy intrusions; for other campaigns, web shell usage is documented.
Why does the backdoor self-delete?
Self-deletion is a documented function that reduces the forensic surface available to analysts after deployment, increasing the likelihood of long-term stealth.
Has the target country been identified?
Sources use the formula "unnamed Southeast Asian country." The dossier does not explicitly name the state or states involved.
Sources
- https://thehackernews.com/2026/06/chinese-speaking-apt-deploys-new.html
- https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/
- https://cybersecuritynews.com/cl-sta-1062-hackers-use-tinyrct-backdoor/
- https://www.infosecurity-magazine.com/news/china-hackers-asian-cni-backdoor/
- https://gbhackers.com/tinyrct-backdoor-deployed/
Information verified against cited sources and current as of publication.