CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure
Essential information
- Published
- 26/06/2026 01:11
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- cl-sta-1062 energy sector juicypotato mimikatz softether vpn tinyrct
- Related entities
- 6 indicators, 1 intrusion sets (apt), 19 techniques (mitre), 3 malware
Description
Throughout 2025, a Chinese-speaking threat cluster tracked as CL-STA-1062 conducted extensive operations against government entities and critical infrastructure in Southeast Asia, in particular state-owned enterprises in the energy and government sectors. Active since March 2022, the cluster was previously identified as UAT-7237 in campaigns against Taiwan's web hosting infrastructure. The attackers use a hybrid toolkit that combines open-source tools such as SoftEther VPN, Mimikatz, and VNT with a newly discovered custom backdoor called TinyRCT. This .NET-based backdoor supports arbitrary command execution, file enumeration and exfiltration, screen capture, and a self-destruct routine. The infection chain typically begins with exploitation of a web application to deploy ASPX web shells, followed by credential dumping, lateral movement, and data exfiltration. Between October and December 2025, at least ten organizations across Southeast Asia were compromised, demonstrating sustained regio...
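The chain described above starts with an ASPX web shell, and that is the earliest point at which a defender can usually catch it. The following is an added example, not code from the report or from its authors: a small IIS W3C log triage that flags POST requests to .aspx paths that are not in a known-good endpoint baseline, sit under a web-writable upload directory, or carry a query string on a POST. The log excerpt is constructed, and the baseline set (`KNOWN_ASPX`), the writable directories (`WRITABLE_DIRS`), and the field layout are assumptions a deployment would replace with its own. It is a generic web-shell heuristic, not a signature for TinyRCT or for this cluster.

```python
"""Triage IIS W3C extended logs for likely ASPX web-shell activity.

Added example for this page; not code from the CL-STA-1062 report.
SAMPLE_LOG is constructed traffic; KNOWN_ASPX and WRITABLE_DIRS are
assumptions standing in for a site's real endpoint inventory.
"""
from urllib.parse import unquote

# Constructed IIS log excerpt (W3C extended format, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-11-03 08:12:01 10.0.0.5 GET /portal/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-11-03 08:12:09 10.0.0.5 POST /portal/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2025-11-03 08:14:22 10.0.0.5 POST /portal/uploads/attachments/theme.aspx cmd=whoami 443 - 198.51.100.23 python-requests/2.31 200
2025-11-03 08:14:30 10.0.0.5 POST /portal/uploads/attachments/theme.aspx cmd=dir+C%3A%5C 443 - 198.51.100.23 python-requests/2.31 200
2025-11-03 08:15:01 10.0.0.5 GET /portal/dashboard.aspx - 443 jdoe 203.0.113.9 Mozilla/5.0 200
2025-11-03 08:16:44 10.0.0.5 POST /portal/uploads/attachments/theme.aspx cmd=net+user 443 - 198.51.100.23 python-requests/2.31 200
"""

# Assumed baseline: ASPX pages the application legitimately serves (lowercase).
KNOWN_ASPX = {"/portal/login.aspx", "/portal/dashboard.aspx"}
# Assumed: directories the web application can write to (upload targets).
WRITABLE_DIRS = ("/portal/uploads/",)


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        # Skip lines whose token count does not match the declared layout.
        if fields is None or len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def triage(log_text, known_aspx=KNOWN_ASPX, writable_dirs=WRITABLE_DIRS):
    """Return suspicious ASPX POST targets with counts, sources and reasons."""
    findings = {}
    for r in parse_w3c(log_text):
        stem = unquote(r["cs-uri-stem"]).lower()
        if r["cs-method"] != "POST" or not stem.endswith(".aspx"):
            continue
        reasons = set()
        if stem not in known_aspx:
            reasons.add("not in ASPX endpoint baseline")
        if stem.startswith(writable_dirs):
            reasons.add("lives under a web-writable upload path")
        query = r["cs-uri-query"]
        if query != "-":
            reasons.add("query string supplied on POST")
        if not reasons:
            continue
        hit = findings.setdefault(
            stem, {"posts": 0, "sources": set(), "statuses": set(),
                   "reasons": set(), "queries": []})
        hit["posts"] += 1
        hit["sources"].add(r["c-ip"])
        hit["statuses"].add(r["sc-status"])
        hit["reasons"] |= reasons
        if query != "-":
            # IIS writes '+' for spaces; decode for the analyst's benefit.
            hit["queries"].append(unquote(query.replace("+", " ")))
    return findings


if __name__ == "__main__":
    for stem, hit in triage(SAMPLE_LOG).items():
        print(f"{stem}: {hit['posts']} POSTs from {sorted(hit['sources'])}")
        for reason in sorted(hit["reasons"]):
            print(f"  - {reason}")
        for q in hit["queries"]:
            print(f"  query: {q}")
```

Any hit is a lead for file-system follow-up on the web server (creation time and owner of the flagged .aspx, and whether the worker process spawned cmd.exe or powershell.exe around those timestamps), which is the point at which the credential-dumping and lateral-movement stages described above become visible on the host.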