"From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit," Unit 42 said — and that hybrid now includes a previously undocumented .NET backdoor called TinyRCT.
CL-STA-1062 and the campaign profile in Southeast Asia
Palo Alto Networks Unit 42 attributes a string of intrusions against government entities and state-owned energy firms in Southeast Asia to a Chinese-speaking advanced persistent threat actor it calls CL-STA-1062. Unit 42 notes overlaps between CL-STA-1062 and a group labeled UAT-7237, which Cisco Talos first flagged in August 2025 in connection with web infrastructure targeting in Taiwan. Unit 42 also traces CL-STA-1062 activity back to operations against strategic sectors in East Asia since March 2022.
TinyRCT: a lightweight .NET backdoor with beaconing C2
Unit 42 discovered a bespoke backdoor it named TinyRCT (observed as "PerfWatson2.exe"). The backdoor is described as lightweight but capable: it can execute arbitrary commands, enumerate and exfiltrate files, capture screenshots, enable remote control, and remove itself from a compromised host. TinyRCT implements a beaconing model, polling a remote server at a default 10-second sleep interval. It uses HTTP GET requests to retrieve instructions and POST requests to send exfiltrated data, and it encrypts exchanged data using AES-128 in CBC mode. Unit 42 observed communication to an IP address listed as 45.32.113[.]172.
Delivery chain, toolset and persistence techniques
Unit 42 reports the attackers mix widely available open-source tools with custom code. Observed open-source and third-party utilities include SoftEther VPN, Mimikatz, VNT (a VPN), and Yuze (a SOCKS5 proxy). These were often disguised as benign executables such as "XDRAgent.exe," "vmtools.exe," and "vmwared.exe" or packaged in RAR archives.
TinyRCT was deployed via a malicious archive named "chrome_setup.zip" that contained a legitimate executable ("chrome_setup.exe"), a configuration file ("chrome_setup.exe.config"), and a rogue DLL ("MyAppDomainManager.dll"). Unit 42 says the DLL is used to trigger an AppDomainManager injection attack to load the malicious DLL, which acts as a downloader that contacts 139.180.134[.]221 to fetch "PerfWatson2.exe." Unit 42 also notes the backdoor takes steps to avoid running in sandboxed environments.
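The AppDomainManager technique above works because the .NET runtime honours an appDomainManagerAssembly/appDomainManagerType pair in the EXE's .config file and loads that assembly before the legitimate program's code runs. A defender can hunt for that layout on disk. The scanner below is an added example written for this article, not Unit 42's tooling; the config contents, the type name "MyAppDomainManager.Loader" and the directory layout are constructed sample data, since the report does not quote the file.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def find_appdomainmanager_configs(root_dir):
    """Return *.exe.config files under root_dir whose <runtime> names an AppDomainManager."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML: the runtime would not honour it either
            runtime = root.find("runtime")
            if runtime is None:
                continue
            asm = runtime.find("appDomainManagerAssembly")
            typ = runtime.find("appDomainManagerType")
            if asm is None or typ is None:
                continue
            # "Name, Version=..., Culture=..." -> just the assembly simple name
            asm_name = asm.get("value", "").split(",")[0].strip()
            # A same-named DLL beside the EXE is the sideloading layout seen in the report
            sibling = os.path.join(dirpath, asm_name + ".dll")
            findings.append({
                "config": path,
                "assembly": asm_name,
                "type": typ.get("value", ""),
                "dll_beside_exe": os.path.isfile(sibling),
            })
    return findings

def demo():
    """Build a constructed sample tree (not real artifacts) and scan it."""
    tmp = tempfile.mkdtemp()
    sus = os.path.join(tmp, "chrome_setup")
    os.makedirs(sus)
    with open(os.path.join(sus, "chrome_setup.exe.config"), "w") as f:
        f.write('<configuration><runtime>'
                '<appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, '
                'Culture=neutral, PublicKeyToken=null"/>'
                '<appDomainManagerType value="MyAppDomainManager.Loader"/>'  # constructed name
                '</runtime></configuration>')
    open(os.path.join(sus, "MyAppDomainManager.dll"), "wb").close()  # empty stand-in DLL
    with open(os.path.join(tmp, "benign.exe.config"), "w") as f:  # pins a runtime only
        f.write('<configuration><startup><supportedRuntime version="v4.0"/></startup></configuration>')
    return find_appdomainmanager_configs(tmp)
```

Run `demo()` to see the one flagged config; point `find_appdomainmanager_configs` at a Program Files or user profile tree to hunt across a host.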
Observed intrusions, web shells and data theft
Unit 42 describes a September 2025 campaign in which the actor breached a Southeast Asian government entity, deployed an ASPX web shell and exfiltrated data from an MS SQL server. In the same country the actors conducted network reconnaissance on a separate government entity, staging and exfiltrating an entire directory of web server source code in one case. Unit 42 detected the group breaching at least 10 different organizations in Southeast Asia between October and December 2025.
Since at least mid-2025, Unit 42 observed CL-STA-1062 scanning critical infrastructure entities in the region for vulnerabilities, using ASPX web shells to establish an initial foothold, and executing outbound requests from infected networks to attacker-controlled infrastructure. Those outbound connections led to additional payloads — including SoftEther components and archives containing the group's toolset.
What this means for technologists, government operators, and critical infrastructure owners
- Technologists and security teams: Expect a blended threat that pairs off-the-shelf tooling (SoftEther, VNT, Yuze, Mimikatz) with bespoke implants like TinyRCT. Detection efforts must account for AppDomainManager DLL injection, web-shell persistence and short beaconing intervals (default 10 seconds) to C2.
- Government operators and critical infrastructure owners: The actor has demonstrated the ability to exfiltrate MS SQL data and entire web server source directories after gaining access via ASPX web shells, indicating risk to code repositories and public-facing applications.
- Incident responders and network defenders: Indicators observed by Unit 42 include the downloader contact to 139.180.134[.]221, C2 at 45.32.113[.]172, and artifacts such as "chrome_setup.zip," "PerfWatson2.exe," and "MyAppDomainManager.dll" that can be hunted for in environments.
Unit 42 characterized the cluster as pragmatic in tool selection — leveraging open-source utilities for movement and reconnaissance while developing TinyRCT to deliver tailored capabilities. Unit 42's discovery of the backdoor and the group's repeated focus on energy and government targets suggest the actor intends to maintain operations in the region.
As Unit 42 concluded, the combination of targeting critical infrastructure and custom malware underlines an enduring threat. The record in Unit 42's analysis documents a hybrid approach — web shells and commodity tools to gain and expand access, followed by a bespoke implant designed for discreet, encrypted exfiltration and stealthy removal.