"The encryption key (ThisIsASecretKey87654321) and a null Initialization Vector (IV) are hard-coded directly within the binary." — Unit 42, Palo Alto Networks
Who CL-STA-1062 has been targeting and when
Unit 42 observed a coordinated campaign throughout 2025 that targeted state-owned enterprises in the energy and government sectors in Southeast Asia. The cluster, tracked as CL-STA-1062 and active since at least March 2022, was assessed with high confidence to be the same activity Cisco Talos labeled UAT-7237 for its mid-2025 campaigns against web hosting infrastructure in Taiwan. Unit 42 reports that, between October and December 2025, at least ten different organizations in Southeast Asia were likely compromised, and in September 2025 attackers deployed web shells and exfiltrated database information from a Southeast Asian government entity.
Tactics observed across the attack lifecycle
Intrusions typically began with exploitation of web applications to deploy ASPX web shells, which actors used for arbitrary command execution, to drop additional tooling and to perform reconnaissance. Unit 42 recorded curl commands that sent enumeration results directly to actor-controlled IP addresses. The cluster used a blend of open-source and custom tools — frequent items included SoftEther VPN, Mimikatz and VNT — and operators adapted techniques to the target environment, disguising tunneling binaries as legitimate system files such as VMware executables or an XDR agent.
The TinyRCT backdoor: capabilities, fingerprints, and infrastructure
Unit 42 recovered a previously undocumented .NET backdoor, identified internally as TinyRCT, hosted on infrastructure at 139.180.134[.]221. TinyRCT is a lightweight C# RAT with capabilities for arbitrary command execution, file enumeration and exfiltration, screen capture and a self-destruct mechanism that removes forensic artifacts. Notable technical details published by Unit 42 include:
- Environment checks: the binary terminates unless executed from %LOCALAPPDATA%; the loader validates execution from %USERPROFILE%\Downloads before fetching the payload.
- Command-and-control: TinyRCT registers to a C2 at 45.32.113[.]172 using HTTP and beacons on a default 10-second sleep interval; communication is encrypted with AES-128-CBC using a hard-coded key (ThisIsASecretKey87654321) and a null IV.
- Command set: shell execution via cmd.exe, configuration updates (sleep interval), directory/file listing, read text file, download file, exfiltrate binary files (gzip + AES, sent in 40 KB chunks), screen capture (JPEG → gzip → AES), and self-destruct, which deletes a scheduled task and removes the executable using a choice.exe delay sequence.
- Persistence and loader behavior: the initial delivery used chrome_setup.zip containing a legitimate chrome_setup.exe, a malicious chrome_setup.exe.config, and a MyAppDomainManager.dll that performs AppDomainManager injection; the loader saves PerfWatson2.exe to %LOCALAPPDATA% and creates a scheduled task named GoogleUpdaterTaskSystem140.0.7272.0{ACE7A46F-50FD-481C-AB32-3D838871DB40} configured to run at logon with highest privileges.
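One way to hunt for the persistence chain described in the list above, added here as an example and not Unit 42's code or tooling: it parses an exported application .config for the CLR's appDomainManagerAssembly/appDomainManagerType settings (the AppDomainManager injection mechanism) and an exported Task Scheduler XML for the combination of an updater-lookalike name, an action under a user-writable directory, a logon trigger and RunLevel HighestAvailable. The sample config and task XML are constructed from the report's description; the user name, the benign updater path, and the assumption that the genuine Google updater registers tasks with the same naming scheme (so the name alone is not treated as a hit) are mine, not the report's.

```python
"""Hunt for the TinyRCT persistence chain in exported Windows artifacts (Python 3, stdlib only)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Task name shape from the report. The genuine Google updater registers tasks with the same
# naming scheme (assumption), so the name only counts when paired with an odd action path.
UPDATER_NAME = re.compile(r"GoogleUpdaterTaskSystem\d+(?:\.\d+)*\{[0-9A-F-]+\}", re.I)
LEGIT_GOOGLE_DIR = re.compile(r"^[A-Z]:\\Program Files(?: \(x86\))?\\Google\\", re.I)
USER_WRITABLE_DIR = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Downloads\\|\\Temp\\", re.I)


def appdomain_manager_findings(config_xml: str) -> list[str]:
    """Report an application .config that points the CLR at a custom AppDomainManager,
    the mechanism chrome_setup.exe.config used to load MyAppDomainManager.dll."""
    root = ET.fromstring(config_xml)
    return [f"{tag}={el.get('value')}"
            for tag in ("appDomainManagerAssembly", "appDomainManagerType")
            for el in root.iter(tag)]


def scheduled_task_findings(task_xml: str) -> list[str]:
    """Report the traits of the PerfWatson2 task: updater-lookalike name with an action
    outside Program Files\\Google, action under a user-writable directory, logon trigger,
    and RunLevel HighestAvailable."""
    root = ET.fromstring(task_xml)
    uri = root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}URI") or ""
    name = uri.rsplit("\\", 1)[-1]
    commands = [c.text or "" for c in root.iter(f"{TASK_NS}Command")]
    findings = []
    if UPDATER_NAME.search(name) and not all(LEGIT_GOOGLE_DIR.match(c) for c in commands):
        findings.append(f"updater-lookalike task '{name}' runs outside Program Files\\Google")
    for c in commands:
        if USER_WRITABLE_DIR.search(c):
            findings.append(f"action runs from user-writable path: {c}")
    if root.find(f".//{TASK_NS}LogonTrigger") is not None:
        findings.append("triggers at logon")
    if root.findtext(f".//{TASK_NS}RunLevel") == "HighestAvailable":
        findings.append("requests highest privileges")
    return findings


# Constructed samples modelled on the report's description; not captured artifacts.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
  </runtime>
</configuration>"""

SAMPLE_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\GoogleUpdaterTaskSystem140.0.7272.0{ACE7A46F-50FD-481C-AB32-3D838871DB40}</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\alice\\AppData\\Local\\PerfWatson2.exe</Command></Exec></Actions>
</Task>"""

# A benign updater task (path is an assumption) to show that the name alone is not a hit.
BENIGN_TASK = SAMPLE_TASK.replace("C:\\Users\\alice\\AppData\\Local\\PerfWatson2.exe",
                                  "C:\\Program Files (x86)\\Google\\GoogleUpdater\\updater.exe")

if __name__ == "__main__":
    print(appdomain_manager_findings(SAMPLE_CONFIG))
    print(scheduled_task_findings(SAMPLE_TASK))
    print(scheduled_task_findings(BENIGN_TASK))
```

The benign task still reports its logon trigger and run level, which is expected: those two traits are common to legitimate updaters, and it is the pairing with a user-writable action path (or a lookalike name pointing outside Program Files\Google) that turns them into a signal worth triaging.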
Indicators of compromise and infrastructure that defenders can watch
Unit 42 published network and file indicators tied to this activity cluster. Key IPv4 addresses include 139.180.134[.]221 and 45.32.113[.]172; other addresses observed were 202.182.102[.]5 and 45.76.210[.]43. URLs on the 139.180.134[.]221 host included hxxp[:]//139.180.134[.]221/PerfWatson2.exe and multiple archive and SoftEther-related paths (for example, /sdksdk608/win-vpn.rar). File hashes released include chrome_setup.zip (00e09754...), TinyRCT (4e1f8888...), and the TinyRCT downloader (cbfe8de6...), among others listed by Unit 42.
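A sweep of proxy log lines against the published indicators, added here as an example that is not part of the Unit 42 report: it refangs the defanged IPs and URLs above, matches requests against them, flags source/host pairs whose request cadence sits on the 10-second default beacon interval described for TinyRCT (which also catches a C2 host not yet on any list), and flags the curl-to-external-host pattern used for enumeration uploads. The log format, the internal 10.20.x.x addresses, the TEST-NET host 203.0.113.9, the request paths and the allowlist are all constructed for the example.

```python
"""Refang the published indicators and sweep proxy log lines for them (Python 3, stdlib only)."""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Defanged network indicators as published in the Unit 42 report.
DEFANGED_IPS = ["139.180.134[.]221", "45.32.113[.]172", "202.182.102[.]5", "45.76.210[.]43"]
DEFANGED_URLS = ["hxxp[:]//139.180.134[.]221/PerfWatson2.exe",
                 "hxxp[:]//139.180.134[.]221/sdksdk608/win-vpn.rar"]


def refang(indicator: str) -> str:
    """Undo the usual defanging: [.] -> ., [:] -> :, hxxp(s) -> http(s)."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_URLS = {refang(u) for u in DEFANGED_URLS}

# Constructed proxy log format: timestamp src method url status "user-agent".
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$')


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec


def ioc_hits(lines):
    """Exact URL matches first, then any request whose host is a listed IP."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["url"] in IOC_URLS:
            hits.append((rec["src"], rec["url"]))
        elif rec["host"] in IOC_IPS:
            hits.append((rec["src"], rec["host"]))
    return hits


def beacon_candidates(lines, period=10.0, tolerance=2.0, min_intervals=2):
    """Flag (src, host) pairs whose request gaps cluster on `period` seconds, the report's
    default TinyRCT sleep interval; this needs no indicator list at all."""
    stamps = {}
    for rec in filter(None, map(parse_line, lines)):
        stamps.setdefault((rec["src"], rec["host"]), []).append(rec["ts"])
    flagged = []
    for pair, ts in stamps.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if sum(abs(g - period) <= tolerance for g in gaps) >= min_intervals:
            flagged.append(pair)
    return flagged


def curl_to_unknown_hosts(lines, allowlist):
    """The enumeration-upload pattern: a curl user agent talking to a host not on the allowlist."""
    return [(rec["src"], rec["host"]) for rec in filter(None, map(parse_line, lines))
            if rec["ua"].lower().startswith("curl/") and rec["host"] not in allowlist]


# Constructed log lines; the 10.20.x.x sources, 203.0.113.9 and the request paths are made up.
SAMPLE_LOG = """\
2025-11-03T08:12:41Z 10.20.4.17 GET http://139.180.134.221/PerfWatson2.exe 200 "Mozilla/5.0"
2025-11-03T08:13:02Z 10.20.4.17 POST http://45.32.113.172/ 200 "Mozilla/5.0"
2025-11-03T08:13:12Z 10.20.4.17 POST http://45.32.113.172/ 200 "Mozilla/5.0"
2025-11-03T08:13:22Z 10.20.4.17 POST http://45.32.113.172/ 200 "Mozilla/5.0"
2025-11-03T09:01:10Z 10.20.7.3 POST http://203.0.113.9/r 200 "curl/8.4.0"
2025-11-03T09:05:00Z 10.20.7.3 GET https://www.example.com/ 200 "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    print(ioc_hits(SAMPLE_LOG))
    print(beacon_candidates(SAMPLE_LOG))
    print(curl_to_unknown_hosts(SAMPLE_LOG, allowlist={"www.example.com"}))
```

The cadence check deliberately tolerates a couple of seconds of jitter and requires at least two regular gaps, so a single pair of requests that happen to be ten seconds apart does not fire; tune period, tolerance and min_intervals to the sleep value an operator may have changed through the configuration-update command.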
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Unit 42 notes that execution can be blocked by strict behavioral monitoring and execution restrictions on untrusted binaries; Cortex XDR and XSIAM protections and Advanced WildFire updates are specifically cited as defenses that detect or prevent TinyRCT execution and related tooling. Teams should look for AppDomainManager injection patterns, scheduled tasks named like GoogleUpdaterTaskSystem..., and outbound connections to the provided IPs and URLs.
- Policymakers and regulators: the activity focused on state-owned energy and government targets and built on operations spanning East Asia since 2022; this sustained targeting of critical infrastructure and government systems highlights cross-border operational persistence tied to a single identified cluster.
- Affected enterprises (energy and government organizations in Southeast Asia): Unit 42’s telemetry shows full lifecycle intrusions leading to data exfiltration, staged source-code theft from web servers, and lateral reconnaissance between government entities. Organizations concerned about compromise are directed to contact Unit 42 Incident Response using the regional contact numbers provided by Palo Alto Networks.
The record Unit 42 provides ties a pragmatic toolset — open-source tunneling and credential tools — to a bespoke .NET backdoor with hard-coded cryptography and environment checks that hinder analysis. Those specifics — the AppDomainManager delivery, the scheduler and task name, the PerfWatson2 executable and the hard-coded AES key — give defenders concrete signals to hunt. Unit 42 has shared these findings with the Cyber Threat Alliance to accelerate protections; organizations in the affected sectors should use the published IPs, URLs and hashes to search logs and consider the countermeasures referenced by Unit 42.