CL-STA-1062
CL-STA-1062 is a Chinese-speaking threat activity cluster tracked by Palo Alto Networks Unit 42, assessed with high confidence to be the same cluster Cisco Talos tracks as UAT-7237. The group has been active since at least March 2022 and has conducted sustained espionage-focused operations across East and Southeast Asia. Reported targeting includes government entities, state-owned enterprises, and critical infrastructure organizations, particularly state-owned critical energy infrastructure in Southeast Asia; Cisco Talos previously reported the same cluster targeting web hosting infrastructure in Taiwan in mid-2025.

Observed tradecraft includes exploitation of web applications to deploy ASPX web shells, reconnaissance, lateral movement, staging and exfiltration of data, and use of outbound connections to attacker-controlled infrastructure to download payloads. Unit 42 observed exfiltration of database information and web server source code, network and system enumeration output sent directly to actor-controlled infrastructure with curl, and use of traceroute to identify lateral movement paths. The cluster used a hybrid toolkit combining open-source and publicly available tools including SoftEther VPN, VNT, yuze, Mimikatz, and JuicyPotato, with some tools disguised as legitimate system files such as VMware executables or an XDR agent. The actors frequently staged data in password-protected RAR archives.

A custom malware family associated with the cluster is TinyRCT, a previously undocumented C#/.NET Windows remote access Trojan also observed as PerfWatson2.exe. TinyRCT supports arbitrary command execution, file enumeration and exfiltration, screenshot capture, remote host management, encrypted HTTP command-and-control, and a self-destruct routine intended to remove forensic evidence.

Unit 42 also reconstructed an infection chain using a malicious chrome_setup.zip archive containing a legitimate signed executable, a malicious .config file, and MyAppDomainManager.dll to perform AppDomainManager Injection, download PerfWatson2.exe, and establish persistence via a scheduled task. Known alias: UAT-7237.
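The AppDomainManager Injection step above relies on a documented .NET loading behaviour: when a .NET executable starts, the CLR reads the adjacent `<exe>.config`, and if its `<runtime>` section sets `appDomainManagerAssembly` and `appDomainManagerType`, the named assembly is loaded and the named type instantiated before `Main()` runs. Dropping a signed executable, a crafted `.config`, and a DLL side by side therefore yields code execution under the signed binary's identity. The following hunt script is an added example written for this page, not code from Unit 42, Cisco Talos, or the actor: it walks a directory tree, parses every `*.exe.config`, and flags configs that set those keys, noting whether the referenced assembly is staged next to the executable. The sample tree it builds (the `signed_host.exe` placeholder, the `MyAppDomainManager.Manager` type name, and the benign `app.exe.config`) is constructed for the self-test and is not taken from the reporting.

```python
"""Hunt for AppDomainManager injection staging on disk (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

RUNTIME_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed sample: the shape of a config that redirects the CLR to an
# attacker-supplied AppDomainManager. The type name is hypothetical.
MALICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager.Manager" />
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def parse_config_text(text):
    """Return {key: value} for AppDomainManager keys under <runtime>, or {}."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return {}  # not XML at all; nothing for the CLR to honour
    found = {}
    for runtime in root.iter("runtime"):
        for key in RUNTIME_KEYS:
            el = runtime.find(key)
            if el is not None and el.get("value"):
                found[key] = el.get("value")
    return found


def parse_config(path):
    with open(path, "rb") as f:
        return parse_config_text(f.read())


def assembly_name(assembly_string):
    """'MyAppDomainManager, Version=1.0.0.0, ...' -> 'MyAppDomainManager'."""
    return assembly_string.split(",", 1)[0].strip()


def scan_tree(root_dir):
    """Return one finding per *.exe.config that names an AppDomainManager."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".exe.config"):
                continue
            cfg_path = os.path.join(dirpath, name)
            keys = parse_config(cfg_path)
            if "appDomainManagerAssembly" not in keys:
                continue
            exe_path = cfg_path[: -len(".config")]
            dll_name = assembly_name(keys["appDomainManagerAssembly"]) + ".dll"
            findings.append({
                "config": cfg_path,
                "exe_present": os.path.exists(exe_path),
                "assembly": keys["appDomainManagerAssembly"],
                "type": keys.get("appDomainManagerType", ""),
                # The DLL sitting beside the exe is the tell for a staged chain.
                "dll_beside_exe": os.path.exists(os.path.join(dirpath, dll_name)),
            })
    return findings


def build_demo_tree(base):
    """Write a constructed sample tree (empty placeholder files, not malware)."""
    staged = os.path.join(base, "staged")
    os.makedirs(staged)
    open(os.path.join(staged, "signed_host.exe"), "wb").close()
    open(os.path.join(staged, "MyAppDomainManager.dll"), "wb").close()
    with open(os.path.join(staged, "signed_host.exe.config"), "w") as f:
        f.write(MALICIOUS_CONFIG)
    benign = os.path.join(base, "ok")
    os.makedirs(benign)
    with open(os.path.join(benign, "app.exe.config"), "w") as f:
        f.write(BENIGN_CONFIG)


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        return scan_tree(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point the scanner at user-writable locations where a downloaded archive would be unpacked (Downloads, Temp, ProgramData). A hit where the executable is signed by a well-known vendor but the referenced DLL is unsigned, freshly written, and not a product component is the pattern described above. Note the caveat that the same redirection can also be set through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which this file-based scan does not cover; pair it with process-creation telemetry that captures the environment of newly started .NET processes.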
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Utilities
Tradecraft
24 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
19 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Espionage activity targeting Southeast Asian government entities and critical infrastructure using a hybrid toolkit that includes the custom TinyRCT backdoor.
Persistent activity cluster conducting intrusions against government entities, state-owned enterprises, and critical energy infrastructure across Southeast Asia and East Asia, using web shells, open-source tunneling tools, and the custom TinyRCT backdoor for espionage and data exfiltration.