DEV Community

Mark0
CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure

This report details the persistent activities of CL-STA-1062, a Chinese-speaking threat actor group also known as UAT-7237, which has been actively targeting government entities and critical infrastructure in Southeast Asia and East Asia since 2022. The group primarily focuses on the energy and government sectors. Their advanced toolkit combines widely available open-source tools, such as SoftEther VPN and VNT, with a previously undocumented bespoke backdoor identified as TinyRCT.

TinyRCT is a lightweight, C#-based Remote Access Trojan (RAT) designed for surveillance and remote management. Its capabilities include executing arbitrary commands, enumerating and exfiltrating files, capturing screenshots, and a self-destruct mechanism to erase forensic evidence. Initial compromise typically involves exploiting web applications to deploy web shells, followed by network reconnaissance, privilege escalation using tools like JuicyPotato, and exfiltration of data that is often compressed into password-protected archives. The infection chain for TinyRCT leverages AppDomainManager Injection via a malicious chrome_setup.zip archive, achieving persistence through a scheduled task.

The CL-STA-1062 group's blend of established open-source tools and custom malware, alongside their strategic targeting of critical infrastructure, highlights an evolving and significant cyber threat. Organizations in the Asia-Pacific region, particularly within the energy and government sectors, are advised to enhance their vigilance and defensive measures against these sophisticated and sustained campaigns.
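The AppDomainManager Injection step in the infection chain above is also the one that leaves a recognisable artefact on disk: a .NET application configuration file that redirects the runtime to a custom AppDomainManager assembly and type, with that assembly dropped beside the executable. The scanner below is an added example and is not code from the original post or from the report it summarises. It relies only on the documented `appDomainManagerAssembly` and `appDomainManagerType` runtime settings of .NET Framework app configs; every file name and file content in it is constructed sample data, not an indicator from the report.

```python
"""Find .NET app configs that redirect the AppDomainManager.

Added example (not from the original post or the report). It assumes the
documented <runtime> keys appDomainManagerAssembly / appDomainManagerType;
the directory layout, file names and contents below are constructed.
"""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


@dataclass
class Finding:
    config_path: str
    assembly: str
    manager_type: str
    sideloaded_dll_present: bool  # named assembly sits next to the exe?


def _runtime_setting(root: ET.Element, name: str) -> Optional[str]:
    # Both keys live under <configuration><runtime> with a 'value' attribute.
    node = root.find(f"./runtime/{name}")
    return node.get("value") if node is not None else None


def scan_configs(root_dir: Path) -> List[Finding]:
    """Walk root_dir and report every *.config that names an AppDomainManager."""
    findings: List[Finding] = []
    for path in sorted(root_dir.rglob("*.config")):
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # not parseable XML, so not a .NET app config
        asm = _runtime_setting(root, "appDomainManagerAssembly")
        typ = _runtime_setting(root, "appDomainManagerType")
        if asm is None and typ is None:
            continue
        # Full name is "Name, Version=..., Culture=..., PublicKeyToken=...";
        # the loader resolves the simple name to Name.dll in the app directory.
        simple_name = (asm or "").split(",")[0].strip()
        dll_present = bool(simple_name) and (path.parent / f"{simple_name}.dll").exists()
        findings.append(Finding(str(path), asm or "", typ or "", dll_present))
    return findings


# Constructed sample configs (not indicators from the report).
CONSTRUCTED_MALICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>"""

CONSTRUCTED_BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""


def demo() -> List[Finding]:
    """Build a constructed directory tree and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        suspicious = root / "extracted_archive"  # constructed name
        suspicious.mkdir()
        (suspicious / "sample_setup.exe.config").write_text(CONSTRUCTED_MALICIOUS_CONFIG)
        # Placeholder bytes standing in for the sideloaded manager DLL.
        (suspicious / "UpdateHelper.dll").write_bytes(b"MZ constructed placeholder")
        benign = root / "normal_app"
        benign.mkdir()
        (benign / "normal_app.exe.config").write_text(CONSTRUCTED_BENIGN_CONFIG)
        return scan_configs(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.config_path}: manager={f.manager_type} "
              f"assembly={f.assembly!r} dll_present={f.sideloaded_dll_present}")
```

Point the scanner at user-writable locations where archives get unpacked (download and temp folders, per-user app directories) and triage any hit where the named assembly is present beside the executable and not part of a known installed product. The config file is only one of the two documented activation routes; the same redirection can be set through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which this file-based check does not see, so pair it with process-environment or scheduled-task inspection when hunting for the persistence described above.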
