CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure
Palo Alto Networks, Thursday, June 25th, 2026
Unit 42 exposes CL-STA-1062, a Chinese-speaking group attacking Southeast Asian government and infrastructure targets.
This Unit 42 report details a campaign by Chinese-speaking threat actors tracked as CL-STA-1062, active since at least March 2022 against government entities and critical infrastructure in Southeast Asia.
The actors deployed a previously undocumented backdoor called TinyRCT alongside open-source tools such as SoftEther VPN and Mimikatz to compromise energy and government sector organizations.
Researchers analyze TinyRCT's capabilities, including command execution, file exfiltration, and screenshot capture. They assess the cluster as the same activity previously documented by Cisco Talos targeting Taiwanese infrastructure.