CL-STA-1062 is a Chinese-speaking threat actor cluster active since March 2022, targeting Southeast Asian governments and critical infrastructure, especially state-owned energy and government enterprises. Their toolkit includes open-source tools such as SoftEther VPN and Mimikatz, combined with a custom .NET backdoor called TinyRCT. TinyRCT provides capabilities for arbitrary command execution, file enumeration and exfiltration, screen capture, and self-destruct mechanisms. The infection vector involves exploiting web applications to deploy ASPX web shells, enabling initial access, followed by credential dumping and lateral movement within networks. The group has demonstrated sustained operations with at least ten organizations compromised in late 2025. There are no known exploits in the wild, and no patches or fixes are applicable as this is an adversary campaign rather than a software vulnerability.

The threat actor CL-STA-1062 compromises government and critical infrastructure organizations in Southeast Asia, enabling unauthorized command execution, credential theft, lateral movement, and data exfiltration. The use of a custom backdoor and multiple open-source tools facilitates persistent access and potential disruption or espionage against targeted entities. The impact includes loss of sensitive data, operational disruption, and potential damage to critical infrastructure sectors.

No official patches or fixes are applicable as this is an adversary campaign involving exploitation of web applications and deployment of malware. Organizations should focus on securing web applications against exploitation, monitoring for indicators of compromise such as ASPX web shells, and implementing strong credential protection and network segmentation to limit lateral movement. Refer to the vendor advisory and threat intelligence sources for updated detection and response guidance. Patch status is not applicable; mitigation relies on defensive security controls and incident response.