Chinese-speaking advanced persistent threat group CL-STA-1062 has expanded its operations to government and energy networks in Southeast Asia, combining open-source tooling with a custom backdoor called TinyRCT. The group has been active since at least March 2022, initially against targets in East Asia, and from mid-2025 onward its focus has shifted to Southeast Asian entities. Researchers at Palo Alto Networks Unit 42 have published a detailed report on the activity; the same cluster has been tracked by Cisco Talos as UAT-7237 in earlier campaigns. The pairing of custom malware with widely available open-source tools lets the group blend into ordinary administrative and red-team traffic while retaining its own persistent access, which is what makes the activity both adaptable and hard to attribute from tooling alone. For defenders in the affected sectors, the practical consequence is that the threat model moves from opportunistic crime to state-aligned, geopolitically motivated intrusion: long dwell times, patient lateral movement and targeting chosen for strategic value rather than for quick monetization, all of which call for a different posture in detection, response and prioritization. The expansion of CL-STA-1062 into critical infrastructure in Southeast Asia matters to practitioners because it is a concrete case of a nation-state actor reaching targets that previously sat outside its observed scope.