Date: 06/26/2026
Severity: High
Summary
Throughout 2025, the Chinese-speaking threat group CL-STA-1062 targeted Southeast Asian government entities and critical energy infrastructure. The group has been active since at least March 2022, showing a sustained regional focus. High-confidence assessments link it to UAT-7237, which attacked Taiwanese web hosting infrastructure in mid-2025, and earlier CL-STA-1062 operations also hit strategic sectors across East Asia, indicating a broad geographic scope. The group's toolkit mixes common open-source software with custom malware: alongside SoftEther VPN, Mimikatz, and VNT, it recently introduced a bespoke, previously undocumented backdoor called TinyRCT. Because much of the tooling is legitimate or open-source, the indicators below (staging URLs, infrastructure IPs, and file hashes) are the most direct detection handles this advisory provides.
Indicators of Compromise (IOC) List
Domains/URLs |
http://139.180.134.221/sdksdk608/1.zip
http://139.180.134.221/sdksdk608/anydesk%5f0117.zip
http://139.180.134.221/sdksdk608/hamcore.se2
http://139.180.134.221/sdksdk608/httpdf
http://139.180.134.221/sdksdk608/vpn%5fbridge.config
http://139.180.134.221/sdksdk608/win-vpn.rar
http://139.180.134.221/PerfWatson2.exe
|
IP Addresses |
139.180.134.221
202.182.102.5
45.76.210.43
45.32.113.172
|
Hashes (SHA-256) |
00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c
f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1
dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b
cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3
4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384
9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (staging URLs) : |
domainname like "http://139.180.134.221/sdksdk608/win-vpn.rar" or url like "http://139.180.134.221/sdksdk608/win-vpn.rar" or siteurl like "http://139.180.134.221/sdksdk608/win-vpn.rar"
or domainname like "http://139.180.134.221/sdksdk608/httpdf" or url like "http://139.180.134.221/sdksdk608/httpdf" or siteurl like "http://139.180.134.221/sdksdk608/httpdf"
or domainname like "http://139.180.134.221/sdksdk608/hamcore.se2" or url like "http://139.180.134.221/sdksdk608/hamcore.se2" or siteurl like "http://139.180.134.221/sdksdk608/hamcore.se2"
or domainname like "http://139.180.134.221/sdksdk608/vpn%5fbridge.config" or url like "http://139.180.134.221/sdksdk608/vpn%5fbridge.config" or siteurl like "http://139.180.134.221/sdksdk608/vpn%5fbridge.config"
or domainname like "http://139.180.134.221/sdksdk608/1.zip" or url like "http://139.180.134.221/sdksdk608/1.zip" or siteurl like "http://139.180.134.221/sdksdk608/1.zip"
or domainname like "http://139.180.134.221/sdksdk608/anydesk%5f0117.zip" or url like "http://139.180.134.221/sdksdk608/anydesk%5f0117.zip" or siteurl like "http://139.180.134.221/sdksdk608/anydesk%5f0117.zip"
or domainname like "http://139.180.134.221/PerfWatson2.exe" or url like "http://139.180.134.221/PerfWatson2.exe" or siteurl like "http://139.180.134.221/PerfWatson2.exe"
|
Detection Query 2 (infrastructure IPs, either direction) : |
dstipaddress IN ("139.180.134.221","45.32.113.172","202.182.102.5","45.76.210.43")
or srcipaddress IN ("139.180.134.221","45.32.113.172","202.182.102.5","45.76.210.43")
|
Detection Query 3 (file hashes) : |
sha256hash IN ("9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472","00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c","dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b","cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3","f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1","4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384")
|
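For analysts who do not have the TDIR product, the same three checks (URL, IP, SHA-256) can be run over exported logs. The script below is an added example written for this page; it is not Gurucul's or Unit 42's code. It carries the IOC list above and applies two normalizations the literal queries do not: URLs are percent-decoded before comparison, so the staging path listed as vpn%5fbridge.config also matches a proxy that logged it as vpn_bridge.config, and hashes are compared case-insensitively, since EDR products differ in hex casing. The key=value log format and the field names (src, dst, url, sha256) are assumptions about the data source; the log lines are constructed for illustration.

```python
"""Match the CL-STA-1062 IOCs against key=value log records.

Added example for this advisory page, not vendor code. Field names and the
sample log lines below are constructed assumptions about a log schema.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Indicators exactly as published in the advisory above.
IOC_URLS = {
    "http://139.180.134.221/sdksdk608/1.zip",
    "http://139.180.134.221/sdksdk608/anydesk%5f0117.zip",
    "http://139.180.134.221/sdksdk608/hamcore.se2",
    "http://139.180.134.221/sdksdk608/httpdf",
    "http://139.180.134.221/sdksdk608/vpn%5fbridge.config",
    "http://139.180.134.221/sdksdk608/win-vpn.rar",
    "http://139.180.134.221/PerfWatson2.exe",
}
IOC_IPS = {"139.180.134.221", "202.182.102.5", "45.76.210.43", "45.32.113.172"}
IOC_SHA256 = {
    "00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c",
    "f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1",
    "dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b",
    "cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3",
    "4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384",
    "9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472",
}

KV_RE = re.compile(r"(\w+)=(\S+)")
# Assumed field names; adjust to the real log schema (e.g. srcipaddress/dstipaddress).
IP_FIELDS = ("src", "dst", "srcipaddress", "dstipaddress")


def normalize_url(url: str) -> str:
    """Canonical form for comparison: lower-cased scheme and host, percent-decoded
    path, query string and fragment dropped. This makes the advisory's encoded
    'vpn%5fbridge.config' equal to a proxy's decoded 'vpn_bridge.config'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    return f"{parts.scheme.lower()}://{host}{unquote(parts.path)}"


URL_SET = {normalize_url(u) for u in IOC_URLS}
HASH_SET = {h.lower() for h in IOC_SHA256}


def parse_record(line: str) -> dict:
    """Split one space-separated key=value record into a dict (constructed format)."""
    return dict(KV_RE.findall(line))


def match_record(record: dict) -> list:
    """Return (indicator_type, value) pairs for every IOC found in one record."""
    hits = []
    for field in IP_FIELDS:
        if field not in record:
            continue
        try:
            ip = str(ipaddress.ip_address(record[field]))  # reject junk, canonicalize
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    if "url" in record and normalize_url(record["url"]) in URL_SET:
        hits.append(("url", record["url"]))
    if "sha256" in record and record["sha256"].lower() in HASH_SET:
        hits.append(("sha256", record["sha256"].lower()))
    return hits


def scan(lines) -> list:
    """Scan log lines; return (line_index, indicator_type, value) tuples."""
    results = []
    for n, line in enumerate(lines):
        for kind, value in match_record(parse_record(line)):
            results.append((n, kind, value))
    return results


# Constructed sample records: a decoded staging URL, a benign fetch, an
# upper-case EDR hash, a firewall hit on a C2 IP, and benign DNS traffic.
SAMPLE_LOGS = [
    "ts=2025-03-04T02:11:09Z type=proxy src=10.20.1.15 dst=139.180.134.221 url=http://139.180.134.221/sdksdk608/vpn_bridge.config",
    "ts=2025-03-04T02:11:10Z type=proxy src=10.20.1.15 dst=93.184.216.34 url=http://example.com/index.html",
    "ts=2025-03-04T02:12:44Z type=edr host=WS-0412 sha256=4E1F8888D020DECD09799EC946F1BF677CAC6612B24582DDBF4D8EDE425D8384 image=C:\\Users\\Public\\PerfWatson2.exe",
    "ts=2025-03-04T02:13:01Z type=firewall src=10.20.1.15 dst=45.32.113.172 dport=443 action=allow",
    "ts=2025-03-04T02:13:05Z type=firewall src=10.20.1.16 dst=8.8.8.8 dport=53 action=allow",
]

if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value}")
```

The IP match is deliberately applied to both source and destination fields, mirroring Detection Query 2, because VPN relays such as SoftEther produce inbound as well as outbound connections. Treat IP and hash hits as leads rather than verdicts: hosting addresses are reassigned over time and a rebuilt binary changes its hash, so a clean result on these three sets does not rule the activity out.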
Reference:
https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/