APT / THREAT GROUP
CL-STA-1020
1
aliases
Last seen:Jun 5, 2026
Intelligence Profile
CL-STA-1020 targets Southeast Asian government networks, employing AWS Lambda Function URLs configured with AuthType: NONE for stealthy command-and-control communication. The actor has been observed collecting sensitive information from governmental entities, including data on tariffs and trade disputes. An investigation revealed a new Windows backdoor named HazyBeacon, which utilizes this novel C2 technique. This activity cluster has demonstrated significant efforts to remain undetected while executing its operations.
Threat Analysis
CL-STA-1020 is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.
External References
Quick Facts
TypeAPT / Threat Group
Aliases1
SourceMalpedia
Also Known As
CL-STA-1020
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.