A sophisticated Chinese-speaking advanced persistent threat (APT) group has been identified deploying a novel backdoor named TinyRCT in cyber operations targeting government and critical infrastructure sectors in Southeast Asia. The hacking entity, referred to as CL-STA-1062, has been linked to past campaigns impacting state-owned enterprises within the energy and government sectors. These activities parallel those of UAT-7237, a group first noted by Cisco Talos in 2025 for attacking web infrastructure in Taiwan.
Ongoing Cyber Threats in East Asia
According to Palo Alto Networks Unit 42, CL-STA-1062 has been consistently targeting strategic industries across East Asia since March 2022. This suggests a sustained cyber threat presence in the region. The APT relies heavily on a mixed toolkit, employing both commonly available open-source resources like SoftEther VPN, Mimikatz, and VNT, alongside custom-developed tools such as the newly discovered TinyRCT.
The TinyRCT backdoor is engineered to perform various malicious activities, including executing arbitrary commands, file enumeration and exfiltration, screen capture, and self-deletion from compromised systems.
Details of Recent Attacks
In a notable September 2025 campaign, CL-STA-1062 successfully infiltrated a Southeast Asian government entity, using a web shell for data exfiltration from an MS SQL server. The campaign also involved reconnaissance activities on a separate government body within the same nation, indicating a strategy to expand access within the network. Unit 42 reported that the group breached at least ten organizations in the region between October and December 2025.
Since mid-2025, the group has focused on critical infrastructure, exploiting vulnerabilities and establishing persistence using ASPX web shells. These entry points allowed further deployment of payloads, including SoftEther VPN components and disguised RAR archives with additional tools.
Technical Analysis of TinyRCT
TinyRCT, identified as a previously unknown .NET backdoor, operates through a persistent channel with a remote server, utilizing AES-128 encryption for data exchange. The backdoor includes functionalities such as system reconnaissance, command execution, file transfer, and self-concealment.
The malware communicates with its command-and-control server using a beaconing model, with a default 10-second interval between exchanges. It retrieves instructions via GET requests while transmitting extracted data through POST requests.
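One way a defender can look for this fixed-cadence polling pattern in web-proxy logs, as an added example that is not from the Unit 42 report; the log format, client addresses and hostnames are constructed:

```python
# Added example (not from the report): flag clients whose outbound GET traffic
# to one destination recurs at a fixed ~10 s cadence, the beaconing pattern
# described above. Log lines, addresses and hostnames are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log sample: "<ISO timestamp> <client> <method> <host>"
SAMPLE_LOG = """\
2025-11-03T08:00:00 10.0.0.5 GET updates.example-c2.test
2025-11-03T08:00:10 10.0.0.5 GET updates.example-c2.test
2025-11-03T08:00:15 10.0.0.5 POST updates.example-c2.test
2025-11-03T08:00:20 10.0.0.5 GET updates.example-c2.test
2025-11-03T08:00:30 10.0.0.5 GET updates.example-c2.test
2025-11-03T08:00:40 10.0.0.5 GET updates.example-c2.test
2025-11-03T08:00:03 10.0.0.7 GET www.example.org
2025-11-03T08:02:41 10.0.0.7 GET www.example.org
2025-11-03T08:09:12 10.0.0.7 GET www.example.org
2025-11-03T08:09:30 10.0.0.7 GET www.example.org
"""

def parse(log):
    for line in log.splitlines():
        ts, client, method, host = line.split()
        yield datetime.fromisoformat(ts), client, method, host

def find_beacons(log, period=10.0, tolerance=1.0, min_requests=4):
    """Return {(client, host): (median_gap_seconds, post_count)} for
    client/host pairs whose GETs arrive at a steady interval near `period`."""
    gets = defaultdict(list)
    posts = defaultdict(int)
    for ts, client, method, host in parse(log):
        if method == "GET":
            gets[(client, host)].append(ts)
        elif method == "POST":
            posts[(client, host)] += 1
    hits = {}
    for key, times in gets.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        # Low jitter around the expected period is the tell; browsing is irregular.
        if abs(med - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = (med, posts[key])
    return hits
```

The POST count is reported alongside each hit because the page describes uploads of collected data interleaved with the GET polling; legitimate software also polls on fixed timers, so treat hits as triage candidates rather than verdicts.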
The delivery mechanism for TinyRCT involves a malicious archive disguised as “chrome_setup.zip,” containing a legitimate executable and a rogue DLL. This setup triggers an AppDomainManager injection attack to download and execute the backdoor.
Palo Alto Networks Unit 42 emphasizes that the presence of TinyRCT highlights the group’s capability to develop tailored tools to enhance their attack arsenal. Given the targeted nature of their campaigns and their custom malware development, the threat posed by CL-STA-1062 remains significant for Southeast Asia.
