Chinese-Speaking APT Strengthens Attacks with TinyRCT Backdoor Targeting Southeast Asia’s Critical Infrastructure
Recent cybersecurity developments have revealed that a Chinese-speaking advanced persistent threat (APT) actor, identified as CL-STA-1062, is employing a new custom backdoor known as TinyRCT. This backdoor is part of a series of cyber attacks directed at government entities and critical infrastructure across Southeast Asia, particularly targeting state-owned enterprises in the energy and government sectors.
Background on CL-STA-1062
Palo Alto Networks’ Unit 42 has linked CL-STA-1062 to previous campaigns that have been active since March 2022, indicating a sustained focus on strategic sectors in East Asia. The group has notable overlaps with UAT-7237, a hacking collective first flagged by Cisco Talos in August 2025 for its operations against web infrastructure entities in Taiwan. This connection underscores a broader trend of state-sponsored cyber activities aimed at destabilizing regional governance and infrastructure.
Technical Overview of TinyRCT
TinyRCT is a sophisticated backdoor that enables attackers to execute arbitrary commands, enumerate files, capture device screens, and self-delete from compromised hosts. The group operates with a hybrid toolkit that combines well-known open-source tools such as SoftEther VPN, Mimikatz, and VNT with the bespoke TinyRCT backdoor.
Unit 42’s technical report highlights that TinyRCT is capable of establishing a persistent communication channel with a remote server over HTTP, employing AES-128 encryption in CBC mode to secure data exchanges. The malware operates on a beaconing model, polling the command and control (C2) server for instructions every ten seconds, while exfiltrating data via POST requests.
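As an added illustration (not code from Unit 42's report), the polling cadence described above can be turned into a simple beaconing check over HTTP proxy logs: the script groups requests by client/destination pair and flags pairs whose inter-request gap sits close to ten seconds with little jitter. The log lines, addresses and URIs are constructed; the log format is assumed.

```python
"""Flag HTTP clients that poll one destination at a near-constant interval.
TinyRCT's reported cadence is ten seconds; the log below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src> <dst> <method> <uri>" per line.
# The first client shows a fixed 10 s POST cadence; the second browses normally.
SAMPLE_LOG = """\
2025-11-03T09:00:00 10.0.0.5 203.0.113.10 POST /api/check
2025-11-03T09:00:10 10.0.0.5 203.0.113.10 POST /api/check
2025-11-03T09:00:20 10.0.0.5 203.0.113.10 POST /api/check
2025-11-03T09:00:30 10.0.0.5 203.0.113.10 POST /api/check
2025-11-03T09:00:40 10.0.0.5 203.0.113.10 POST /api/check
2025-11-03T09:00:03 10.0.0.7 198.51.100.20 GET /news
2025-11-03T09:01:47 10.0.0.7 198.51.100.20 GET /news/2
2025-11-03T09:05:02 10.0.0.7 198.51.100.20 POST /login
2025-11-03T09:09:30 10.0.0.7 198.51.100.20 GET /home
"""


def parse(log):
    """Group (timestamp, method) events by (src, dst) pair."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, method, _uri = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), method))
    return events


def find_beacons(log, period=10.0, tolerance=1.0, min_requests=4):
    """Return pairs whose mean inter-request gap is within `tolerance`
    seconds of `period` and whose jitter (population std dev) is also
    below `tolerance`. Requires at least `min_requests` observations."""
    hits = []
    for (src, dst), evs in parse(log).items():
        if len(evs) < min_requests:
            continue
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append({"src": src, "dst": dst,
                         "mean_gap": round(mean(gaps), 2),
                         "jitter": round(pstdev(gaps), 2),
                         "posts": sum(1 for _, m in evs if m == "POST")})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {hit}")
```

A fixed interval alone is not proof of compromise (monitoring agents poll too), so the flagged pair is a lead to pivot on, with the POST count and destination reputation as the next checks.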
Recent Campaigns and Impact
In September 2025, CL-STA-1062 successfully infiltrated a Southeast Asian government entity, deploying a web shell to exfiltrate data from an MS SQL server. During this operation, the threat actor also conducted network reconnaissance on another government entity within the same country. This indicates a methodical approach to identifying lateral movement opportunities and expanding access across multiple targets.
Unit 42 reported that between October and December 2025, at least ten different organizations in Southeast Asia were compromised, highlighting the scale and impact of these cyber operations. The group’s focus on critical infrastructure has raised alarms, as they have been scanning various entities for vulnerabilities and establishing footholds through ASPX web shells.
Delivery Mechanism and Toolset
TinyRCT is delivered via a malicious archive named “chrome_setup.zip,” which contains a legitimate executable alongside a rogue DLL used for an AppDomainManager injection attack. Through this injection the malware downloads and executes “PerfWatson2.exe,” extending the attacker’s capabilities on the host.
The toolset associated with CL-STA-1062 includes components like SoftEther VPN and RAR archives containing various open-source utilities, often disguised as VMware executables. This strategic use of common tools facilitates lateral movement within compromised networks, enabling attackers to maintain persistence and expand their reach.
Conclusion
The emergence of TinyRCT as a custom backdoor in CL-STA-1062’s arsenal underscores the evolving nature of cyber threats targeting critical infrastructure in Southeast Asia. The combination of sophisticated malware and established tactics indicates that this APT will continue to pose significant risks to the region’s security landscape.
For further details on this development, refer to the original reporting source: thehackernews.com.