Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign
Chinese APT CL-STA-1062 targets Southeast Asia with new TinyRCT backdoor.
Summary
A Chinese-speaking APT group, identified as CL-STA-1062, is actively targeting government entities and critical infrastructure in Southeast Asia using a new custom backdoor named TinyRCT. This group, which shows overlaps with UAT-7237, has been observed conducting cyber espionage activities since at least March 2022, with recent campaigns in late 2025 focusing on data exfiltration and network reconnaissance.
Full text
Ravie Lakshmanan, Jun 26, 2026. Cyber Espionage / Malware

A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT, used in cyber attacks aimed at government entities and critical infrastructure in Southeast Asia.

The activity, directed in particular at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor tracked as CL-STA-1062, which Palo Alto Networks Unit 42 said shares overlaps with UAT-7237, a hacking group first flagged by Cisco Talos in August 2025 in connection with a campaign against web infrastructure entities in Taiwan. Unit 42 said it has also observed CL-STA-1062 in earlier operations targeting strategic sectors in East Asia since March 2022, suggesting a broader but sustained focus on the region.

"From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit," Unit 42 said in a technical report. "While they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor."

TinyRCT can run arbitrary commands, enumerate and exfiltrate files, capture the device's screen, and delete itself from the compromised host.

In one campaign detected in September 2025, the threat actor is said to have infiltrated a Southeast Asian government entity and deployed a web shell to exfiltrate data from an MS SQL server. During the same attack, the threat actor also conducted network reconnaissance against a separate government entity in the same country. "This suggests an effort to identify lateral movement opportunities and broaden their access.
In one case, we observed the attacker staging and exfiltrating an entire directory of web server source code from the government entity," Unit 42 said, adding that it detected breaches of at least 10 different organizations in Southeast Asia between October and December 2025.

Since at least mid-2025, CL-STA-1062 has trained its sights on critical infrastructure, scanning multiple entities in the region for vulnerabilities and then establishing a foothold via ASPX web shells. The web shells support initial reconnaissance and outbound requests from the infected networks to attacker-controlled infrastructure, leading to the deployment of additional payloads. These include SoftEther VPN components and RAR archives containing the group's toolset, among them open-source utilities such as Yuze (a SOCKS5 proxy) and VNT (a VPN), often disguised as VMware executables or an XDR agent (e.g., "XDRAgent.exe," "vmtools.exe," and "vmwared.exe").

Further analysis of the campaign's infrastructure led to the discovery of a previously undocumented .NET backdoor dubbed TinyRCT ("PerfWatson2.exe"), a lightweight remote access trojan that supports system reconnaissance, command execution, file uploads, screenshot capture, and remote control, and that can wipe traces of itself, while taking steps to avoid running in sandboxed environments. It maintains a persistent communication channel with a remote server ("45.32.113[.]172") over HTTP, encrypting the exchanged data with AES-128 in CBC mode.

"The malware operates on a beaconing model, with a default 10-second sleep interval between requests," Unit 42 explained. "It polls the C2 server for instructions using GET requests, while it sends exfiltrated data via POST requests."
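Because the HTTP bodies are AES-128-CBC encrypted, content inspection gives little to work with; the timing of the channel is the more durable signal. The following added example (not code from the article or from Unit 42) sketches a proxy-log heuristic for the pattern described above: a client issuing GET requests to one host at a near-constant interval close to the default 10 seconds, with occasional POSTs to the same host. The log lines are constructed for the example and use the C2 address given in the article; the field layout and the `updates.example.net` host are assumptions.

```python
"""Heuristic beacon detection for a TinyRCT-style C2 pattern: periodic GET polls
to one host (default 10-second sleep) interleaved with POST uploads.
Added example for this article; the log lines below are constructed."""
import statistics
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client IP> <method> <URL>".
# 10.20.30.40 polls the C2 address named in the article roughly every 10 s
# and POSTs twice; its traffic to an update host is irregular and benign.
SAMPLE_LOG = [
    "2025-11-03T10:00:00 10.20.30.40 GET http://45.32.113.172/index.php",
    "2025-11-03T10:00:03 10.20.30.40 GET http://updates.example.net/a",
    "2025-11-03T10:00:04 10.20.30.40 GET http://updates.example.net/b",
    "2025-11-03T10:00:10 10.20.30.40 GET http://45.32.113.172/index.php",
    "2025-11-03T10:00:20 10.20.30.40 GET http://45.32.113.172/index.php",
    "2025-11-03T10:00:31 10.20.30.40 GET http://45.32.113.172/index.php",
    "2025-11-03T10:00:35 10.20.30.40 POST http://45.32.113.172/index.php",
    "2025-11-03T10:00:41 10.20.30.40 GET http://45.32.113.172/index.php",
    "2025-11-03T10:00:49 10.20.30.40 GET http://updates.example.net/c",
    "2025-11-03T10:00:50 10.20.30.40 GET http://45.32.113.172/index.php",
    "2025-11-03T10:01:00 10.20.30.40 GET http://45.32.113.172/index.php",
    "2025-11-03T10:01:05 10.20.30.40 POST http://45.32.113.172/index.php",
    "2025-11-03T10:01:10 10.20.30.40 GET http://45.32.113.172/index.php",
    "2025-11-03T10:02:15 10.20.30.40 GET http://updates.example.net/d",
    "2025-11-03T10:05:00 10.20.30.40 GET http://updates.example.net/e",
    "2025-11-03T10:05:02 10.20.30.40 GET http://updates.example.net/f",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, host)."""
    ts, client, method, url = line.split()
    host = url.split("/")[2]          # scheme://host/path -> host
    return datetime.fromisoformat(ts), client, method, host


def find_beacons(lines, interval=10.0, tolerance=0.25, min_polls=6):
    """Flag (client, host) pairs whose GET requests recur at a near-constant
    interval close to `interval` seconds. POSTs are counted separately, since
    TinyRCT uses them for exfiltration rather than for polling."""
    sessions = {}
    for ts, client, method, host in map(parse_line, lines):
        s = sessions.setdefault((client, host), {"gets": [], "posts": 0})
        if method == "GET":
            s["gets"].append(ts)
        elif method == "POST":
            s["posts"] += 1

    hits = []
    allowed = tolerance * interval
    for (client, host), s in sessions.items():
        times = sorted(s["gets"])
        if len(times) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)   # low spread = machine-driven timing
        if abs(median_gap - interval) <= allowed and jitter <= allowed:
            hits.append({
                "client": client, "host": host, "polls": len(times),
                "median_gap": median_gap, "jitter": round(jitter, 2),
                "posts": s["posts"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The 10-second interval is the default reported by Unit 42, not a constant of the protocol, so in practice the check is run across a range of candidate intervals (or replaced by a periodicity test on the gap distribution) rather than pinned to one value. The jitter bound is what separates a sleep loop from a user clicking through a site at a similar average rate.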
As for delivery, TinyRCT arrives as a malicious archive named "chrome_setup.zip" containing a legitimate executable ("chrome_setup.exe"), a configuration file ("chrome_setup.exe.config"), and a rogue DLL ("MyAppDomainManager.dll"). The configuration file is used to carry out an AppDomainManager injection attack: the .NET runtime honors an AppDomainManager assembly and type named in an executable's .config file, so the legitimate binary loads the attacker's DLL before its own code runs. That DLL functions as a downloader, contacting "139.180.134[.]221" to retrieve "PerfWatson2.exe."

"The combination of tools observed in this activity cluster reflects a pragmatic approach to tool selection and attack capabilities," Unit 42 concluded. "The attackers behind this cluster continue to leverage common open-source tools such as SoftEther VPN and VNT to facilitate lateral movement."

"Our discovery of the TinyRCT backdoor in the attackers' infrastructure underscores their ability to customize tools to gain specific capabilities. The combination of targeting critical infrastructure and the development of custom malware suggests that CL-STA-1062 activity will continue to pose a threat to the region."
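The three-file layout described above (a signed executable, an `.exe.config` beside it, and a DLL matching the assembly name the config points at) is what a disk hunt for this delivery technique looks for. The following added example, which is not code from the article or from Unit 42, walks a directory tree, parses every `*.exe.config`, and reports any `<runtime>` block that sets `appDomainManagerAssembly`/`appDomainManagerType` together with whether the named DLL is present next to the executable. The article does not reproduce the contents of `chrome_setup.exe.config`, so the config text, the `MyAppDomainManager.Injector` type name, and the staged directory are assumptions constructed for the demonstration; the element names themselves are the documented .NET runtime settings.

```python
"""Hunt for AppDomainManager injection staging on disk: an <exe>.config whose
<runtime> section names an appDomainManagerAssembly/appDomainManagerType,
with the named assembly sitting beside the executable as a DLL.
Added example for this article; the config contents are assumed, since the
article names the files but does not reproduce them."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumed shape of a malicious chrome_setup.exe.config (not recovered from
# the sample). The element names are the documented .NET runtime settings.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager.Injector" />
  </runtime>
</configuration>
"""

# Ordinary config: only a supportedRuntime element, no AppDomainManager.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def appdomain_manager_setting(config_text):
    """Return (assembly_name, type_name) if the config sets an AppDomainManager,
    else None. Malformed XML is treated as 'no setting'."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value", ""), typ.get("value", "")


def scan_tree(root_dir):
    """Walk root_dir, inspect every *.exe.config, and report AppDomainManager
    settings together with whether the named assembly's DLL sits next to it."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:   # tolerate a BOM
                setting = appdomain_manager_setting(fh.read())
            if setting is None:
                continue
            asm_full, type_name = setting
            simple_name = asm_full.split(",")[0].strip()   # drop Version=, PublicKeyToken=
            dll = os.path.join(dirpath, simple_name + ".dll")
            findings.append({
                "config": path,
                "exe": path[: -len(".config")],
                "assembly": simple_name,
                "type": type_name,
                "dll_present": os.path.isfile(dll),
            })
    return findings


def demo():
    """Stage a constructed unpacked chrome_setup.zip next to a benign app and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        evil = os.path.join(tmp, "chrome_setup")
        good = os.path.join(tmp, "tool")
        os.makedirs(evil)
        os.makedirs(good)
        for fname in ("chrome_setup.exe", "MyAppDomainManager.dll"):
            with open(os.path.join(evil, fname), "wb") as fh:
                fh.write(b"MZ")   # placeholder bytes, not real PE files
        with open(os.path.join(evil, "chrome_setup.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(MALICIOUS_CONFIG)
        with open(os.path.join(good, "tool.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_CONFIG)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit with `dll_present` true and a non-Microsoft assembly name next to a signed vendor executable is the layout the article describes and is worth pulling the DLL for analysis; the same setting can also be supplied through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which a file scan like this one does not see and which should be checked separately from process or registry telemetry.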
Indicators of Compromise
- ip — 45.32.113[.]172
- ip — 139.180.134[.]221
- malware — TinyRCT
- malware — PerfWatson2.exe
- mitre_attack — T1059.005