A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia.
The activity, particularly aimed at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor called CL-STA-1062, which Palo Alto Networks Unit 42 said shares overlaps with UAT-7237, a hacking group that was first flagged by Cisco Talos in August 2025 in relation to a campaign directed against web infrastructure entities in Taiwan.
Unit 42 said it also observed CL-STA-1062 campaigns in prior operations targeting strategic sectors in East Asia since March 2022, suggesting a broader but sustained focus in the region.
“From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit,” Unit 42 said in a technical report. “While they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor.”
TinyRCT is equipped to run arbitrary commands, enumerate files and exfiltrate them, capture the device’s screen, and delete itself from the compromised host.
In one campaign detected in September 2025, the threat actor is said to have infiltrated a Southeast Asian government entity and deployed a web shell to exfiltrate data from an MS SQL server. During the same attack, the threat actors have been found to conduct network reconnaissance on a separate government entity in the same country.
“This suggests an effort to identify lateral movement opportunities and broaden their access. In one case, we observed the attacker staging and exfiltrating an entire directory of web server source code from the government entity,” Unit 42 said, adding it detected the breach of at least 10 different organizations in Southeast Asia between October and December 2025.
Since at least mid-2025, CL-STA-1062 has trained its sights on the critical infrastructure, with the adversary scanning multiple entities in the region for vulnerabilities and then establishing a foothold via ASPX web shells that facilitate initial reconnaissance and outbound requests from the infected networks to attacker-controlled infrastructure, leading to the deployment of additional payloads.
This includes SoftEther VPN components and RAR archives containing the group’s toolset, including open-source utilities such as Yuze (a SOCKS5 proxy) and VNT (a VPN), often disguising them as VMware executables or an XDR agent (e.g., “XDRAgent.exe,” “vmtools.exe,” and “vmwared.exe”).
Further analysis of the campaign’s infrastructure has led to the discovery of a previously undocumented .NET backdoor dubbed TinyRCT (“PerfWatson2.exe”), a lightweight remote access trojan that enables system reconnaissance, command execution, file uploads, screenshot capture, remote…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
