
Chinese-Speaking APT Uses New TinyRCT Backdoor in Southeast Asia Campaign

Ravie Lakshmanan, June 26, 2026. Cyber Espionage / Malware

A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT, used in a series of cyber attacks targeting government entities and critical infrastructure in Southeast Asia.

The activity, which is aimed mainly at government entities and the energy sector, is attributed to a threat cluster tracked as CL-STA-1062. Palo Alto Networks Unit 42 said the cluster overlaps with UAT-7237, a hacking group first flagged by Cisco Talos in August 2025 in connection with a campaign directed against web infrastructure organizations in Taiwan.

Unit 42 said it has also observed CL-STA-1062 in earlier operations targeting strategic sectors in East Asia since March 2022, suggesting a broader and ongoing focus on the region.

“From a technical perspective, the attackers behind CL-STA-1062 rely on integrated tools,” Unit 42 said in a technical report. “While they often use traditional open source tools like SoftEther VPN, Mimikatz, and VNT, they recently introduced TinyRCT, a bespoke, previously undocumented backdoor.”

TinyRCT can execute arbitrary commands, list and exfiltrate files, capture the screen of the infected device, and delete itself from the compromised host.

In one campaign discovered in September 2025, the threat actor is said to have breached a Southeast Asian government entity and deployed a web shell to extract data from a Microsoft SQL Server database. During the same intrusion, the threat actors were found conducting network reconnaissance in a different government organization in the same country.

“This suggests an effort to identify opportunities for lateral movement and expand its reach. In some cases, we have seen the attacker collecting and exfiltrating the entire source code directory of a web server from a government organization,” said Unit 42, adding that it found breaches of at least 10 organizations in Southeast Asia between October and December 2025.

Since at least mid-2025, CL-STA-1062 has trained its sights on critical infrastructure, with the adversary scanning multiple organizations in the region for vulnerabilities and deploying ASPX web shells that support initial reconnaissance and route outbound requests from compromised networks to attacker-controlled infrastructure, from which additional payloads are then retrieved.

These payloads include SoftEther VPN components and RAR archives containing the group’s toolset, among them open source utilities such as Yuze (a SOCKS5 proxy) and VNT (a VPN), which are often disguised as VMware executables or XDR agents (e.g., “XDRAgent.exe,” “vmtools.mwaexe”).

Further analysis of the campaign’s infrastructure led to the discovery of a previously undocumented .NET backdoor named TinyRCT (“PerfWatson2.exe”), a lightweight remote access trojan that supports file listing, command execution, file uploads, screenshot capture, remote control, and deletion of its own traces.

The backdoor establishes a persistent communication channel with a remote server (“45.32.113[.]172”) over HTTP, encrypting the exchanged data with AES-128 in CBC mode.

“The malware operates in a lightweight model, with a default sleep interval of 10 seconds between requests,” explained Unit 42. “It polls the C2 server for instructions using GET requests, while sending exfiltrated data via POST requests.”
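The polling pattern just described is exactly what a defender can hunt for: a fixed sleep interval produces near-zero jitter between consecutive requests from one host to one destination. The following Python example is added here and is not code from Unit 42's report; it runs a simple low-jitter beacon detector over a few constructed proxy log lines (the log format, client addresses, paths and thresholds are assumptions; the destination IP is the C2 address quoted above, used only as a string in the sample data).

```python
"""Low-jitter beacon detection over proxy logs (added example, not from the report)."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <method> <dest host> <path> <status> <bytes>".
# The 10-second GET cadence to 45.32.113.172 mimics TinyRCT's default polling; the
# other lines are filler traffic. None of these lines come from a real capture.
SAMPLE_LOG = """\
2025-09-12T08:00:00 10.20.30.40 GET 45.32.113.172 /index.php 200 512
2025-09-12T08:00:03 10.20.30.40 GET updates.example.com /latest 200 2048
2025-09-12T08:00:05 10.20.30.40 GET updates.example.com /manifest 200 128
2025-09-12T08:00:10 10.20.30.40 GET 45.32.113.172 /index.php 200 512
2025-09-12T08:00:20 10.20.30.40 GET 45.32.113.172 /index.php 200 512
2025-09-12T08:00:25 10.20.30.40 POST 45.32.113.172 /upload.php 200 65536
2025-09-12T08:00:31 10.20.30.40 GET 45.32.113.172 /index.php 200 512
2025-09-12T08:00:40 10.20.30.40 GET updates.example.com /pkg 200 9000
2025-09-12T08:00:41 10.20.30.40 GET 45.32.113.172 /index.php 200 512
2025-09-12T08:00:51 10.20.30.40 GET 45.32.113.172 /index.php 200 512
2025-09-12T08:01:01 10.20.30.40 GET 45.32.113.172 /index.php 200 512
2025-09-12T08:01:11 10.20.30.40 GET 45.32.113.172 /index.php 200 512
2025-09-12T08:01:30 10.20.30.40 GET updates.example.com /pkg2 200 9000
2025-09-12T08:02:00 10.20.30.40 GET updates.example.com /done 200 64
2025-09-12T08:02:05 10.20.30.41 GET updates.example.com /latest 200 2048
2025-09-12T08:02:09 10.20.30.41 GET updates.example.com /pkg 200 9000
"""


def parse_line(line):
    """Split one log line into a record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, dest, path, status, size = parts
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "dest": dest,
        "path": path,
        "status": int(status),
        "bytes": int(size),
    }


def is_ip_literal(host):
    """True when the destination is a bare IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_beacons(lines, min_requests=5, max_jitter=0.2):
    """Flag (client, dest, method) streams whose inter-request gap is nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. min_requests and max_jitter are tunable assumptions.
    """
    streams = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            streams[(rec["client"], rec["dest"], rec["method"])].append(rec["ts"])

    hits = []
    for (client, dest, method), stamps in streams.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({
                "client": client,
                "dest": dest,
                "method": method,
                "count": len(stamps),
                "mean_interval": round(avg, 2),
                "jitter": round(jitter, 3),
                "dest_is_ip": is_ip_literal(dest),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample data only the GET stream to the raw IP is flagged (eight requests about 10 seconds apart, jitter under 0.05); the POST exfiltration line is a single event and the software-update traffic is too irregular. Real implants often randomize their sleep, so in practice widen the window, correlate with a raw-IP destination and constant response sizes, and treat the result as a lead to pivot on rather than a verdict.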

As for how TinyRCT is delivered, it arrives in a malicious archive called “chrome_setup.zip” containing a legitimate executable (“chrome_setup.exe”), a configuration file (“chrome_setup.exe.config”), and a malicious DLL (“MyAppDomainManager.dll”). The combination is a case of AppDomainManager injection: the configuration file instructs the .NET runtime to load the malicious DLL as the application’s AppDomainManager when the legitimate executable starts, and the DLL then contacts “139.180.134[.]221” to retrieve “PerfWatson2.exe.”
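A .NET executable's .exe.config can name an assembly and type to be instantiated as the application's AppDomainManager before the program's own Main runs, so dropping a crafted DLL next to a trusted executable is enough to run code under that executable's name. The article does not reproduce the contents of chrome_setup.exe.config, so the XML below is constructed from the documented .NET runtime configuration schema (the assembly version and token are assumptions); the Python scanner that follows is an added example, not Unit 42's code, and the temporary directory it builds reuses the file names from the article with placeholder contents.

```python
"""Hunt for AppDomainManager injection via *.exe.config files (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed config showing the two <runtime> keys that make the .NET Framework
# load an attacker-supplied AppDomainManager before the host's own Main() runs.
# The real chrome_setup.exe.config was not published; version/token are assumed.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
  </runtime>
</configuration>
"""

# A typical benign config for comparison: no AppDomainManager keys at all.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def inspect_config(config_text):
    """Return the AppDomainManager assembly/type named in a config, or None if absent."""
    root = ET.fromstring(config_text)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def scan_directory(root_dir):
    """Walk a tree for *.exe.config files and report any that redirect the AppDomainManager.

    For each hit, also check whether the named assembly's DLL sits beside the
    executable, which is the layout the chrome_setup.zip archive used.
    """
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            exe_name = name[: -len(".config")]
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:  # utf-8-sig strips a BOM
                text = fh.read()
            try:
                hit = inspect_config(text)
            except ET.ParseError:
                continue  # not well-formed XML, so the runtime would not honour it
            if not hit:
                continue
            # The display name's first token is the simple assembly name the runtime
            # probes for as <name>.dll in the application directory.
            simple_name = (hit["assembly"] or "").split(",")[0].strip()
            findings.append({
                "config": path,
                "exe": exe_name,
                "exe_present": exe_name in files,
                "assembly": simple_name,
                "type": hit["type"],
                "dll_present": os.path.exists(os.path.join(dirpath, simple_name + ".dll")),
            })
    return findings


def build_demo_tree():
    """Create a constructed directory mimicking the archive layout described in the article."""
    base = tempfile.mkdtemp(prefix="appdomain_demo_")
    evil = os.path.join(base, "chrome_setup")
    os.makedirs(evil)
    with open(os.path.join(evil, "chrome_setup.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real executable")
    with open(os.path.join(evil, "chrome_setup.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(MALICIOUS_CONFIG)
    with open(os.path.join(evil, "MyAppDomainManager.dll"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real DLL")
    benign = os.path.join(base, "benign_app")
    os.makedirs(benign)
    with open(os.path.join(benign, "app.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")
    with open(os.path.join(benign, "app.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_CONFIG)
    return base


if __name__ == "__main__":
    for finding in scan_directory(build_demo_tree()):
        print(finding)
```

Run against user-writable locations (Downloads, Temp, ProgramData) the scanner surfaces configs that redirect the AppDomainManager together with whether the named DLL is actually present beside the executable. Two caveats: the same hijack can be triggered without any config file through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, so process-creation telemetry should be checked for those as well; and a handful of legitimate applications do ship an AppDomainManager, so a hit is a lead to verify (signer of the DLL, whether the executable is a renamed signed binary), not a verdict.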

“The combination of tools seen in this activity cluster shows a logical approach to choosing tools and attack capabilities,” Unit 42 concluded. “The attackers behind this cluster continue to use common open source tools like SoftEther VPN and VNT to facilitate lateral movement.”

“Our discovery of the TinyRCT backdoor in the attackers’ infrastructure underscores their ability to customize tools for specific capabilities. The combination of targeting critical infrastructure and the development of custom malware suggests that CL-STA-1062’s activity will continue to be a threat to the region.”
