A Chinese-speaking advanced persistent threat group has been linked to a newly identified custom backdoor named TinyRCT that has been deployed in cyber espionage campaigns targeting government organizations and critical infrastructure across Southeast Asia. Researchers at Palo Alto Networks Unit 42 attribute the activity to a threat actor tracked as CL-STA-1062, which has shown operational overlaps with the group UAT-7237.
Palo Alto Networks Unit 42 reported that CL-STA-1062 has primarily focused on state-owned enterprises operating in the government and energy sectors throughout Southeast Asia. Researchers found similarities between the group’s activities and UAT-7237, a threat actor first identified by Cisco Talos in August 2025 during attacks against web infrastructure organizations in Taiwan. Unit 42 also traced earlier campaigns linked to CL-STA-1062 back to March 2022, indicating a sustained effort targeting strategic sectors across East Asia over several years. The researchers noted that the group relies on a combination of widely available open-source security tools and custom-developed malware. Alongside utilities such as SoftEther VPN, Mimikatz, and VNT, the attackers recently introduced TinyRCT, a previously undocumented .NET-based backdoor that significantly expands their attack capabilities. TinyRCT enables attackers to execute arbitrary commands, browse and exfiltrate files, capture screenshots from compromised systems, and remove itself after completing operations to reduce forensic evidence.
One campaign identified in September 2025 involved the compromise of a Southeast Asian government organization where the attackers deployed a web shell to extract data from a Microsoft SQL Server. During the same operation, investigators observed network reconnaissance targeting another government organization within the same country, suggesting attempts to identify opportunities for lateral movement and to expand access across connected networks. In one incident, the attackers staged and exfiltrated an entire directory containing web server source code from a government entity. According to Unit 42, at least ten organizations across Southeast Asia were compromised between October and December 2025. Since the middle of 2025, the group has increasingly focused on critical infrastructure organizations by scanning internet-facing systems for vulnerabilities before establishing access through ASPX web shells. These web shells allowed attackers to perform reconnaissance and create outbound connections to attacker-controlled infrastructure before deploying additional malware. Researchers found the attackers also delivered SoftEther VPN components and compressed RAR archives containing several open-source utilities, including Yuze, which functions as a SOCKS5 proxy, and VNT, a virtual private network tool. These files were frequently disguised as legitimate software using names such as XDRAgent.exe, vmtools.exe, and vmwared.exe to reduce suspicion.
Further analysis of the attack infrastructure led researchers to identify TinyRCT, which appeared as a file named PerfWatson2.exe. The lightweight remote access trojan supports system reconnaissance, command execution, remote file uploads, screenshot collection, remote administration, and self-deletion after completing assigned tasks. It also contains mechanisms designed to detect sandbox environments in an effort to evade automated malware analysis. TinyRCT communicates with a remote command server at the IP address 45.32.113.172 over HTTP while encrypting all exchanged data with AES-128 in CBC mode. The malware operates through a beaconing mechanism that contacts its command server every ten seconds using HTTP GET requests to retrieve instructions, while stolen information is transmitted using HTTP POST requests. Researchers determined that TinyRCT is delivered through a malicious archive named chrome_setup.zip containing a legitimate executable, a configuration file, and a malicious DLL named MyAppDomainManager.dll. The DLL abuses an AppDomainManager injection technique to execute malicious code, which then contacts another remote server at IP address 139.180.134.221 to download the TinyRCT payload.
According to Palo Alto Networks Unit 42, the group’s toolkit reflects a practical combination of trusted open-source utilities and custom-developed malware tailored to specific operational requirements. The continued use of SoftEther VPN and VNT supports lateral movement within compromised environments, while the addition of TinyRCT provides greater flexibility for espionage activities through custom functionality unavailable in publicly available tools. Researchers believe the group’s ongoing focus on government agencies and critical infrastructure, together with the development of specialized malware such as TinyRCT, demonstrates a sustained commitment to cyber espionage operations across Southeast Asia. The investigation also highlights the importance of monitoring web shells, suspicious remote access utilities, and unauthorized outbound communications to identify similar attacks targeting sensitive organizations in the region.
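Two points above lend themselves to a concrete detection check: the beaconing behaviour described for TinyRCT (HTTP GET to the command server every ten seconds, with stolen data sent by HTTP POST) and the closing recommendation to monitor unauthorized outbound communications. The Python script below is an added example, not code from Unit 42 or from this article. The proxy log format, the internal hosts and the 203.0.113.9 destination in the sample lines are constructed for illustration; the two server addresses and the file names in the indicator sets are the ones reported in the article. It generalizes slightly beyond the ten-second case by flagging any low-jitter periodic GET pattern between a source and a destination rather than one fixed interval, and it sums the bytes POSTed to the same destination so an analyst can see whether a beacon is also carrying data out.

```python
"""Periodic-beacon and indicator matcher over constructed proxy log lines.

Added example for illustration; not Unit 42's tooling. The log format, the
internal hosts and the 203.0.113.9 destination are constructed. The IPs and
file names in the two indicator sets are those reported in the article.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators reported in the article.
KNOWN_C2_IPS = {"45.32.113.172", "139.180.134.221"}
SUSPICIOUS_NAMES = {"PerfWatson2.exe", "XDRAgent.exe", "vmtools.exe",
                    "vmwared.exe", "MyAppDomainManager.dll", "chrome_setup.zip"}

# Constructed proxy log: "<timestamp> <src_ip> <method> <dst_ip> <path> <bytes>"
# 10.1.2.15 polls 203.0.113.9 every 10 s and uploads once; 10.1.2.22 browses
# normally; 10.1.2.30 makes a single contact to a reported C2 address.
SAMPLE_LOG = """\
2025-11-02T09:00:00 10.1.2.15 GET 203.0.113.9 /tasks 120
2025-11-02T09:00:10 10.1.2.15 GET 203.0.113.9 /tasks 120
2025-11-02T09:00:20 10.1.2.15 GET 203.0.113.9 /tasks 120
2025-11-02T09:00:30 10.1.2.15 GET 203.0.113.9 /tasks 120
2025-11-02T09:00:40 10.1.2.15 GET 203.0.113.9 /tasks 120
2025-11-02T09:00:41 10.1.2.15 POST 203.0.113.9 /upload 48212
2025-11-02T09:00:50 10.1.2.15 GET 203.0.113.9 /tasks 120
2025-11-02T09:00:03 10.1.2.22 GET 198.51.100.7 /index.html 5300
2025-11-02T09:04:17 10.1.2.22 GET 198.51.100.7 /news 8800
2025-11-02T09:09:02 10.1.2.22 GET 198.51.100.7 /about 2100
2025-11-02T09:01:00 10.1.2.30 GET 45.32.113.172 /c 100
"""


def parse_log(text):
    """Parse the constructed space-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, path, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "method": method, "dst": dst, "path": path,
                        "bytes": int(size)})
    return records


def find_beacons(records, min_intervals=4, max_jitter=0.1):
    """Return {(src, dst): {"interval", "count", "post_bytes"}} for pairs whose
    GET requests recur at a near-constant interval (a timer-driven beacon)."""
    gets = defaultdict(list)
    post_bytes = defaultdict(int)
    for r in records:
        key = (r["src"], r["dst"])
        if r["method"] == "GET":
            gets[key].append(r["ts"])
        elif r["method"] == "POST":
            post_bytes[key] += r["bytes"]
    hits = {}
    for key, times in gets.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_intervals:
            continue  # too few requests to call it periodic
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # Relative spread of the gaps: a fixed sleep() loop has very little.
        jitter = statistics.pstdev(gaps) / median
        if jitter <= max_jitter:
            hits[key] = {"interval": median, "count": len(times),
                         "post_bytes": post_bytes.get(key, 0)}
    return hits


def match_iocs(records):
    """Return the (src, dst) pairs whose destination is a reported C2 address."""
    return {(r["src"], r["dst"]) for r in records if r["dst"] in KNOWN_C2_IPS}


def suspicious_file_names(paths):
    """Case-insensitive basename match against the reported file names."""
    wanted = {n.lower() for n in SUSPICIOUS_NAMES}
    return {p for p in paths
            if p.lower().split("\\")[-1].split("/")[-1] in wanted}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), info in find_beacons(recs).items():
        print(f"beacon {src} -> {dst}: every {info['interval']:.0f}s, "
              f"{info['count']} GETs, {info['post_bytes']} bytes POSTed")
    for src, dst in match_iocs(recs):
        print(f"known C2 contact {src} -> {dst}")
    print(suspicious_file_names([r"C:\Windows\Temp\perfwatson2.exe", "notepad.exe"]))
```

The jitter test is deliberately destination-agnostic: it would have raised the 203.0.113.9 host even before the server address was published, whereas the indicator match only catches the addresses and names already reported. Legitimate software that polls on a fixed timer (update checkers, health probes) will also trip the jitter rule, so in practice the beacon hits are best ranked by destination reputation and by whether the same pair also shows outbound POST volume, as the article describes for TinyRCT.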