CL-STA-1062 Hackers Use TinyRCT Backdoor to Target Southeast Asian Governments

A Chinese-speaking threat group known as CL-STA-1062 has been running a quiet but aggressive campaign against government agencies and critical energy infrastructure across Southeast Asia.

The attackers, active since at least March 2022, spent much of 2025 targeting state-owned enterprises with a toolkit that blends widely available open-source utilities with a newly built, custom backdoor called TinyRCT.

The campaign picked up pace in September 2025, when the group broke into a Southeast Asian government network by deploying web shells and pulling database records off an internal MSSQL server.

From there, they expanded their reach by scanning a nearby government entity in the same country, looking for lateral movement opportunities and ways to deepen their foothold.

By the end of the year, between October and December 2025, the group had likely compromised at least ten separate organizations in the region.

Researchers at Unit 42, Palo Alto Networks’ threat intelligence arm, said in a report shared with Cyber Security News (CSN) that CL-STA-1062 is the same cluster previously tracked by Cisco Talos as UAT-7237, a group that targeted web hosting infrastructure in Taiwan in mid-2025.

The attackers have since shifted focus toward energy and government sectors, pointing to a broader, sustained strategy across the Asia-Pacific region.

What makes this group stand out is how they combine free-to-use tools with their own homegrown malware.

They routinely use SoftEther VPN, Mimikatz, and VNT for tunneling and credential theft, often disguising these tools as legitimate VMware executables or trusted system processes.

The introduction of TinyRCT, a previously undocumented backdoor written in C#, marks a notable escalation in the group’s offensive capabilities and reflects a willingness to build custom tools when needed.

CL-STA-1062 Hackers Use TinyRCT Backdoor

TinyRCT is a lightweight remote access trojan built specifically for Windows systems. It arrives on a victim machine through a malicious archive called chrome_setup.zip, which carries a legitimate-looking Chrome installer alongside a hidden, malicious DLL.

When the user runs the installer, a technique called AppDomainManager Injection quietly loads the malicious code inside the trusted process, keeping it largely out of plain sight.

Once the loader runs, it checks whether it is executing from the user’s Downloads folder. If not, it terminates immediately, a deliberate trick to dodge sandbox analysis environments.

If the check passes, it contacts a staging server, drops the TinyRCT payload into the local app data directory as PerfWatson2.exe, and registers a scheduled task to keep the infection alive across system reboots.

After settling in, TinyRCT checks in with its command-and-control server every ten seconds. All traffic is encrypted using AES-128, though the encryption key is hard-coded directly inside the binary.

The backdoor can run shell commands, list and read files, download payloads, capture screenshots, and erase itself using a self-destruct routine that leverages choice.exe to introduce a short delay before removing its own files.

Critical Infrastructure Under Attack

The group’s focus on energy infrastructure makes this campaign especially alarming.

Researchers found that two state-owned energy organizations in the same Southeast Asian country were actively compromised, with attackers scanning for vulnerabilities and downloading malicious payloads onto the infected networks.

Tools were frequently bundled inside password-protected RAR archives to avoid triggering security alerts.

The attackers used traceroute to map lateral movement paths to nearby government systems, and deployed JuicyPotato to escalate privileges once inside a network.

In at least one case, they compressed and exfiltrated an entire directory of web server source code before sending it to attacker-controlled servers.

A comment written in Simplified Chinese found inside TinyRCT’s binary adds to the growing evidence pointing toward Chinese-speaking actors.

Security teams in Southeast Asia, particularly in energy and government sectors, should watch for untrusted binaries running from local app data directories and unfamiliar scheduled tasks mimicking legitimate service names.

Reviewing outbound HTTP traffic for regular beaconing behavior and enforcing strict policies on where executables are permitted to run are among the most practical defensive steps available against a persistent threat like this.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post CL-STA-1062 Hackers Use TinyRCT Backdoor to Target Southeast Asian Governments appeared first on Cyber Security News.