A Chinese-speaking advanced persistent threat (APT) group tracked as CL-STA-1062 has been linked to cyber attacks on government entities and critical infrastructure across Southeast Asia. The operations feature a previously undocumented custom backdoor, dubbed TinyRCT, that the group has added to its arsenal.
CL-STA-1062 has been active since at least March 2022, focusing on strategic sectors in East Asia. Their recent campaigns have particularly targeted state-owned enterprises within the energy and government sectors. Notably, this group shares characteristics with UAT-7237, a hacking entity previously identified in August 2025 for attacks on web infrastructure in Taiwan.
On the technical side, CL-STA-1062 combines open-source tools with proprietary malware. Its toolkit includes utilities such as SoftEther VPN, Mimikatz, and VNT. The addition of TinyRCT marks a notable evolution in its methods: the backdoor can execute arbitrary commands, enumerate and exfiltrate files, capture screenshots, and delete itself to evade detection.
In a campaign observed in September 2025, the group infiltrated a Southeast Asian government entity, deploying a web shell to extract data from an MS SQL server. Concurrently, they conducted network reconnaissance on another government organization within the same country, indicating efforts to expand their access and identify further targets. Between October and December 2025, at least ten organizations in Southeast Asia fell victim to similar breaches.
Since mid-2025, CL-STA-1062 has intensified its focus on critical infrastructure. The group scans for vulnerabilities and establishes footholds using ASPX web shells, facilitating initial reconnaissance and outbound communications to attacker-controlled servers. This process often leads to the deployment of additional payloads, including SoftEther VPN components and RAR archives containing their toolset. These tools, such as Yuze (a SOCKS5 proxy) and VNT (a VPN), are frequently disguised as legitimate executables like “XDRAgent.exe,” “vmtools.exe,” and “vmwared.exe.”
Further analysis has uncovered TinyRCT, a previously undocumented .NET-based backdoor. Running under the filename “PerfWatson2.exe,” TinyRCT supports system reconnaissance, command execution, file upload, screenshot capture, remote control, and self-removal. It includes checks intended to evade sandbox environments and maintains communication with a remote server over HTTP, encrypting exchanged data with AES-128 in CBC mode. The malware follows a beaconing model with a default interval of ten seconds between communications: it polls the command-and-control server for instructions with GET requests and returns exfiltrated data with POST requests.
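The beaconing model described above, fixed-interval GET polling with POST uploads on the same client-to-host channel, is something a defender can hunt for in web-proxy logs without any knowledge of the encryption key. The following is an added example, not code from the original report or from the actor's tooling. It assumes a simple one-request-per-line proxy log format; the host names, IP addresses and log lines are constructed placeholders, and the jitter, interval and count thresholds are assumptions to tune per environment.

```python
"""
Beacon-periodicity hunt for TinyRCT-style HTTP command-and-control.

Added example (not from the original report). Assumed log format, one
request per line:  <ISO timestamp> <client IP> <method> <host> <path>
The hunt groups requests by (client, host), measures the regularity of
GET polling, and reports channels that poll at a near-constant interval
(the report gives TinyRCT a 10-second default) with POSTs interleaved.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample log lines (not real traffic). 10.1.1.20 polls every
# 10 s and uploads once; 10.1.1.30 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2025-10-03T08:00:00 10.1.1.20 GET cdn.example.test /api/poll
2025-10-03T08:00:10 10.1.1.20 GET cdn.example.test /api/poll
2025-10-03T08:00:20 10.1.1.20 GET cdn.example.test /api/poll
2025-10-03T08:00:25 10.1.1.20 POST cdn.example.test /api/upload
2025-10-03T08:00:30 10.1.1.20 GET cdn.example.test /api/poll
2025-10-03T08:00:40 10.1.1.20 GET cdn.example.test /api/poll
2025-10-03T08:00:50 10.1.1.20 GET cdn.example.test /api/poll
2025-10-03T08:00:02 10.1.1.30 GET intranet.example.test /index.html
2025-10-03T08:00:47 10.1.1.30 GET intranet.example.test /news
2025-10-03T08:01:03 10.1.1.30 GET intranet.example.test /news/2
2025-10-03T08:02:59 10.1.1.30 POST intranet.example.test /login
2025-10-03T08:03:40 10.1.1.30 GET intranet.example.test /dashboard
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, method, host, path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, path))
    return events


def channel_stats(events):
    """Per (client, host): GET interval statistics plus the number of POSTs."""
    gets = defaultdict(list)
    posts = defaultdict(int)
    for ts, client, method, host, _path in events:
        key = (client, host)
        if method == "GET":
            gets[key].append(ts)
        elif method == "POST":
            posts[key] += 1

    stats = {}
    for key, times in gets.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 3:  # too few samples to judge regularity
            continue
        avg = mean(gaps)
        stats[key] = {
            "get_count": len(times),
            "median_gap": median(gaps),
            # coefficient of variation: 0.0 means perfectly regular polling
            "jitter": (pstdev(gaps) / avg) if avg else 0.0,
            "post_count": posts[key],
        }
    return stats


def find_beacons(events, min_gets=5, max_jitter=0.2, expected_gap=10.0, tolerance=2.0):
    """
    Return [(key, stats), ...] for channels that look like beacons, most regular first.
    expected_gap=None disables the interval match and flags any low-jitter poller,
    which matters because operators can change the default interval.
    """
    hits = []
    for key, s in channel_stats(events).items():
        if s["get_count"] < min_gets or s["jitter"] > max_jitter:
            continue
        if expected_gap is not None and abs(s["median_gap"] - expected_gap) > tolerance:
            continue
        hits.append((key, s))
    return sorted(hits, key=lambda item: item[1]["jitter"])


if __name__ == "__main__":
    for (client, host), s in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: median gap {s['median_gap']:.1f}s, "
              f"jitter {s['jitter']:.2f}, GETs {s['get_count']}, POSTs {s['post_count']}")
```

Treat a hit as a hunt lead rather than a verdict: update checkers and monitoring agents also poll on fixed schedules, so the next step is to pivot on the host, the requesting process (the report names “PerfWatson2.exe”), and whether the channel carries POST bodies that cannot be decoded as plaintext.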
The delivery mechanism for TinyRCT involves a malicious archive named “chrome_setup.zip,” which contains a legitimate executable. This method underscores the group’s strategic use of social engineering to distribute their malware.
The emergence of TinyRCT highlights the evolving tactics of Chinese-speaking APT groups targeting Southeast Asian entities. Pairing open-source tools with custom malware like TinyRCT reflects a mature cyber espionage tradecraft. Organizations in the region should prioritize detection of the techniques described here: ASPX web shells on internet-facing servers, SoftEther VPN and proxy binaries masquerading as legitimate executables, and fixed-interval HTTP beaconing, so that intrusions are caught before sensitive data is exfiltrated and operational integrity is affected.