CL-STA-1062 Uses TinyRCT Backdoor to Target Southeast Asian Governments and Energy Firms
A Chinese-speaking threat cluster tracked as CL-STA-1062 has been targeting government agencies and critical infrastructure in Southeast Asia with a custom Windows backdoor called TinyRCT. Researchers at Unit 42 said the group focused on state-owned enterprises in the energy and government sectors during 2025.
The activity is not new. The attackers have operated since at least March 2022, and Unit 42 assesses with high confidence that CL-STA-1062 is the same cluster Cisco Talos previously tracked as UAT-7237 in attacks on Taiwanese web hosting infrastructure.
The latest campaign shows a practical mix of open-source tools and custom malware. The attackers used web shells, SoftEther VPN, Mimikatz, VNT, password-protected RAR archives, and the newly documented TinyRCT backdoor to maintain access and steal data.
What CL-STA-1062 targeted
Unit 42 observed CL-STA-1062 activity against Southeast Asian government entities and critical infrastructure throughout 2025. In September 2025, the attackers compromised a government network, deployed web shells, and exfiltrated database information from an MSSQL server.
The attackers also scanned a separate government entity in the same country. That activity suggests they were looking for lateral movement paths and a wider foothold inside connected public-sector environments.
Between October and December 2025, researchers observed the likely compromise of at least 10 organizations in Southeast Asia. Two state-owned critical energy infrastructure entities in the same country were also compromised during the broader campaign.
Why TinyRCT matters
TinyRCT is a lightweight C# remote access trojan built for Windows. It gives attackers a direct channel for command execution, file discovery, file theft, screenshot capture, payload download, and cleanup.
The backdoor communicates with its command-and-control server over HTTP, but it encrypts traffic with AES-128 in CBC mode. Its default beacon interval is 10 seconds, which gives attackers frequent check-ins without needing continuous interactive access.
| Capability | What it allows attackers to do |
|---|---|
| Shell execution | Run commands on the infected Windows host |
| File listing | Enumerate directories and identify files worth stealing |
| File exfiltration | Compress, encrypt, and send files back to the C2 server |
| Screenshot capture | Collect visual information from the victim’s desktop |
| Payload download | Fetch and save additional tools from attacker infrastructure |
| Self-destruct | Remove its scheduled task and delete the PerfWatson2.exe payload |
How the TinyRCT infection chain works
The TinyRCT infection chain starts with a malicious archive named chrome_setup.zip. The archive contains a legitimate signed Chrome installer, a configuration file, and a malicious DLL named MyAppDomainManager.dll.
When the user runs the installer, the .NET runtime reads the nearby configuration file and loads the malicious DLL. This technique matches AppDomainManager hijacking, where attackers abuse .NET application loading behavior to run their own code inside a trusted process.
The loader first checks whether it runs from the user’s Downloads folder. If that check fails, it stops, which helps the malware avoid sandboxes or analysis environments where files often run from different paths.
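To show what the configuration-file side of this technique looks like to a defender, here is an added Python check (not code from the Unit 42 report or from the malware) that parses a constructed .NET application config and flags the AppDomainManager settings that redirect loading to a DLL beside the executable. The file name chrome_setup.exe.config and the config contents are assumptions; the two element names are the documented .NET settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a .NET application configuration file (assumed name
# chrome_setup.exe.config) dropped beside a signed installer. The two <runtime>
# elements are the documented .NET settings that tell the runtime to load a
# custom AppDomainManager before the application's own code runs.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
  </runtime>
</configuration>
"""

# Constructed listing of the extracted archive directory.
SAMPLE_DIR_LISTING = ["chrome_setup.exe", "chrome_setup.exe.config", "MyAppDomainManager.dll"]


def appdomainmanager_settings(config_xml: str) -> dict:
    """Return the AppDomainManager assembly/type values declared under <runtime>, if any."""
    root = ET.fromstring(config_xml)
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # tolerate a namespace prefix on the element
            if tag in ("appDomainManagerAssembly", "appDomainManagerType"):
                found[tag] = child.get("value", "")
    return found


def assess_config(config_xml: str, dir_listing: list) -> list:
    """Flag a config that redirects AppDomainManager loading to a DLL sitting beside the EXE."""
    findings = []
    settings = appdomainmanager_settings(config_xml)
    if not settings:
        return findings  # no AppDomainManager redirection declared: nothing to report
    findings.append("config declares a custom AppDomainManager: "
                    + ", ".join(f"{k}={v}" for k, v in sorted(settings.items())))
    # The assembly's simple name (before the first comma) is what the runtime probes
    # for as <name>.dll in the application directory.
    simple_name = settings.get("appDomainManagerAssembly", "").split(",")[0].strip()
    if simple_name:
        dll = simple_name + ".dll"
        if dll.lower() in {f.lower() for f in dir_listing}:
            findings.append(f"{dll} is present next to the executable (side-loading candidate)")
    return findings
```

Run against real endpoints, the same check would be applied to every *.exe.config found next to a signed binary in user-writable paths such as Downloads.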
Persistence and command-and-control behavior
After the loader passes its environment check, it contacts the staging server and downloads TinyRCT as PerfWatson2.exe into the user’s local application data directory. That filename mimics a legitimate Visual Studio telemetry component.

The loader then creates a scheduled task named GoogleUpdaterTaskSystem140.0.7272.0 with a GUID. The task runs at user logon with the highest available privileges, helping the infection survive reboots.
TinyRCT registers the infected host by collecting the username, machine name, operating system version, local IP addresses, process ID, execution path, and a randomly generated bot identifier. It encrypts that profile and sends it to the attacker’s server.
Open-source tools helped the attackers move inside networks
CL-STA-1062 did not rely only on TinyRCT. The group also used widely available tools for tunneling, credential theft, reconnaissance, and privilege escalation.
- SoftEther VPN was used for tunneling and persistent access.
- VNT was disguised as VMware-related files in some activity.
- Mimikatz and related techniques supported credential theft.
- JuicyPotato helped with privilege escalation.
- Traceroute helped map possible lateral movement paths.
- Password-protected RAR archives helped stage tools and stolen files.
The earlier Cisco Talos analysis of UAT-7237 also described a Chinese-speaking group focused on long-term persistence, VPN access, credential extraction, and selective web shell deployment. Those overlaps support Unit 42’s assessment that the clusters are the same activity group.
Why the campaign is serious for Southeast Asia
The campaign matters because it hit government and energy organizations, not only ordinary enterprise targets. These sectors often hold sensitive operational, policy, identity, and infrastructure data.
In one case, the attackers compressed and exfiltrated an entire web server source-code directory. That kind of theft can help attackers find more vulnerabilities, build future intrusion paths, or compromise related systems.

The Unit 42 report also notes that CL-STA-1062 activity has expanded from Taiwan-linked operations to government and critical infrastructure targets in Southeast Asia. That points to a broader regional espionage effort across the Asia-Pacific region.
Indicators defenders should review
| Indicator type | Indicator | Description |
|---|---|---|
| SHA256 | 00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c | chrome_setup.zip archive |
| SHA256 | 4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384 | TinyRCT backdoor |
| SHA256 | cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3 | TinyRCT downloader |
| IPv4 | 139.180.134[.]221 | Staging server used in the reported campaign |
| IPv4 | 45.32.113[.]172 | TinyRCT primary C2 server |
| File name | PerfWatson2.exe | TinyRCT payload masquerading as Visual Studio telemetry |
| File name | MyAppDomainManager.dll | Malicious DLL used in the loader chain |
| Scheduled task | GoogleUpdaterTaskSystem140.0.7272.0 | Persistence task created by the loader |
How security teams should respond
Organizations in Southeast Asia, especially government and energy operators, should review exposed web applications first. Unit 42 says the intrusions typically began with the exploitation of web applications to deploy ASPX web shells.
Defenders should also hunt for untrusted executables running from local application data directories, suspicious scheduled tasks, and regular outbound HTTP beaconing. MITRE’s AppDomainManager technique page recommends watching for unusual .NET configuration changes, unsigned DLL loads, and trusted processes loading unexpected assemblies.
- Search for chrome_setup.zip, MyAppDomainManager.dll, and PerfWatson2.exe on Windows endpoints.
- Review scheduled tasks that impersonate Google, VMware, Visual Studio, or security products.
- Investigate outbound connections to reported C2 IP addresses.
- Audit IIS and web application servers for ASPX web shells.
- Check for SoftEther VPN, VNT, Mimikatz, fscan, JuicyPotato, and password-protected RAR archives.
- Review MSSQL logs and web server directories for suspicious exports or archive creation.
- Rotate exposed credentials and inspect domain admin activity after any confirmed compromise.
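As an added illustration (not from the Unit 42 report), the following Python script shows the beaconing hunt mentioned above on constructed proxy log lines: it groups requests per source and destination pair and flags pairs whose inter-request timing is short and regular, as TinyRCT's 10-second default interval would be. The log format, the internal addresses, the timestamps and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_ip> <method> <path>". The first
# destination is the TinyRCT C2 address the article reports (defanged there as
# 45.32.113[.]172); 203.0.113.7 is a documentation address standing in for normal browsing.
SAMPLE_LOG = """\
2025-10-14T08:00:00 10.0.0.15 45.32.113.172 POST /api
2025-10-14T08:00:10 10.0.0.15 45.32.113.172 POST /api
2025-10-14T08:00:20 10.0.0.15 45.32.113.172 POST /api
2025-10-14T08:00:30 10.0.0.15 45.32.113.172 POST /api
2025-10-14T08:00:40 10.0.0.15 45.32.113.172 POST /api
2025-10-14T08:00:51 10.0.0.15 45.32.113.172 POST /api
2025-10-14T08:00:03 10.0.0.15 203.0.113.7 GET /index.html
2025-10-14T08:02:41 10.0.0.15 203.0.113.7 GET /news
2025-10-14T08:09:15 10.0.0.15 203.0.113.7 GET /about
2025-10-14T08:31:02 10.0.0.15 203.0.113.7 GET /contact
2025-10-14T08:45:10 10.0.0.15 203.0.113.7 GET /team
"""


def parse_log(text: str) -> dict:
    """Group request timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, _method, _path = line.split()
            events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_candidates(events: dict, min_events: int = 5,
                      max_period: float = 60.0, max_jitter: float = 0.25) -> list:
    """Return (src, dst, median gap in seconds) for pairs with short, regular request timing."""
    hits = []
    for (src, dst), times in events.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0 or period > max_period:
            continue  # long gaps: interactive use, not a timer
        # Coefficient of variation is near 0 for a fixed timer such as TinyRCT's 10 s default.
        if pstdev(gaps) / period <= max_jitter:
            hits.append((src, dst, period))
    return hits
```

Flagged pairs should then be compared against the reported C2 addresses and the process that opened the connection, since a regular timer alone also matches legitimate update and telemetry clients.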
What makes CL-STA-1062 difficult to detect?
The group’s tradecraft relies on blending custom malware with tools that administrators may recognize. SoftEther VPN, remote access tools, and command-line utilities can look legitimate unless teams correlate them with unusual paths, names, parent processes, and destinations.
The attackers also disguise tools as VMware executables or trusted service names. This makes simple filename-based detection weak, especially in environments that already use virtualization and remote administration software.
The safest approach combines endpoint controls, network inspection, identity monitoring, and web server hardening. TinyRCT gives CL-STA-1062 a compact backdoor, but the wider intrusion pattern still leaves signs across scheduled tasks, outbound traffic, archives, web shells, and credential use.
FAQ
CL-STA-1062 is a Chinese-speaking threat cluster tracked by Unit 42. Researchers assess with high confidence that it overlaps with Cisco Talos’ UAT-7237 activity group.
TinyRCT is a lightweight C# remote access trojan for Windows. It can run commands, list and steal files, capture screenshots, download payloads, and delete itself.
The campaign targeted government entities and critical infrastructure in Southeast Asia, including state-owned organizations in the energy sector.
The loader downloads TinyRCT as PerfWatson2.exe and creates a scheduled task that runs the malware at user logon with high privileges.
Defenders should check exposed web applications, ASPX web shells, suspicious scheduled tasks, untrusted binaries in local app data paths, outbound beaconing, and tools such as SoftEther VPN, VNT, Mimikatz, and JuicyPotato.