Chinese-Speaking APT Uses New TinyRCT Backdoor in Southeast Asia Cyber Espionage Campaign


A Chinese-speaking advanced persistent threat group is using a newly documented backdoor called TinyRCT in attacks against government and critical infrastructure targets in Southeast Asia.

The campaign was detailed in a Palo Alto Networks Unit 42 report, which tracks the activity as CL-STA-1062. The attackers have focused on state-owned enterprises, energy organizations, and government entities across the region.

Unit 42 says the group has been active since at least March 2022 and uses a mix of public tools and custom malware. The most important new discovery is TinyRCT, a lightweight .NET remote access trojan built for command execution, file theft, screen capture, and cleanup.

What Is TinyRCT?

TinyRCT is a custom Windows backdoor that gives attackers remote control over infected systems. It can run commands, list files, steal files, capture screenshots, download additional payloads, and delete traces of itself.

The malware communicates with a command-and-control server over HTTP. However, Unit 42 says it encrypts exchanged data using AES-128 in CBC mode, making the traffic harder to read without deeper inspection.

The backdoor uses a beaconing model. By default, it checks in with its command server every 10 seconds, receives instructions through GET requests, and sends stolen data through POST requests.
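The check-in pattern described above is itself a detection opportunity. This added example (not Unit 42 tooling) flags client-to-host pairs in proxy logs whose GET requests recur at a near-constant interval close to the 10-second default; the log format, client address and lines are constructed, and the C2 address from the report is written without its defanging brackets.

```python
"""Periodic-beacon detection over proxy logs (added example, not Unit 42 tooling).
TinyRCT polls its C2 over HTTP every 10 seconds by default: GET to fetch tasking,
POST to return data. Low-jitter request intervals to one external host stand out
even though the bodies are AES-encrypted. Log format and lines are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp, client IP, method, URL (C2 address from the report).
SAMPLE_LOG = """\
2025-11-03T10:00:00 10.1.2.15 GET http://139.180.134.221/index
2025-11-03T10:00:10 10.1.2.15 GET http://139.180.134.221/index
2025-11-03T10:00:20 10.1.2.15 GET http://139.180.134.221/index
2025-11-03T10:00:21 10.1.2.15 POST http://139.180.134.221/index
2025-11-03T10:00:30 10.1.2.15 GET http://139.180.134.221/index
2025-11-03T10:00:40 10.1.2.15 GET http://139.180.134.221/index
2025-11-03T10:00:03 10.1.2.15 GET http://www.example.com/news
2025-11-03T10:00:47 10.1.2.15 GET http://www.example.com/images/a.png
2025-11-03T10:02:11 10.1.2.15 GET http://www.example.com/news
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) https?://([^/\s]+)")

def parse(lines):
    """Yield (timestamp, src, method, host) for lines that match the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def find_beacons(lines, period=10.0, tolerance=0.3, min_hits=4):
    """Return {(src, host): (median_gap, n_get, n_post)} for hosts that a client
    polls with GET at a near-constant interval close to `period` seconds."""
    gets, posts = defaultdict(list), defaultdict(list)
    for ts, src, method, host in parse(lines):
        (gets if method == "GET" else posts)[(src, host)].append(ts)
    hits = {}
    for key, times in gets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        # Relative jitter: 0 means perfectly regular polling, the TinyRCT default.
        jitter = statistics.pstdev(gaps) / med if med else float("inf")
        if abs(med - period) <= period * tolerance and jitter <= tolerance:
            hits[key] = (med, len(times), len(posts.get(key, [])))
    return hits
```

Run `find_beacons(SAMPLE_LOG.splitlines())` to get the flagged pairs; the ordinary browsing to www.example.com is ignored because it is too sparse and irregular.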

Who Is Behind the Campaign?

Unit 42 attributes the activity to CL-STA-1062, a Chinese-speaking intrusion cluster. The company also assesses with high confidence that CL-STA-1062 overlaps with UAT-7237, a group Cisco Talos documented in its own UAT-7237 research.

Cisco Talos described UAT-7237 in August 2025 as a Chinese-speaking APT that targeted web hosting infrastructure in Taiwan. Talos said the group focused on long-term persistence, open-source tooling, customized malware, and access to cloud and VPN infrastructure.

The newer Unit 42 findings suggest that the same broader activity has expanded from Taiwan-focused web infrastructure operations into Southeast Asian government and critical infrastructure networks.

Campaign Timeline and Targets

| Period | Observed activity | Target type |
| --- | --- | --- |
| Since March 2022 | CL-STA-1062 activity observed across East Asia | Strategic regional sectors |
| Mid-2025 | Campaigns linked to UAT-7237 against Taiwanese web infrastructure | Web hosting and infrastructure providers |
| September 2025 | Government entity compromised, with data taken from an MS SQL server | Southeast Asian government |
| October to December 2025 | At least 10 likely compromises observed | Organizations in Southeast Asia |
| Mid-2025 onward | Critical energy infrastructure targeted through web shells and follow-on tools | State-owned energy entities |

One September 2025 incident involved a Southeast Asian government entity where attackers deployed a web shell and exfiltrated database information from an MS SQL server. During the same operation, they also performed reconnaissance against another government entity in the same country.

Unit 42 says attackers staged and exfiltrated an entire directory of web server source code in one case. Between October and December 2025, researchers observed the likely compromise of at least 10 organizations in Southeast Asia.

The activity later moved more heavily toward critical infrastructure. In one country, the attackers targeted two state-owned critical energy infrastructure organizations and used infected networks to download additional payloads from attacker-controlled systems.

How the Attack Works

The campaign often starts with attackers exploiting vulnerable web applications and placing ASPX web shells on compromised systems. These web shells let the group run commands, drop more tools, collect system details, and begin internal reconnaissance.

The attackers also use tunneling and VPN tools such as SoftEther VPN, Yuze, and VNT. These tools help with command-and-control, lateral movement, and data exfiltration, and they are often disguised as VMware files or security agent executables.

The TinyRCT delivery chain uses a malicious archive named chrome_setup.zip. The archive contains a legitimate executable, a configuration file, and a malicious DLL. This layout abuses .NET AppDomainManager injection, a technique catalogued in MITRE ATT&CK, so that the trusted .NET process loads the malicious DLL at startup.

TinyRCT Capabilities

  • Runs arbitrary commands on the infected machine.
  • Collects host details such as username, machine name, OS version, local IP addresses, process ID, and execution path.
  • Lists directories and files for attacker review.
  • Reads text files and exfiltrates binary files.
  • Downloads extra files from attacker-controlled infrastructure.
  • Captures screenshots from the primary display.
  • Deletes its scheduled task and removes its own executable when ordered.

The loader downloads the TinyRCT payload as PerfWatson2.exe and saves it under the user’s local application data path. The filename mimics Microsoft Visual Studio telemetry naming, which may help the malware blend into a Windows environment.

To keep the malware running after reboot, the loader creates a scheduled task named GoogleUpdaterTaskSystem140.0.7272.0 with the highest available privileges. The task launches the malware whenever the user logs in.

TinyRCT also checks its execution environment. If it does not run from the expected local application data location, it exits. This behavior can help the malware avoid sandbox analysis and basic malware lab execution.

Tools and Infrastructure Seen in the Campaign

| Item | Role in the campaign |
| --- | --- |
| TinyRCT | Custom .NET backdoor for remote access, file theft, screenshots, and cleanup |
| ASPX web shells | Initial command execution and foothold after web application compromise |
| SoftEther VPN | Tunneling, persistence, and remote access |
| VNT | VPN and tunneling activity, sometimes disguised as VMware-related files |
| Yuze | SOCKS5 proxy use |
| Mimikatz | Credential theft activity |
| RAR archives | Tool staging and data exfiltration |

Unit 42 published several indicators tied to the activity, including TinyRCT hashes and command-and-control infrastructure. Key IP addresses include 139.180.134[.]221, 202.182.102[.]5, 45.76.210[.]43, and 45.32.113[.]172.

Security teams should review the full Unit 42 indicators and compare them against endpoint, proxy, DNS, firewall, and web server logs. Any match should trigger investigation, especially on internet-facing web servers.

The campaign also shows continuity with the earlier UAT-7237 research, where attackers relied on public and customized tools to gain persistence and move through victim environments.

Why This Matters for Southeast Asia

The campaign matters because it targets sectors that hold strategic and operational data. Government agencies and energy companies often manage sensitive records, internal applications, infrastructure plans, and source code that can support broader espionage goals.

The use of both open-source tools and custom malware also makes the activity harder to detect with simple signature-based defenses. Attackers can use common tools to blend into normal administrator activity, then deploy TinyRCT when they need more tailored access.

For defenders, the key issue is not only malware detection. Organizations also need to find exposed web applications, review suspicious scheduled tasks, hunt for unusual .NET loading behavior, and monitor for data staging in archive files.

  • Patch internet-facing web applications and prioritize systems exposed to public access.
  • Review web server directories for unexpected ASPX files or recently created web shells.
  • Check for suspicious scheduled tasks that imitate Google, VMware, security, or system tooling.
  • Search for PerfWatson2.exe outside legitimate Visual Studio paths.
  • Monitor outbound HTTP traffic to suspicious IP addresses and newly seen external hosts.
  • Investigate RAR archives created on web servers or application servers.
  • Look for suspicious .config files placed beside trusted .NET executables.
  • Use the MITRE ATT&CK entry for AppDomainManager injection to map detection opportunities.
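Two of the checks above (vendor-like scheduled tasks, and PerfWatson2.exe outside Visual Studio) can be run against a scheduled-task export. This added example is not Unit 42 tooling; it assumes the input is `schtasks /query /fo CSV /v` output, and the column subset and rows are constructed for illustration.

```python
"""Scheduled-task triage for TinyRCT persistence (added example, not Unit 42 tooling).
The loader registers GoogleUpdaterTaskSystem140.0.7272.0 to run PerfWatson2.exe from
the user's LocalAppData at logon. Input is assumed to be `schtasks /query /fo CSV /v`
output; the column subset and rows below are constructed for illustration."""
import csv
import io
import re

# Constructed export with four of the verbose schtasks columns.
SAMPLE_CSV = """\
"TaskName","Task To Run","Run As User","Schedule Type"
"\\GoogleUpdaterTaskSystem140.0.7272.0","C:\\Users\\alice\\AppData\\Local\\PerfWatson2.exe","alice","At logon time"
"\\GoogleUpdateTaskMachineUA","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua","SYSTEM","Hourly"
"\\Microsoft\\VisualStudio\\Telemetry","C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\PerfWatson2.exe","alice","At logon time"
"\\Backup","C:\\Windows\\System32\\wbadmin.exe start backup","SYSTEM","Daily"
"""

# Task names that imitate vendor or system tooling (per the hunting list above).
IMITATED_VENDORS = re.compile(r"google|vmware|update|defender|security|telemetry", re.I)
# Directories where legitimate vendor tasks normally live.
TRUSTED_DIRS = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\Local\\|\\Users\\[^\\]+\\", re.I)

def exe_path(task_to_run):
    """Strip arguments from a 'Task To Run' value, keeping only the executable path."""
    m = re.match(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', task_to_run.strip())
    return m[1] if m else task_to_run.strip()

def triage_tasks(csv_text):
    """Return [(task_name, reason)] for tasks that match the hunting rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, path = row["TaskName"], exe_path(row["Task To Run"])
        lower = path.lower()
        if lower.endswith("\\perfwatson2.exe") and "microsoft visual studio" not in lower:
            findings.append((name, "PerfWatson2.exe outside Visual Studio paths"))
        elif (IMITATED_VENDORS.search(name) and not TRUSTED_DIRS.match(path)
              and USER_WRITABLE.search(path)):
            findings.append((name, "vendor-like task name runs from a user-writable path"))
    return findings

if __name__ == "__main__":
    for name, reason in triage_tasks(SAMPLE_CSV):
        print(f"{name}: {reason}")
```

Only the constructed TinyRCT-style task is reported; the real Google Updater task and the Visual Studio copy of PerfWatson2.exe both run from trusted program directories and pass.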

Organizations in Southeast Asia, especially government agencies and energy operators, should treat this campaign as an active espionage risk. The combination of web shells, VPN tooling, credential theft, and a custom backdoor gives attackers several ways to maintain access after the first compromise.

The safest response is to combine patching with threat hunting. Teams should assume that vulnerable internet-facing systems may already have been probed and review logs for evidence of reconnaissance, lateral movement, tool downloads, and data exfiltration.

FAQ

What is TinyRCT?

TinyRCT is a custom .NET backdoor used by the CL-STA-1062 activity cluster. It can run commands, steal files, capture screenshots, download payloads, and remove traces of itself from infected Windows systems.

Who is CL-STA-1062?

CL-STA-1062 is a Chinese-speaking intrusion cluster tracked by Palo Alto Networks Unit 42. Researchers assess that it overlaps with UAT-7237, a group previously reported by Cisco Talos.

What organizations are being targeted?

The campaign targets government entities, state-owned enterprises, and critical infrastructure organizations in Southeast Asia, especially in the energy and government sectors.

How does TinyRCT infect systems?

Unit 42 traced one infection chain to a malicious archive named chrome_setup.zip. The archive uses a legitimate executable, a configuration file, and a malicious DLL to abuse AppDomainManager injection and download the TinyRCT payload.

What should security teams do first?

Security teams should patch exposed web applications, hunt for ASPX web shells, inspect suspicious scheduled tasks, review outbound traffic to known infrastructure, and search for TinyRCT-related files and hashes.
