Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign - The Hacker News

Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign Ravie LakshmananJun 26, 2026Cyber Espionage / Malware A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia. The activity, particularly aimed at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor called CL-STA-1062, which Palo Alto Networks Unit 42 said shares overlaps with UAT-7237, a hacking group that was first flagged by Cisco Talos in August 2025 in relation to a campaign directed against web infrastructure entities in Taiwan. Unit 42 said it also observed CL-STA-1062 campaigns in prior operations targeting strategic sectors in East Asia since March 2022, suggesting a broader but sustained focus in the region. "From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit," Unit 42 said in a technical report. "While they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor." TinyRCT is equipped to run arbitrary commands, enumerate files and exfiltrate them, capture the device's screen, and delete itself from the compromised host. In one campaign detected in September 2025, the threat actor is said to have infiltrated a Southeast Asian government entity and deployed a web shell to exfiltrate data from an MS SQL server. During the same attack, the threat actors have been found to conduct network reconnaissance on a separate government entity in the same country. "This suggests an effort to identify lateral movement opportunities and broaden their access. In one case, we observed the attacker staging and exfiltrating an entire directory of web server source code from the government entity," Unit 42 said, adding it detected the breach of at least 10 different organizations in Southeast Asia between October and December 2025. Since at least mid-2025, CL-STA-1062 has trained its sights on the critical infrastructure, with the adversary scanning multiple entities in the region for vulnerabilities and then establishing a foothold via ASPX web shells that facilitate initial reconnaissance and outbound requests from the infected networks to attacker-controlled infrastructure, leading to the deployment of additional payloads. This includes SoftEther VPN components and RAR archives containing the group's toolset, including open-source utilities such as Yuze (a SOCKS5 proxy) and VNT (a VPN), often disguising them as VMware executables or an XDR agent (e.g., "XDRAgent.exe," "vmtools.exe," and "vmwared.exe"). Further analysis of the campaign's infrastructure has led to the discovery of a previously undocumented .NET backdoor dubbed TinyRCT ("PerfWatson2.exe"), a lightweight remote access trojan that enables system reconnaissance, command execution, file uploads, screenshot capture, remote control, and wipe traces of itself, while taking steps to avoid running in sandboxed environments. It establishes a persistent communication channel with a remote server ("45.32.113[.]172") over HTTP, but encrypts the exchanged data using AES-128 encryption in CBC mode. "The malware operates on a beaconing model, with a default 10-second sleep interval between requests," Unit 42 explained. "It polls the C2 server for instructions using GET requests, while it sends exfiltrated data via POST requests." As for how TinyRCT is delivered, it takes the form of a malicious archive named "chrome_setup.zip" containing a legitimate executable ("chrome_setup.exe"), a configuration file ("chrome_setup.exe.config"), and a rogue DLL ("MyAppDomainManager.dll") that's used to trigger an AppDomainManager injection attack to load the malicious DLL, which functions as a downloader by contacting "139.180.134[.]221" to retrieve "PerfWatson2.exe." "The combination of tools observed in this activity cluster reflects a pragmatic approach to tool selection and attack capabilities," Unit 42 concluded. "The attackers behind this cluster continue to leverage common open-source tools such as SoftEther VPN and VNT to facilitate lateral movement." "Our discovery of the TinyRCT backdoor in the attackers' infrastructure underscores their ability to customize tools to gain specific capabilities. The combination of targeting critical infrastructure and the development of custom malware suggests that CL-STA-1062 activity will continue to pose a threat to the region." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, critical infrastructure, cyber espionage, Government, Malware, Web Shell ⚡ Top Stories This Week New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Load More ▼ ⭐ Featured Resources Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check [Watch Demo] See Which Security Gaps Attackers Could Exploit First Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown