Threat Intelligence
Chinese APT CL-STA-1062 targets Southeast Asia with new TinyRCT backdoor

A Chinese-speaking threat actor tracked as CL-STA-1062 has conducted persistent operations in East Asia since March 2022 and, since mid-2025, has focused on government and critical energy infrastructure in Southeast Asia, according to a report by Palo Alto Networks Unit 42. The group, previously tracked as UAT-7237, breached at least 10 organizations in Southeast Asia between October and December 2025, according to information published by Security Affairs.

CL-STA-1062 uses a hybrid toolkit that pairs open-source tools (SoftEther VPN, Mimikatz and VNT) with a newly identified custom backdoor named TinyRCT. Initial access is gained through ASPX web shells planted on vulnerable web applications. The attackers then establish persistence with VPN software and other tools disguised as legitimate system processes. TinyRCT is a lightweight C# backdoor that supports arbitrary command execution, file exfiltration, screenshot capture and self-deletion; a simplified Chinese string in its code points to its origin. The malware uses hardcoded C2 addresses and AES-128 CBC encryption. Delivery often relies on a malicious DLL bundled with a seemingly legitimate application installer.

The group has been observed exfiltrating data, including web server source code, and conducting network reconnaissance to identify lateral-movement opportunities. It also uses tools such as JuicyPotato for privilege escalation and compresses stolen data into password-protected RAR archives before exfiltration. Unit 42 assesses that this activity will continue, with Southeast Asian energy and government organizations remaining the primary targets.

Source: Security Affairs
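The tradecraft described in the report (ASPX web shells, renamed VPN tooling, JuicyPotato privilege escalation, password-protected RAR staging) leaves recognisable traces in process-creation telemetry. The script below is an added example of a triage pass over such events; it is not code from Unit 42, Security Affairs or the threat actor. The field names follow Sysmon Event ID 1 conventions, the sample events are constructed rather than captured, and the JuicyPotato switch pattern, the SoftEther original-file names, the IIS worker name and the shell names are assumptions drawn from the public tools, not from the report.

```python
"""Triage process-creation events for the CL-STA-1062 tradecraft described above.

Added example, not the report's or the actor's code. Field names mirror Sysmon
Event ID 1 (Image, CommandLine, ParentImage, OriginalFileName); all events below
are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    original_file_name: str = ""  # version-resource name, as Sysmon reports it


# Assumption: ASPX web shells execute inside the IIS worker process w3wp.exe,
# so a shell spawned directly by it is a strong web shell indicator.
IIS_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: SoftEther's own binary names, as carried in their version resources.
VPN_ORIGINALS = {"vpnserver.exe", "vpnclient.exe", "vpnbridge.exe"}
RAR_IMAGES = {"rar.exe", "winrar.exe"}

# rar -p<pw> encrypts file data, -hp<pw> also encrypts archive headers.
RAR_PASSWORD = re.compile(r"(?:^|\s)-h?p\S*")
# Assumption: public JuicyPotato usage is "-l <port> -p <program> -t * -c {CLSID}".
JP_CLSID = re.compile(r"-c\s*\{[0-9a-f-]{36}\}")
JP_PROGRAM = re.compile(r"-p\s")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(ev: ProcEvent) -> List[str]:
    """Return a list of findings for one event (empty if nothing matched)."""
    findings = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    cl = ev.command_line.lower()

    if parent in IIS_WORKERS and img in SHELLS:
        findings.append("webshell: IIS worker spawned a shell")
    if img in RAR_IMAGES and RAR_PASSWORD.search(cl):
        findings.append("exfil-staging: password-protected RAR archive")
    if JP_CLSID.search(cl) and JP_PROGRAM.search(cl):
        findings.append("privesc: JuicyPotato-style CLSID abuse")
    if ev.original_file_name.lower() in VPN_ORIGINALS and img not in VPN_ORIGINALS:
        findings.append("persistence: SoftEther VPN binary renamed")
    return findings


def triage_all(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that matched."""
    return {i: triage(ev) for i, ev in enumerate(events) if triage(ev)}


# Constructed sample events (not captured telemetry). The CLSID is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami /all"',
              r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcEvent(r"C:\Users\Public\svchost.exe", "svchost.exe /start",
              r"C:\Windows\explorer.exe", original_file_name="vpnserver.exe"),
    ProcEvent(r"C:\Program Files\WinRAR\rar.exe",
              r"rar.exe a -hpSecret123 C:\Users\Public\out.rar C:\inetpub\wwwroot",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\Public\jp.exe",
              r"jp.exe -l 1337 -p C:\Windows\System32\cmd.exe -t * "
              r"-c {00000000-0000-0000-0000-000000000000}",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),  # benign control event
]

if __name__ == "__main__":
    for idx, hits in triage_all(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, hits)
```

Each check is deliberately narrow so the script can run as a first pass over exported Sysmon or EDR data; the renamed-binary check in particular depends on the OriginalFileName field being populated, which is the case for Sysmon but not for every EDR export.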