VYPR research · Published Jun 25, 2026 · 1 source

CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure with TinyRCT Backdoor

Unit 42 identifies a Chinese-speaking threat actor targeting government entities and critical infrastructure in Southeast Asia with a custom backdoor named TinyRCT.

Unit 42 has identified a threat actor, tracked as CL-STA-1062, conducting espionage against government entities and critical infrastructure in Southeast Asia. The actor deploys a hybrid toolkit that pairs common open-source utilities with custom malware, including a previously undocumented backdoor named TinyRCT, to compromise high-value targets in the region.

Throughout 2025, Unit 42 observed a cluster of activity targeting government entities and critical infrastructure in Southeast Asia, in particular state-owned enterprises in the energy sector and government bodies. The Chinese-speaking attackers behind this cluster, tracked as CL-STA-1062, have been active since at least March 2022. Unit 42 assesses with high confidence that this is the same cluster known as UAT-7237, previously reported for campaigns against web hosting infrastructure in Taiwan in mid-2025. Earlier operations also targeted strategic sectors in East Asia, indicating a broader, sustained regional focus.

From a technical standpoint, the attackers rely on a hybrid toolkit. While they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor. TinyRCT's capabilities include arbitrary command execution, file enumeration and exfiltration, screen capture, and a self-destruct mechanism.

In September 2025, Unit 42 discovered that CL-STA-1062 had compromised a Southeast Asian government entity by deploying web shells and exfiltrating database information. The attackers also conducted network reconnaissance on a separate government entity in the same country, suggesting efforts to identify lateral movement opportunities. Between October and December 2025, Unit 42 observed the likely compromise of at least ten different organizations in Southeast Asia.

Since mid-2025, the threat actor has focused on critical infrastructure. Unit 42 identified one critical infrastructure entity that had been under attack for several months, with activity spanning the entire attack lifecycle from initial access to data exfiltration. In the month after that discovery, two state-owned energy infrastructure entities in the same Southeast Asian country were compromised. The attackers first scanned the targets for vulnerabilities; the compromised hosts then made outbound requests to attacker-controlled infrastructure, downloading SoftEther VPN components and RAR archives containing additional tools.

The intrusions typically begin with the exploitation of internet-facing web applications to deploy ASPX web shells, which serve as the central mechanism for executing arbitrary commands, dropping additional tooling, and conducting initial reconnaissance. For command and control and data exfiltration, the attackers frequently rely on tunneling tools, including SoftEther VPN, yuze, and VNT, often disguised as legitimate binaries such as VMware executables or XDR agents.

Palo Alto Networks customers are protected through Cortex XDR and XSIAM, Advanced WildFire, Advanced URL Filtering, and Advanced DNS Security. Organizations in Southeast Asia should remain vigilant and implement robust detection and response measures to defend against this persistent threat.

Synthesized by Vypr AI