Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

Get the Geopolitics newsletter
Daily geopolitics — wars, elections, sanctions, the diplomatic moves that move markets. Free.
- CL-STA-1062 has been linked to a new custom .NET backdoor called TinyRCT targeting government entities and critical infrastructure in Southeast Asia, particularly state-owned energy enterprises
- Unit 42 attributed the activity to CL-STA-1062, which shares overlaps with UAT-7237 — a group Cisco Talos flagged in August 2025 for attacks on Taiwan web infrastructure — and has been targeting strategic sectors in East Asia since March 2022
- TinyRCT can run arbitrary commands, enumerate and exfiltrate files, capture screens, and self-delete from compromised hosts; it beacons to C2 server 45.32.113[.]172 over HTTP using AES-128 CBC encryption on a default 10-second interval
- In a September 2025 campaign, the actor infiltrated a Southeast Asian government entity, deployed a web shell to exfiltrate MS SQL server data, and simultaneously conducted network reconnaissance on a second government entity in the same country to scout lateral movement
- Unit 42 detected breaches of at least 10 different organizations in Southeast Asia between October and December 2025, with the actor disguising payloads as VMware executables or an XDR agent — filenames like "XDRAgent.exe," "vmtools.exe," and "vmwared.exe"
- TinyRCT is delivered via a malicious "chrome_setup.zip" archive that uses AppDomainManager injection through a rogue DLL ("MyAppDomainManager.dll") to load a downloader, which then fetches the backdoor from a second-stage server
Why it matters: For at least 10 Southeast Asian organizations compromised between October and December 2025 — including government entities and state-owned energy firms — the attackers exfiltrated entire directories of web server source code, putting internal infrastructure details in the hands of a Chinese-speaking APT with ties to a group already targeting Taiwan. The actor's ability to deploy a bespoke .NET backdoor alongside common open-source tools and to disguise payloads as legitimate security and virtualization binaries shows a deliberate, well-resourced espionage operation aimed at regional critical infrastructure.


