A Chinese-speaking hacking group has rolled out a brand-new custom backdoor called TinyRCT, and it’s being used to hit government entities and critical infrastructure across Southeast Asia.
Palo Alto Networks’ Unit 42 is tracking the threat actor as CL-STA-1062, which overlaps with activity Cisco Talos reported back in August 2025 targeting web infrastructure in Taiwan. That group has been active since at least March 2022, going after energy and government sectors in East Asia.
TinyRCT is a .NET backdoor — lightweight but nasty. It can run arbitrary commands, enumerate and exfiltrate files, capture screenshots, and delete itself to cover its tracks. It phones home to a command-and-control server over HTTP, encrypting the message bodies with AES-128 in CBC mode, so network detection has to lean on the HTTP envelope and beaconing pattern rather than on payload content.
The attackers typically get in through ASPX web shells, then use open-source tools like SoftEther VPN, Mimikatz, and a SOCKS5 proxy called Yuze to move around the network. They disguise their tools as VMware executables to avoid detection.
Unit 42 says it’s detected breaches of at least 10 different organizations in Southeast Asia between October and December 2025. That’s a wide net.
