Chinese-Speaking APT Deploys TinyRCT Backdoor in Southeast Asia Government Espionage Campaign

Excerpt: A Chinese-speaking threat actor has been linked to a new TinyRCT backdoor used in targeted cyber espionage attacks against government and critical infrastructure organizations across Southeast Asia.

CSBadmin
2 Min Read

Security researchers at Palo Alto Networks Unit 42 have identified a new cyber espionage campaign involving a previously undocumented backdoor known as TinyRCT, deployed by a Chinese-speaking advanced persistent threat (APT) cluster tracked as CL-STA-1062. The activity primarily targets government agencies, state-owned enterprises, and critical infrastructure sectors across Southeast Asia, with overlaps observed in earlier campaigns linked to the UAT-7237 group.

The threat actor employs a hybrid toolkit that combines widely available open-source utilities—such as SoftEther VPN, Mimikatz, and VNT—with custom malware designed for long-term persistence and stealth. TinyRCT represents the group’s latest bespoke implant, a lightweight remote access trojan capable of executing system commands, exfiltrating files, capturing screenshots, enumerating directories, and erasing traces of its activity from compromised systems.

According to researchers, the campaign typically begins with web shell deployments that enable reconnaissance and lateral movement within targeted networks. Attackers have been observed exfiltrating database content from MS SQL servers and harvesting entire directories of government web infrastructure source code. In multiple incidents between late 2025 and early 2026, at least ten organizations across the region were reportedly affected.

The malware is delivered through malicious ZIP archives disguised as legitimate software installers, such as “chrome_setup.zip,” which contain a real executable alongside a malicious DLL used for AppDomainManager injection. This technique allows the backdoor to be loaded silently when the legitimate executable runs; the backdoor then retrieves its main payload from remote infrastructure and establishes command-and-control communication encrypted with AES-128.
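A triage check a responder can run against a host or a file share, added here as an example and not code from the article or from Unit 42. It assumes the commonly documented AppDomainManager injection mechanism, in which an `<appDomainManagerAssembly>`/`<appDomainManagerType>` pair under `<runtime>` in an `<app>.exe.config` file makes the .NET runtime load a sidecar assembly when the signed executable starts; the article does not say which variant this loader used, so the script reports a generic indicator, not a signature. The sample configs, the file names and the `ExampleHelper` assembly name are constructed for the demonstration.

```python
"""Scan for .NET app configs that hand control to an AppDomainManager assembly.

Added example, not from the page or Unit 42. Assumes the common
AppDomainManager injection mechanism (config-file variant); the campaign's
exact loader variant is not stated on the page.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

RUNTIME_TAG = "runtime"
ADM_ASM = "appDomainManagerAssembly"
ADM_TYPE = "appDomainManagerType"


@dataclass
class Finding:
    config_path: str
    assembly: str
    manager_type: str
    sidecar_present: bool  # a DLL with the assembly's simple name sits beside the config


def _localname(tag: str) -> str:
    # Strip any XML namespace prefix: '{ns}runtime' -> 'runtime'
    return tag.rsplit("}", 1)[-1]


def parse_config_text(xml_text: str):
    """Return (assembly, type) if the config sets an AppDomainManager, else None."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _localname(elem.tag) != RUNTIME_TAG:
            continue
        asm = typ = None
        for child in elem:
            name = _localname(child.tag)
            if name == ADM_ASM:
                asm = child.get("value", "")
            elif name == ADM_TYPE:
                typ = child.get("value", "")
        if asm or typ:
            return asm or "", typ or ""
    return None


def scan_directory(directory: str) -> list:
    """Walk a tree and collect every *.exe.config that sets an AppDomainManager."""
    findings = []
    for dirpath, _, filenames in os.walk(directory):
        for fn in filenames:
            if not fn.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    hit = parse_config_text(fh.read())
            except (OSError, ET.ParseError):
                continue  # unreadable or not XML: skip, do not crash the sweep
            if hit is None:
                continue
            asm, typ = hit
            # The config usually names the assembly by simple name; the hijack
            # needs a same-named DLL dropped next to the legitimate executable.
            simple = asm.split(",")[0].strip()
            sidecar = bool(simple) and os.path.exists(os.path.join(dirpath, simple + ".dll"))
            findings.append(Finding(path, asm, typ, sidecar))
    return findings


# Constructed sample configs (not real artifacts from the campaign).
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleHelper" />
    <appDomainManagerType value="ExampleHelper.Entry" />
  </runtime>
</configuration>"""


def demo_scan() -> list:
    """Build a throwaway directory with one benign and one suspicious config and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "example_app.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(SUSPICIOUS_CONFIG)
        open(os.path.join(tmp, "ExampleHelper.dll"), "wb").close()  # empty stand-in sidecar
        with open(os.path.join(tmp, "other_app.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_CONFIG)
        return scan_directory(tmp)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

A hit with `sidecar_present=True` next to a legitimately signed executable is worth pulling for analysis; the same element does appear in a few legitimate applications, so the check is a lead for triage rather than a verdict on its own.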

TinyRCT operates on a beaconing model, periodically contacting attacker-controlled servers every few seconds to receive commands and exfiltrate data via HTTP requests. Researchers note that the use of both commodity tools and custom implants reflects a pragmatic but increasingly sophisticated approach, enabling the threat actor to maintain access while minimizing detection across sensitive government and infrastructure environments.
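The beaconing behaviour described above leaves a measurable trace in proxy or firewall logs: one host talks to one destination at nearly constant, short intervals. The following script, added here as an example and not code from the article or from Unit 42, scores source/destination pairs by the regularity of their request gaps. The log format, field layout, addresses and threshold values are constructed assumptions for illustration; adapt the parser to your own proxy's format.

```python
"""Beacon-interval analysis over constructed web proxy log lines.

Added example, not from the page or Unit 42. A timer-driven implant polling
every few seconds yields request gaps with a low coefficient of variation
(stdev / mean); user-driven browsing does not. Format and thresholds are
assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<timestamp> <src_ip> <dst_host> <method> <path> <status>"
SAMPLE_LOG = """\
2026-01-15T09:00:00 10.0.0.5 203.0.113.10 POST /api/v1/poll 200
2026-01-15T09:00:01 10.0.0.7 intranet.example.local GET /home 200
2026-01-15T09:00:05 10.0.0.5 203.0.113.10 POST /api/v1/poll 200
2026-01-15T09:00:10 10.0.0.5 203.0.113.10 POST /api/v1/poll 200
2026-01-15T09:00:14 10.0.0.7 intranet.example.local GET /news 200
2026-01-15T09:00:16 10.0.0.5 203.0.113.10 POST /api/v1/poll 200
2026-01-15T09:00:20 10.0.0.5 203.0.113.10 POST /api/v1/poll 200
2026-01-15T09:00:25 10.0.0.5 203.0.113.10 POST /api/v1/poll 200
2026-01-15T09:00:43 10.0.0.7 intranet.example.local GET /docs 200
2026-01-15T09:01:30 10.0.0.7 intranet.example.local GET /home 200
"""


def parse_log(text):
    """Yield (timestamp, src, dst) from each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def beacon_candidates(text, min_requests=5, max_mean_gap=60.0, max_cv=0.2):
    """Return {(src, dst): (count, mean_gap_seconds, cv)} for pairs whose
    request gaps are both short (mean <= max_mean_gap) and regular (cv <= max_cv).
    cv is pstdev(gaps) / mean(gaps); it stays small under modest jitter."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    results = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call the pattern periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m == 0 or m > max_mean_gap:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            results[key] = (len(stamps), m, cv)
    return results


if __name__ == "__main__":
    for (src, dst), (n, m, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} requests, mean gap {m:.1f}s, cv {cv:.3f}")
```

On the constructed sample the polling host is flagged (mean gap 5 s, cv about 0.13 despite one-second jitter) while the interactive browsing host is not. Software updaters and monitoring agents also poll on timers, so pair this with destination reputation and the short-interval, HTTP-POST profile the report describes before escalating.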

The latest in cybersecurity news and updates.

Sources: The Hacker News