TinyRCT Backdoor: Chinese APT Targets Southeast Asia

Palo Alto Networks Unit 42 detected campaigns between October and December 2025 that targeted at least 10 organizations in Southeast Asia, and published its findings on June 25, 2026. A Chinese-speaking APT group, CL-STA-1062 (also tracked as UAT-7237), deployed a new custom .NET backdoor named TinyRCT against critical infrastructure and government entities. This is a significant shift for a group previously associated with operations against Taiwan; the group has been active since at least March 2022, and its objective throughout has been long-term access and data exfiltration rather than quick theft.

What Happened

The CL-STA-1062 campaign, active since at least March 2022 in East Asia, pivoted its primary focus to Southeast Asia from mid-2025 onwards. Their targets are consistently high-value: government entities and critical infrastructure, specifically state-owned enterprises within the energy and government sectors. Attackers often establish initial access through ASPX web shells, exploiting vulnerable public-facing web applications.

Once a foothold is gained, the group delivers TinyRCT, a lightweight custom .NET backdoor (PerfWatson2.exe) written in C# for Windows. Delivery often involves a malicious archive such as "chrome_setup.zip", which contains a legitimate executable, a configuration file, and a rogue DLL (MyAppDomainManager.dll) used for AppDomainManager injection: the .NET Framework loads whatever AppDomainManager the executable's config file names, so the legitimate executable itself pulls in the attacker's DLL before running any of its own code. The DLL acts as a downloader, contacting 139.180.134[.]221 to retrieve PerfWatson2.exe.

TinyRCT itself is quite capable: it executes arbitrary commands, enumerates and exfiltrates files in 40KB gzip-compressed, AES-encrypted chunks, captures screenshots as JPEG, downloads files from URLs, and can delete itself. It communicates with its C2 server, 45.32.113[.]172, over HTTP using AES-128 in CBC mode with a hardcoded key ("ThisIsASecretKey87654321"; note that this 24-character string is longer than a 128-bit key, and how the key material is trimmed or derived is not stated in the summary here), polling for instructions via GET requests every 10 seconds. The malware also includes an anti-analysis measure, terminating if it is not running from %LOCALAPPDATA%, and its code contains a simplified Chinese string, strongly hinting at its origin.

Why It Matters

The TinyRCT backdoor campaign by CL-STA-1062 represents a persistent, evolving threat from a sophisticated, state-sponsored actor targeting highly sensitive sectors. The focus on critical infrastructure and government in Southeast Asia poses significant national security and economic risks. This is intelligence gathering aimed at long-term access, not simple data theft.

Palo Alto Networks Unit 42 confirmed breaches of at least 10 organizations between October and December 2025. The group's consistent use of a hybrid toolkit, including SoftEther VPN, Mimikatz for credential harvesting, and JuicyPotato for privilege escalation, alongside custom malware like TinyRCT, demonstrates a methodical approach to maintaining stealth and persistence. Exfiltration of web server source code from a government entity and of database contents from an MS SQL server is reported; no affected organization has confirmed this. No ransom demands have been reported, supporting the assessment of espionage objectives. This is deep, embedded access, not a hit-and-run.

Affected Scope & Remediation

Organizations exposed to TinyRCT are primarily those in Southeast Asia with public-facing web applications, especially ASPX-based systems, that are vulnerable to exploitation. Government entities and state-owned enterprises in the energy and general government sectors are explicitly targeted. While TinyRCT itself is a Windows-specific backdoor, the initial compromise vector is through web server vulnerabilities.

To mitigate this threat, immediate action is necessary. Prioritize patching all public-facing web applications for known vulnerabilities, paying close attention to ASPX-based servers. Deploy a web application firewall (WAF) tuned to detect and block web shell uploads and other common exploitation attempts, and treat it as one layer only: you cannot rely solely on perimeter defenses.

Beyond patching, organizations should:

  • Actively hunt for indicators of compromise (IoCs), including the TinyRCT executable (PerfWatson2.exe), the malicious DLL (MyAppDomainManager.dll), and C2 domains/IPs like 45.32.113[.]172 and 139.180.134[.]221.
  • Implement endpoint detection and response (EDR) solutions, such as CrowdStrike Falcon or SentinelOne, configured to detect unusual process execution, particularly from %LOCALAPPDATA%, and anomalous network connections.
  • Monitor all outbound HTTP traffic for connections to suspicious IP addresses and domains.
  • Strengthen authentication mechanisms and enforce multi-factor authentication (MFA) across all systems to counter credential harvesting attempts by tools like Mimikatz.
  • Regularly audit systems for rogue VPN installations (SoftEther VPN) or SOCKS proxies (VNT) disguised as legitimate software.
  • Review logs for evidence of privilege escalation attempts using tools like JuicyPotato.

The timeline matters for scoping a hunt. Unit 42 observed the breaches between October and December 2025 and published on June 25, 2026, but the group has been active since March 2022 and turned its attention to Southeast Asia from mid-2025, so retrospective searches should cover that longer window rather than only the reported quarter. This is a long game, not a quick smash-and-grab.

No specific CVEs were reported as exploited for this campaign; rather, the group exploited vulnerable web applications, meaning ongoing vulnerability management is critical.

Source: paloaltonetworks.com

Technical Breakdown

The TinyRCT attack chain typically begins with T1190 (Exploit Public-Facing Application), where CL-STA-1062 gains initial access by exploiting vulnerabilities in web applications, often deploying ASPX web shells. This is their bread and butter for initial compromise.
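Because the initial access described above (and in the What Happened and remediation sections) rests on ASPX web shells, the most useful first hunt is in the IIS logs. The following is an added example, not code from the Unit 42 report or from the page's sources: it parses IIS W3C-format lines and flags POST traffic to .aspx paths that are not part of the application's known page set, come from only one or two client IPs, and never carry a Referer, which is how a freshly dropped shell being driven by a script tends to look. The log excerpt, paths, IPs and the KNOWN_PAGES baseline are all constructed for the example.

```python
"""Hunt for web shell activity in IIS W3C logs.

Added example, not from the Unit 42 report. A freshly dropped ASPX web shell
tends to appear as POSTs to a .aspx path absent from the application's known
page set, driven by one or two client IPs, with no Referer. The log excerpt is
constructed in IIS's default W3C field order; the paths and IPs are invented.
"""
from collections import defaultdict
from typing import Dict, List, Set

DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
                  "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
                  "time-taken").split()

# Constructed sample: ordinary logins from several users, then one scripted
# client hammering a .aspx file under an upload directory with no Referer.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-11-03 08:01:12 10.10.1.4 GET /login.aspx - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 31
2025-11-03 08:01:19 10.10.1.4 POST /login.aspx - 443 - 192.0.2.10 Mozilla/5.0 https://portal.example/login.aspx 302 0 0 87
2025-11-03 08:05:02 10.10.1.4 POST /login.aspx - 443 - 192.0.2.44 Mozilla/5.0 https://portal.example/login.aspx 302 0 0 90
2025-11-03 08:07:40 10.10.1.4 POST /login.aspx - 443 - 192.0.2.77 Mozilla/5.0 https://portal.example/login.aspx 200 0 0 85
2025-11-03 08:41:03 10.10.1.4 POST /uploads/tmp/img.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 412
2025-11-03 08:41:09 10.10.1.4 POST /uploads/tmp/img.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 388
2025-11-03 08:42:55 10.10.1.4 POST /uploads/tmp/img.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 1204
"""

# Hypothetical baseline: .aspx pages the deployed application is known to serve.
KNOWN_PAGES = {"/login.aspx", "/default.aspx"}


def parse_iis(text: str) -> List[Dict[str, str]]:
    """Parse W3C lines into dicts, honouring a #Fields: directive when present."""
    fields = list(DEFAULT_FIELDS)
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; in a real hunt, record it rather than drop it
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious_aspx(rows: List[Dict[str, str]], known_pages: Set[str],
                    max_clients: int = 2) -> List[Dict[str, object]]:
    """Return .aspx paths receiving Referer-less POSTs from at most max_clients IPs."""
    stats = defaultdict(lambda: {"posts": 0, "clients": set(), "no_referer": 0, "ok": 0})
    for r in rows:
        path = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or not path.endswith(".aspx"):
            continue
        s = stats[path]
        s["posts"] += 1
        s["clients"].add(r["c-ip"])
        s["no_referer"] += int(r["cs(Referer)"] == "-")
        s["ok"] += int(r["sc-status"] == "200")
    findings = []
    for path, s in stats.items():
        if path in known_pages:
            continue
        if len(s["clients"]) <= max_clients and s["no_referer"] == s["posts"]:
            findings.append({"path": path, "posts": s["posts"],
                             "clients": sorted(s["clients"]), "http_200": s["ok"]})
    return findings


def demo() -> List[Dict[str, object]]:
    """Run the hunt over the constructed excerpt."""
    return suspicious_aspx(parse_iis(SAMPLE_LOG), KNOWN_PAGES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the KNOWN_PAGES baseline comes from the application's deployment manifest or from the set of .aspx paths seen before the suspected compromise window; a path that appears only inside an upload or temp directory, as in the sample, should be pulled and inspected immediately.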

Following initial access, the group uses a quiet technique to deliver TinyRCT. They package a malicious archive, for example "chrome_setup.zip", containing a legitimate executable, a configuration file, and a rogue DLL, MyAppDomainManager.dll. The .NET Framework reads the AppDomainManager assembly and type from the executable's .config file (the same redirection can be set with the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables), so the legitimate executable's own runtime loads MyAppDomainManager.dll before the program's entry point runs; no patching of the signed binary is needed. That rogue manager then downloads and executes TinyRCT (PerfWatson2.exe) from a remote server such as 139.180.134[.]221, a clear instance of T1105 (Ingress Tool Transfer).
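The staging artefact for this technique, described here and in the What Happened section, is an .exe.config that names an AppDomainManager assembly sitting next to a legitimate executable. The script below is an added example, not Unit 42's code and not derived from the TinyRCT sample: it walks a directory tree, parses every <name>.exe.config, reports any that set appDomainManagerAssembly/appDomainManagerType under <runtime>, and checks whether the named DLL is present beside the executable. It also reports the equivalent environment-variable override. The staging directory it builds in a temp folder is constructed to resemble the reported chrome_setup.zip layout; the executable name "chrome_setup.exe" and the vendor path are assumptions.

```python
"""Hunt for AppDomainManager injection staging on a .NET host.

Added example, not Unit 42's code and not from the TinyRCT sample. The .NET
Framework honours <runtime><appDomainManagerAssembly>/<appDomainManagerType>
in an executable's <name>.exe.config, and the APPDOMAIN_MANAGER_ASM /
APPDOMAIN_MANAGER_TYPE environment variables, so a config that names a DLL
dropped beside a legitimate exe is the artefact to look for. The staging
directory built by demo() is constructed; "chrome_setup.exe" is an assumption.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional

CONFIG_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def parse_app_config(config_path: Path) -> Optional[Dict[str, str]]:
    """Return the AppDomainManager settings declared under <runtime>, or None."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for tag in CONFIG_TAGS:
        element = runtime.find(tag)
        if element is not None and element.get("value"):
            found[tag] = element.get("value")
    return found or None


def assembly_name(assembly_ref: str) -> str:
    """'MyAppDomainManager, Version=1.0.0.0, Culture=neutral' -> 'MyAppDomainManager'."""
    return assembly_ref.split(",", 1)[0].strip()


def hunt(directory: Path) -> List[Dict[str, object]]:
    """Report every <exe>.config under `directory` that redirects the AppDomainManager."""
    findings = []
    for config in sorted(directory.rglob("*.exe.config")):
        settings = parse_app_config(config)
        if not settings:
            continue
        exe = config.with_suffix("")  # foo.exe.config -> foo.exe
        asm_ref = settings.get("appDomainManagerAssembly", "")
        dll = config.parent / (assembly_name(asm_ref) + ".dll") if asm_ref else None
        findings.append({
            "config": str(config),
            "exe_present": exe.exists(),
            "manager_assembly": asm_ref,
            "manager_type": settings.get("appDomainManagerType", ""),
            "dll_beside_exe": bool(dll and dll.exists()),
        })
    return findings


def env_overrides() -> Dict[str, str]:
    """The same redirection can be applied per process through environment variables."""
    return {name: os.environ[name] for name in ENV_VARS if name in os.environ}


MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
  </runtime>
</configuration>
"""

BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def build_sample_tree(base: Path) -> None:
    """Constructed sample: one staged hijack next to one ordinary .NET application."""
    staged = base / "chrome_setup"
    staged.mkdir()
    (staged / "chrome_setup.exe").write_bytes(b"MZ")        # stand-in for the legitimate exe
    (staged / "chrome_setup.exe.config").write_text(MALICIOUS_CONFIG)
    (staged / "MyAppDomainManager.dll").write_bytes(b"MZ")  # stand-in for the rogue DLL
    benign = base / "Program Files" / "Vendor"
    benign.mkdir(parents=True)
    (benign / "Vendor.exe").write_bytes(b"MZ")
    (benign / "Vendor.exe.config").write_text(BENIGN_CONFIG)


def demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a temp dir and run the hunt over it."""
    base = Path(tempfile.mkdtemp(prefix="adm_hunt_"))
    build_sample_tree(base)
    return hunt(base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("environment overrides:", env_overrides() or "none")
```

Run it against user-writable locations first (%LOCALAPPDATA%, %TEMP%, Downloads), since a config that redirects a signed executable's AppDomainManager from such a path is almost never legitimate; vendor software that genuinely uses a custom AppDomainManager ships it under Program Files with a matching strong-name signature.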

Once executed, TinyRCT establishes persistent communication with its C2 server (45.32.113[.]172) using T1071.001 (Application Layer Protocol: Web Protocols) over HTTP. This backdoor is designed for remote command execution, file enumeration, and exfiltration (encrypted with AES-128 and gzip-compressed) and even captures screenshots. Its anti-analysis check, terminating if not run from %LOCALAPPDATA%, is a simple but effective way to frustrate sandboxing attempts.
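A fixed 10-second GET poll, as described here and in the What Happened section, is a strong signal in proxy logs regardless of what the payload looks like. The script below is an added example, not from the Unit 42 report: it groups GET requests by source and destination, measures the regularity of the gaps between them, and flags pairs whose gaps are nearly constant, tagging any destination that matches the C2 addresses named above. The log lines are constructed in a simple "epoch src dst method path" layout, so parse_line() is the piece to replace for a real proxy format.

```python
"""Flag metronomic HTTP polling such as TinyRCT's 10-second GET beacon.

Added example, not from the Unit 42 report. Proxy log lines are constructed in
a simple "epoch src dst method path" layout; replace parse_line() with one for
your proxy's real format. The C2 addresses are the ones named in the write-up.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

KNOWN_C2 = {"45.32.113.172", "139.180.134.221"}

# Constructed sample: host .5 polls the C2 every ~10 s; host .7 is a person browsing;
# the lone POST shows that non-GET traffic is ignored by the beacon logic.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + t:.1f} 10.0.0.5 45.32.113.172 GET /index.html"
     for t in (0, 10.1, 20.0, 30.0, 40.2, 50.0, 60.0, 70.0)]
    + [f"{1700000000 + t:.1f} 10.0.0.7 203.0.113.9 GET /news/{i}"
       for i, t in enumerate((0, 3, 50, 51, 171, 176, 206, 208))]
    + ["1700000005.0 10.0.0.5 198.51.100.20 POST /upload"]
)


def parse_line(line: str) -> Tuple[float, str, str, str, str]:
    ts, src, dst, method, path = line.split()
    return float(ts), src, dst, method, path


def beacon_candidates(log_text: str, min_requests: int = 6,
                      max_jitter: float = 0.15) -> List[Dict[str, object]]:
    """Group GETs by (src, dst) and keep pairs whose inter-request gaps are near-constant.

    jitter is the coefficient of variation of the gaps: close to 0 for a timer
    loop, well above 1 for a human clicking around.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, _ = parse_line(line)
        if method == "GET":
            times[(src, dst)].append(ts)

    candidates = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            candidates.append({
                "src": src,
                "dst": dst,
                "requests": len(stamps),
                "interval_s": round(avg, 2),
                "jitter": round(jitter, 3),
                "known_c2": dst in KNOWN_C2,
            })
    return candidates


def demo() -> List[Dict[str, object]]:
    """Run the detector over the constructed excerpt."""
    return beacon_candidates(SAMPLE_LOG)


if __name__ == "__main__":
    for candidate in demo():
        print(candidate)
```

The known_c2 flag is only a bonus: the periodicity test is what catches the next sample after the operators rotate infrastructure. Tune max_jitter upward if your proxy timestamps are coarse, and expect legitimate telemetry agents to show up too, which is why the output should be joined against an allow-list of known pollers before it reaches an analyst.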

For privilege escalation, the group frequently uses JuicyPotato, mapping to T1068 (Exploitation for Privilege Escalation). To dump credentials, they deploy Mimikatz, which falls under T1003.001 (OS Credential Dumping: LSASS Memory). Persistence is maintained not just by TinyRCT itself, but by disguising legitimate tools like SoftEther VPN and VNT (a SOCKS5 proxy) as system processes, sometimes via T1053.005 (Scheduled Task/Job: Scheduled Task). Data exfiltration, as observed with web server source code and MS SQL database info, happens over the C2 channel, primarily via T1041 (Exfiltration Over C2 Channel).

From a NIST SP 800-53 perspective, SI-2 Flaw Remediation is the control that prevents the initial web application compromises. CM-7 Least Functionality reduces the attack surface by ensuring only necessary services and handlers are exposed on the web tier. Spotting TinyRCT's beaconing and encrypted exfiltration is a monitoring problem, so it maps to SI-4 System Monitoring rather than to SC-8 Transmission Confidentiality and Integrity, which protects the organization's own traffic and does not address detection. Finally, IR-4 Incident Handling is essential for containing and eradicating such a persistent threat once detected.

Historical Context

The TinyRCT campaign represents an evolution of tactics from CL-STA-1062, a group that Cisco Talos tracks as UAT-7237. Prior to their shift to Southeast Asia, UAT-7237 was known for targeting web hosting infrastructure in Taiwan in August 2025.

Similarities across campaigns are notable. Both operations demonstrate a clear focus on long-term persistence in high-value victim environments, particularly VPN and cloud infrastructure. The group consistently exploits known vulnerabilities on unpatched, internet-exposed servers for initial access, uses JuicyPotato for privilege escalation, and employs Mimikatz for credential harvesting. They've also shown a pattern of making Windows Registry changes to disable UAC and enable cleartext password storage in previous campaigns.

However, a key difference lies in their custom toolkit. While the Taiwan operations used open-source tools heavily and a custom shellcode loader named "SoundBill" to deploy Cobalt Strike, the Southeast Asian campaign features the entirely new, bespoke TinyRCT backdoor. This shift indicates the group’s continued investment in developing custom malware to avoid detection, alongside their geographic expansion.

Data at a Glance

Metric                         Value             Source
Victims Reported               10 organizations  Palo Alto Networks
Campaign Duration (min)        49 months         SecurityWeek
Malware Variants               1 variant         The Hacker News
Initial Access Method          ASPX web shells   Security Affairs
C2 Polling Interval (TinyRCT)  10 seconds        Palo Alto Networks

[Key metrics chart not reproduced; values are those in the table above, from the sources cited.]

The CVEDaily Take

CL-STA-1062's sustained evolution from SoundBill to TinyRCT against shifting targets like Taiwan and now Southeast Asia's critical sectors underscores the adaptability of state-sponsored actors. The consistent use of web shells for initial access means basic hygiene remains paramount, but their custom tools necessitate advanced threat hunting. We think Palo Alto's report correctly highlights the long-term, espionage-focused nature of this campaign, evidenced by the absence of ransomware and the specific types of data claimed to be exfiltrated. The shift in custom tooling and geographic focus indicates that even organizations with advanced defenses against previous CL-STA-1062 campaigns might still be vulnerable to their new TTPs. Has your organization audited all public-facing web applications for known vulnerabilities and deployed web application firewalls (WAFs) to block web shell uploads in the last quarter?

FAQ

Q1: What is TinyRCT?
A1: TinyRCT is a new, lightweight custom .NET backdoor written in C# by the Chinese-speaking APT group CL-STA-1062 (UAT-7237), designed for command execution, file exfiltration, and reconnaissance on Windows systems, primarily against critical infrastructure.

Q2: Which sectors are targeted by CL-STA-1062 using TinyRCT?
A2: CL-STA-1062 primarily targets government entities and critical infrastructure, specifically state-owned enterprises in the energy and general government sectors across Southeast Asia.

Q3: How does CL-STA-1062 typically gain initial access for TinyRCT deployment?
A3: Initial access is frequently achieved by exploiting vulnerable public-facing web applications, often through ASPX web shells, to establish a foothold before deploying tools like TinyRCT via methods such as AppDomainManager injection.