Gbhackers
Chinese APT CL-STA-1062 Deploys TinyRCT Backdoor Against Southeast Asian Targets
The Chinese-speaking threat group CL-STA-1062 has been deploying a new .NET backdoor named TinyRCT against government organizations and critical energy infrastructure in Southeast Asia throughout 2025. The campaign combines open-source tooling with custom malware: SoftEther VPN provides tunneling into victim networks and Mimikatz is used for credential harvesting. The TinyRCT backdoor masquerades as PerfWatson2.exe, applies strict execution checks to avoid running outside its intended environment, and maintains a persistent, encrypted channel to its command-and-control server. The group has been linked to operations going back to March 2022 and has targeted state-owned enterprises, resulting in significant data exfiltration. Observed activity includes database breaches and prolonged access to critical energy organizations. The infection chain is stealthy: a socially engineered dropper runs the payload through trusted processes.
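The masquerade described above (a backdoor carrying the name of a legitimate Visual Studio helper), plus the use of SoftEther VPN and Mimikatz, gives defenders concrete things to hunt for. The following is an added detection example, not code from the article or from any vendor report on this campaign. It runs simple rules over constructed process-creation events in a simplified Sysmon Event ID 1 shape; the sample events, the assumed legitimate install location of PerfWatson2.exe (under a "Microsoft Visual Studio" directory) and its expected signer are assumptions for the example, and the SoftEther binary names and Mimikatz module prefixes are drawn from those tools' public command sets.

```python
"""Hunt for TinyRCT-style masquerading, SoftEther VPN and Mimikatz over endpoint events."""
from pathlib import PureWindowsPath

# Constructed sample events for this example only; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {  # legitimate Visual Studio helper (assumed install path and signer)
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "Signer": "Microsoft Corporation",
        "SignatureStatus": "Valid",
        "CommandLine": "PerfWatson2.exe",
    },
    {  # masquerade: right file name, user-profile path, unsigned, spawned from explorer
        "Image": r"C:\Users\alice\AppData\Roaming\PerfWatson2.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Signer": "",
        "SignatureStatus": "Unsigned",
        "CommandLine": "PerfWatson2.exe",
    },
    {  # SoftEther VPN client service binary dropped outside a normal install
        "Image": r"C:\ProgramData\svc\vpnclient.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Signer": "SoftEther Corporation",
        "SignatureStatus": "Valid",
        "CommandLine": "vpnclient.exe",
    },
    {  # Mimikatz run under a renamed binary; the module names give it away
        "Image": r"C:\Windows\Temp\upd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Signer": "",
        "SignatureStatus": "Unsigned",
        "CommandLine": '"upd.exe" "privilege::debug" "sekurlsa::logonpasswords" exit',
    },
    {  # benign noise
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Signer": "Microsoft Windows",
        "SignatureStatus": "Valid",
        "CommandLine": "notepad.exe report.txt",
    },
]

# Assumption: the genuine PerfWatson2.exe lives under a Visual Studio install
# directory and carries a valid Microsoft signature.
EXPECTED_PERFWATSON_DIR_FRAGMENT = "microsoft visual studio"
EXPECTED_PERFWATSON_SIGNER = "Microsoft Corporation"

# SoftEther VPN service/CLI binary names (from the public SoftEther distribution).
SOFTETHER_BINARIES = {"vpnclient.exe", "vpncmd.exe", "vpnserver.exe", "vpnbridge.exe"}

# Mimikatz module prefixes that survive renaming the executable.
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::")


def classify(event):
    """Return the list of rule names that fire for one process-creation event."""
    findings = []
    path = PureWindowsPath(event["Image"])
    name = path.name.lower()
    parent_dir = str(path.parent).lower()

    # Rule 1: a PerfWatson2.exe that is not where Visual Studio puts it, or is not
    # validly signed by Microsoft, is a masquerade candidate.
    if name == "perfwatson2.exe":
        if EXPECTED_PERFWATSON_DIR_FRAGMENT not in parent_dir:
            findings.append("perfwatson2_unexpected_path")
        if (event.get("Signer") != EXPECTED_PERFWATSON_SIGNER
                or event.get("SignatureStatus") != "Valid"):
            findings.append("perfwatson2_bad_signature")

    # Rule 2: SoftEther VPN binaries are a hunt lead on hosts where no VPN is expected.
    if name in SOFTETHER_BINARIES:
        findings.append("softether_vpn_binary")

    # Rule 3: Mimikatz command-line modules, regardless of the executable's name.
    cmd = event.get("CommandLine", "").lower()
    if any(marker in cmd for marker in MIMIKATZ_MARKERS):
        findings.append("mimikatz_commandline")

    return findings


def hunt(events):
    """Return (image, findings) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event["Image"], findings))
    return hits


if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```

Rule 1 is the one that targets this campaign directly: the attacker chose a file name that blends in, so the check keys on where the file runs from and who signed it rather than on the name alone. Rule 2 will also fire on legitimate SoftEther deployments and is a lead for triage, not a verdict.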
Key Points:
• CL-STA-1062 has targeted Southeast Asian government and energy sectors with the TinyRCT backdoor.
• The malware employs evasion techniques including strict execution checks and execution through trusted processes.
• Persistent operations since March 2022 indicate a long-term focus on regional critical infrastructure.