Chinese Threat Group CL-STA-1062 Deploys TinyRCT Backdoor in Southeast Asia
The Chinese-speaking threat cluster CL-STA-1062 has been actively deploying a .NET backdoor named TinyRCT against government and critical energy infrastructure in Southeast Asia throughout 2025. The group has targeted state-owned enterprises, using a combination of open-source tools and custom malware. Key tools include SoftEther VPN for tunneling, and VNT and yuze for command-and-control operations. The campaign has been ongoing since at least March 2022, indicating a long-term strategy against critical sectors. The impact is significant, with multiple government agencies and energy-sector organizations affected. The use of bespoke malware alongside publicly available utilities highlights the group's sophisticated approach. Current status indicates continued activity with no immediate resolution in sight.
Key Points:
• CL-STA-1062 has deployed the TinyRCT backdoor against Southeast Asian government entities.
• The threat group combines open-source tools with custom malware for its operations.
• The campaign has been active since at least March 2022, targeting critical infrastructure.