China-Linked Hackers Strike Asian CNI with New Backdoor

By Team-CWD, June 26, 2026

A sustained campaign by a China-linked threat actor targeting government entities and critical infrastructure in Southeast Asia has been uncovered by researchers at Palo Alto Networks’ Unit 42.

The group, tracked as CL-STA-1062 by Unit 42 researchers, has been active since at least March 2022.

This new campaign, observed throughout 2025, specifically targeted state-owned enterprises in the energy and government sectors across Southeast Asia.

This focus on critical infrastructure indicates “a clear strategic interest in disrupting or monitoring key regional industries” and suggests “a deliberate effort to compromise systems that could have significant geopolitical or economic impacts,” said the Unit 42 report, published on June 25.

CL-STA-1062 Introduced the TinyRCT Backdoor

In this campaign, CL-STA-1062 employed a hybrid toolkit that combines common open-source tools with custom-developed malware. Among the open-source tools frequently utilized are SoftEther VPN for secure communications, Mimikatz for credential harvesting, and VNT for network traversal.

Additionally, the threat group deployed TinyRCT for the first time: a previously undocumented backdoor designed to provide persistent access to, and control over, compromised systems.

TinyRCT’s capabilities include arbitrary command execution, allowing attackers to run any command on the infected system.

It also enables file enumeration and exfiltration, giving threat actors the ability to identify and steal sensitive documents or intellectual property.

Additionally, TinyRCT can capture screenshots of the victim’s desktop, providing visual insight into the user’s activities.

Perhaps most concerning is the backdoor’s self-destruct mechanism, which allows attackers to wipe evidence of their presence from the compromised system, complicating forensic analysis and incident response efforts.

The backdoor is designed to operate stealthily, avoiding detection by blending in with normal system activity. It communicates with command-and-control (C2) servers to receive instructions and exfiltrate data, employing encryption to obfuscate its communications. The self-destruct feature is triggered by a specific command from the C2 server, ensuring that the backdoor can be removed from compromised systems once its purpose has been served or if the operation is compromised.

“TinyRCT is particularly concerning due to its stealthy design and self-destruct mechanism,” explained Unit 42 researchers. “This backdoor allows attackers to maintain persistence while avoiding detection and it can erase itself when necessary to cover their tracks.”

Researchers Suspect a Chinese State-Backed Campaign

The researchers further highlighted that the use of a custom backdoor like TinyRCT indicates a high level of sophistication and resourcefulness on the part of the threat actor, suggesting state-sponsored involvement or significant financial backing.

They identified three critical infrastructure entities in an unnamed Southeast Asian country, including two state-owned energy organizations, that had been attacked with tactics similar to those used by CL-STA-1062.

“Between October and December 2025, we observed the likely compromise of at least ten different organizations in Southeast Asia,” the researchers added.

They further assessed “with high confidence” that this activity cluster is the same group tracked by Cisco Talos as UAT-7237, which was reported for campaigns targeting web hosting infrastructure in Taiwan in mid-2025.

The broader operational tempo across East Asia since 2022 suggests a sustained and deliberate regional focus by the threat actor.

“This campaign serves as a stark reminder of the persistent and evolving threat posed by sophisticated adversaries,” noted the Unit 42 researchers.

“Organizations must remain vigilant and proactive in their security posture to defend against such targeted attacks.”