There are cyberattacks that make headlines because they’re loud: ransomware that shuts down hospitals, data dumps that surface on dark web forums overnight. And then there are the ones that security researchers lose sleep over: the quiet, methodical, years-long infiltrations that leave almost no trace until it’s far too late. The campaign now attributed to a threat cluster called CL-STA-1062 falls squarely into the second category.
Researchers at Palo Alto Networks’ threat intelligence division, Unit 42, have published findings that detail a sustained offensive operation targeting government ministries and critical energy infrastructure across Southeast Asia, one that has been running, largely undetected, since at least March 2022. The attackers behind it are Chinese-speaking, technically disciplined, and apparently patient enough to spend months inside a compromised network before making their move.
At the center of their latest toolkit is something Unit 42 had never seen before: a bespoke backdoor called TinyRCT.
Three Years in the Shadows
The story of CL-STA-1062 doesn’t start in 2025. According to Unit 42’s telemetry, this group has been conducting operations across East Asia since 2022, a timeline that puts their activity well before most organizations in the region even began taking nation-state cyber threats seriously.
The group, which Unit 42 also connects with high confidence to a cluster tracked by Cisco Talos as UAT-7237, previously made headlines for campaigns against web hosting infrastructure in Taiwan in mid-2025. But Taiwan, it turns out, was just one theater in a much wider operation.
By September 2025, the group had pivoted hard toward Southeast Asian government and energy targets. Researchers discovered that the attackers had successfully compromised a Southeast Asian government entity, deploying web shells – those hidden, server-side scripts that act like a skeleton key for an attacker – and quietly siphoning database records from an MSSQL server. From there, they didn’t stop. They used their foothold inside one government network to conduct reconnaissance on a separate government entity in the same country, probing for lateral movement opportunities with the kind of patience that comes from knowing no one is watching.
In one particularly striking discovery, the attackers staged and exfiltrated an entire directory of web server source code. That’s not just intelligence theft; that’s map-making. With the source code of a government web platform in hand, an attacker can study every vulnerability, every authentication bypass, every weakness before returning for a second, more devastating strike.
Between October and December 2025 alone, Unit 42 identified the likely compromise of at least ten separate organizations across the region.
Energy Infrastructure in the Crosshairs
The escalation that most concerns analysts is the group’s laser focus on critical energy infrastructure (CEI), a phrase that, in plain terms, means the systems that keep the lights on, the refineries running, and the national grids stable.
Since mid-2025, CL-STA-1062 has been hammering at state-owned energy entities in the region. Researchers found that two state-owned critical energy infrastructure organizations in the same Southeast Asian country had been compromised in consecutive operations. The attackers scanned for vulnerabilities, established outbound connections to attacker-controlled servers, and delivered payloads that included SoftEther VPN components and RAR archives packed with their toolset, all disguised, in classic espionage tradecraft, as legitimate system files such as VMware executables and XDR agents.
The completeness of the attack lifecycle observed in at least one compromised energy network is what stands out. This wasn’t a smash-and-grab. Researchers documented activity covering every phase, from initial access through lateral movement and privilege escalation to data exfiltration. The attackers knew the environment. They moved through it deliberately.
Meet TinyRCT: The Backdoor They Built Themselves
Most threat actors – even sophisticated ones – rely heavily on publicly available tools. It’s cheaper, faster, and harder to attribute. CL-STA-1062 is no different: their standard toolkit includes open-source staples like SoftEther VPN, Mimikatz (the password-extraction tool beloved by attackers everywhere), and VNT.
But sometime recently, they built something new.
Unit 42 discovered a suspicious executable named PerfWatson2.exe – a name deliberately chosen to mimic a legitimate Microsoft Visual Studio telemetry component – hosted on attacker infrastructure at 139.180.134[.]221. When researchers analyzed the binary, they found a previously undocumented .NET backdoor written in C#. The authors call it TinyRCT.
The name is modest. The capabilities are not.
TinyRCT can execute arbitrary commands on the infected machine, enumerate and exfiltrate files, capture screenshots of the active screen, and – critically – destroy itself on command, leaving minimal forensic evidence behind. It’s a surveillance and remote management platform, built lean and built quietly.
How It Gets In
The infection chain begins with something deceptively mundane: a zip file named chrome_setup.zip. Inside are three files — a legitimate, signed Chrome setup executable, a malicious configuration file, and a malicious DLL named MyAppDomainManager.dll.
The technique used here is called AppDomainManager Injection, a method that abuses the trust relationship between a .NET application and its configuration file. When the victim runs what they believe is a legitimate Chrome installer, the .NET runtime reads the adjacent configuration file and silently loads the malicious DLL inside the context of a trusted, signed process. The malware runs. The victim sees nothing unusual.
But before executing anything, the malware is careful. It checks whether it’s running from the user’s Downloads directory. If it detects it’s been moved – to a sandbox, to an analyst’s desktop – it terminates immediately. The same anti-analysis behavior is baked into TinyRCT itself, which verifies it’s running from %LOCALAPPDATA% before proceeding.
This isn’t amateur code. These are the checks of a development team that has learned from mistakes and studied how defenders work.
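A defender-side check for the loader pattern described above, written as an added example and not taken from Unit 42’s research or from the malware. It assumes the dropped configuration file follows the standard .exe.config layout, where the .NET runtime reads appDomainManagerAssembly and appDomainManagerType from the runtime section; the sample configs, the chrome_setup.exe and chrome_setup.exe.config file names, and the directory paths are constructed, while MyAppDomainManager.dll is the DLL name reported in the article.

```python
"""Flag extracted archives that use the AppDomainManager Injection pattern.
Added example, not Unit 42's or the campaign's code. Assumes the standard
<app>.exe.config layout; sample contents below are constructed."""
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample: a harmless config that only pins the runtime version.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

# Constructed sample of the hijack: the config tells the runtime to load a
# custom AppDomainManager from a DLL placed next to the signed executable.
HIJACKED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="MyAppDomainManager"/>
  </runtime>
</configuration>"""


def find_appdomainmanager_overrides(config_xml: str) -> dict:
    """Return {element: value} for any AppDomainManager override in the config."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    overrides = {}
    runtime = root.find("runtime")
    if runtime is None:
        return overrides
    for child in runtime:
        if child.tag in ("appDomainManagerAssembly", "appDomainManagerType"):
            overrides[child.tag] = child.get("value", "")
    return overrides


def assess_bundle(directory: str, file_names, config_xml: str) -> list:
    """Explain why one extracted folder looks like an AppDomainManager sideload."""
    findings = []
    overrides = find_appdomainmanager_overrides(config_xml)
    if not overrides:
        return findings
    assembly = overrides.get("appDomainManagerAssembly", "")
    simple_name = assembly.split(",")[0].strip()
    findings.append(f"config redirects AppDomainManager to assembly '{simple_name}'")
    lowered = {name.lower() for name in file_names}
    if f"{simple_name.lower()}.dll" in lowered:
        findings.append(f"{simple_name}.dll is present beside the executable (sideload candidate)")
    # The loader described in the article refuses to run unless it sits in Downloads.
    if ntpath.basename(directory.rstrip("\\/")).lower() == "downloads":
        findings.append("bundle sits in a Downloads folder, the location the loader checks for")
    return findings


if __name__ == "__main__":
    # Constructed listing mirroring the chrome_setup.zip contents; the
    # .config file name is an assumption, not a reported indicator.
    files = ["chrome_setup.exe", "chrome_setup.exe.config", "MyAppDomainManager.dll"]
    for finding in assess_bundle(r"C:\Users\victim\Downloads", files, HIJACKED_CONFIG):
        print("FINDING:", finding)
```

In practice the function would be fed the real contents of each newly extracted archive by a file-integrity or download-scanning hook; the point is that a signed, legitimate executable is not itself the signal, the adjacent config that redirects AppDomainManager loading is.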
The Persistence Play
Once the malware is satisfied with its environment, it downloads TinyRCT to the %LOCALAPPDATA% directory and creates a scheduled task named GoogleUpdaterTaskSystem140.0.7272.0, another name designed to blend into the noise of legitimate Windows processes. The task runs with the highest available privileges every time the user logs on, surviving reboots and staying invisible to anyone who isn’t looking specifically for it.
Command and Control
TinyRCT communicates with its C2 server at 45.32.113[.]172 over HTTP, with message bodies encrypted using AES-128 in CBC mode under a hardcoded key (ThisIsASecretKey87654321) and a null initialization vector, both baked directly into the binary. Every 10 seconds, it beacons home for instructions. Commands come back encrypted, and data goes out the same way: files are compressed with gzip and sent to the C2 in 40 KB chunks. Because the key and IV are fixed and now published, captured traffic can be decrypted offline for analysis, and identical plaintexts produce identical ciphertexts, which is itself a pattern defenders can match on.
Among the most telling technical details uncovered by Unit 42: a line of code inside TinyRCT’s C2 response parsing function is written in Simplified Chinese, a small but significant fingerprint in attribution.
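The fixed 10-second beacon and the two reported server addresses are enough to write a hunt over proxy logs. The following is an added example, not Unit 42’s code or tooling. The log line format (timestamp, client, method, URL, bytes), every client address, and the 203.0.113.10 web server are constructed; the two C2 addresses and the PerfWatson2.exe file name come from the article, with the bracketed dots removed.

```python
"""Find TinyRCT-style beaconing in web proxy logs.
Added example, not Unit 42's code. Log format and client addresses are
constructed; the two server addresses are the ones reported for this campaign."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

C2_ADDRESSES = {"139.180.134.221", "45.32.113.172"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"http://(?P<dst>[\d.]+)(?P<path>\S*) (?P<size>\d+)$"
)

# Constructed proxy log: 10.0.0.5 polls the C2 exactly every ten seconds,
# 10.0.0.9 browses a normal site at irregular intervals, 10.0.0.7 fetched the
# loader once from the staging host.
SAMPLE_LOG = """2025-11-03T09:00:00 10.0.0.5 POST http://45.32.113.172/ 48
2025-11-03T09:00:02 10.0.0.9 GET http://203.0.113.10/index.html 15213
2025-11-03T09:00:10 10.0.0.5 POST http://45.32.113.172/ 48
2025-11-03T09:00:20 10.0.0.5 POST http://45.32.113.172/ 48
2025-11-03T09:00:25 10.0.0.9 GET http://203.0.113.10/style.css 2210
2025-11-03T09:00:30 10.0.0.5 POST http://45.32.113.172/ 48
2025-11-03T09:00:31 10.0.0.7 GET http://139.180.134.221/PerfWatson2.exe 204800
2025-11-03T09:00:40 10.0.0.5 POST http://45.32.113.172/ 48
2025-11-03T09:00:50 10.0.0.5 POST http://45.32.113.172/ 48
2025-11-03T09:01:12 10.0.0.9 GET http://203.0.113.10/app.js 80111
2025-11-03T09:02:45 10.0.0.9 GET http://203.0.113.10/api 310
2025-11-03T09:02:50 10.0.0.9 GET http://203.0.113.10/api 312"""


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def ioc_hits(events) -> set:
    """Every (client, server) pair that touched a reported C2 address."""
    return {(e["src"], e["dst"]) for e in events if e["dst"] in C2_ADDRESSES}


def periodic_pairs(events, expected=10.0, tolerance=1.0, min_events=5) -> dict:
    """Return {(client, server): median_interval} for pairs that poll on a fixed
    timer. This catches the behaviour even if the server address changes."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    periodic = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        # A real timer gives a median near the expected period and almost no spread.
        if abs(median - expected) <= tolerance and statistics.pstdev(gaps) <= tolerance:
            periodic[pair] = median
    return periodic


if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    print("IoC hits:", sorted(ioc_hits(events)))
    print("periodic pollers:", periodic_pairs(events))
```

The two checks are deliberately independent: the address match is the fast, brittle one, while the timer check keeps working after the attackers move infrastructure. Widen `tolerance` if a proxy only logs to whole seconds or the implant adds jitter.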
The Self-Destruct
When the attacker decides the operation is over – or when they fear discovery – they send the self-destruct command. TinyRCT deletes the GoogleUpdater scheduled task, then uses a batch command technique involving choice.exe to create a three-second delay, ensuring the malware process has fully terminated before deleting its own executable. Clean. Methodical. Practiced.
Why This Campaign Is Different
Nation-state espionage against government entities is not new. Neither is targeting energy infrastructure. What makes CL-STA-1062 notable is the combination of factors at play simultaneously.
First, the longevity. Three-plus years of operations across multiple countries and sectors is not opportunistic hacking. This is a structured intelligence-gathering program with defined strategic objectives.
Second, the adaptability. The group blends commodity tools with custom malware, adjusting to each target environment. They masquerade tools as VMware executables in one environment, as Chrome installers in another. They use traceroute to map lateral movement paths. They’re learning as they go.
Third, the targeting logic. Energy infrastructure. Government ministries. State-owned enterprises. These are not financially motivated targets. The data being stolen – database records, web server source code, network topology information – is the kind of intelligence that informs geopolitical strategy, not ransomware payments.
What Security Teams Should Do Right Now
For defenders – particularly in Southeast Asia, but relevant globally – the Unit 42 findings translate into a clear and urgent set of actions.
1. Hunt for the indicators. The C2 IP addresses (139.180.134[.]221 and 45.32.113[.]172) and the file name PerfWatson2.exe should be immediately searched across all endpoint logs and network traffic. If they appear, treat it as a confirmed incident.
2. Audit scheduled tasks. The GoogleUpdaterTaskSystem140.0.7272.0 scheduled task is a specific, searchable artifact. Run a sweep across all Windows endpoints in your environment. Any match requires immediate investigation.
3. Monitor %LOCALAPPDATA% for suspicious executables. TinyRCT specifically targets this directory. File integrity monitoring on this path – particularly for executables with names mimicking legitimate Microsoft tools – will catch similar infections.
4. Restrict ASPX web shell deployment. CL-STA-1062 consistently uses web shells as their entry point. Implement web application firewalls, file integrity monitoring on web directories, and alert on any new ASPX file creation on internet-facing servers.
5. Harden your .NET application trust model. AppDomainManager Injection exploits a legitimate .NET feature. Review your application allowlisting policies and restrict which DLLs can be loaded by .NET applications, particularly those running from user-writable directories.
6. Block or monitor SoftEther VPN and VNT. These tools have legitimate uses but are actively weaponized by this group. If they’re not authorized in your environment, block them. If they are, add behavioral monitoring around their execution.
7. Enforce execution restrictions from Downloads and Temp directories. TinyRCT’s loader specifically expects to run from Downloads. Blocking or alerting on executable launches from %USERPROFILE%\Downloads and %TEMP% eliminates a significant portion of this attack chain.
8. Segment your OT and IT networks. Energy sector organizations specifically: the presence of SoftEther VPN in this campaign — a tool capable of tunneling across network boundaries — underlines the importance of strict segmentation between operational technology and corporate IT environments. A compromised HR workstation should never be able to reach SCADA systems.
9. Invest in threat hunting and security awareness training. The initial infection vector here is a fake Chrome installer — a social engineering lure that proper security awareness training directly addresses. The best technical defenses in the world are undermined by a single click on a plausible-looking file.
10. Deploy behavioral EDR with prevent mode enabled. Unit 42’s own research demonstrates that Cortex XDR in prevent mode blocked TinyRCT’s execution attempt outright. Endpoint detection and response tools configured for active prevention – not just detection – are the last line of defense when every other control has failed. Ensure your endpoint security solutions are tuned to block, not merely alert.
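Steps 1 to 3 above can be run as one sweep over a scheduled-task export. The following is an added example and not Unit 42’s tooling. It assumes the export was produced by `schtasks /query /fo CSV /v`, whose column names it uses; the rows, hostnames and user names are constructed, and only the task name and the PerfWatson2.exe file name come from the article.

```python
"""Triage a Windows scheduled-task export for the persistence artifacts above.
Added example, not Unit 42's code. Assumes `schtasks /query /fo CSV /v`
output; sample rows are constructed, IoC names come from the report."""
import csv
import io
import ntpath
import re

KNOWN_TASK_NAMES = {"googleupdatertasksystem140.0.7272.0"}
KNOWN_FILE_NAMES = {"perfwatson2.exe"}
# Directories a scheduled task should rarely launch binaries from.
USER_WRITABLE = re.compile(r"\\appdata\\local\\|\\downloads\\|\\temp\\", re.IGNORECASE)

# Constructed export, trimmed to five of the columns schtasks emits. The third
# row uses CSV-escaped quotes around a path containing a space.
SAMPLE_EXPORT = (
    '"HostName","TaskName","Task To Run","Run As User","Scheduled Task State"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Enabled"\n'
    '"WS01","\\GoogleUpdaterTaskSystem140.0.7272.0","C:\\Users\\alice\\AppData\\Local\\PerfWatson2.exe","alice","Enabled"\n'
    '"WS01","\\Backup\\NightlyCopy","""C:\\Users\\alice\\AppData\\Local\\Temp\\copy tool.exe"" /quiet","alice","Enabled"\n'
    '"WS01","\\Microsoft\\Windows\\Time Synchronization\\SynchronizeTime","%windir%\\system32\\sc.exe start w32time task_started","SYSTEM","Enabled"\n'
)


def executable_of(task_to_run: str) -> str:
    """First token of the command line, honouring a quoted path with spaces."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_tasks(export_csv: str) -> dict:
    """Map TaskName -> list of reasons for every task that deserves analyst attention."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        reasons = []
        name = row["TaskName"].lstrip("\\")  # schtasks prefixes names with a backslash
        exe = executable_of(row["Task To Run"])
        if name.lower() in KNOWN_TASK_NAMES:
            reasons.append("task name matches the CL-STA-1062 persistence task")
        if ntpath.basename(exe).lower() in KNOWN_FILE_NAMES:
            reasons.append(f"launches reported IoC file {ntpath.basename(exe)}")
        if USER_WRITABLE.search(exe):
            reasons.append(f"launches from a user-writable directory: {exe}")
        if reasons:
            flagged[row["TaskName"]] = reasons
    return flagged


if __name__ == "__main__":
    for task, reasons in triage_tasks(SAMPLE_EXPORT).items():
        print(task)
        for reason in reasons:
            print("   -", reason)
```

Only the first rule depends on the attackers keeping the same task name; the third rule (a task whose binary lives under AppData\Local, Downloads or Temp) is the durable one and will also surface the next campaign that follows this playbook with fresh names. On a fleet, collect the export from each host and feed the text to `triage_tasks`; name matching is case-insensitive because Windows task names are.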
The Bigger Picture
The Unit 42 findings land at a moment when the security of critical infrastructure has never been more politically charged. Governments across Southeast Asia are accelerating digital transformation programs, connecting more of their energy, water, and financial infrastructure to networks that weren’t designed with sophisticated nation-state adversaries in mind.
CL-STA-1062 is exploiting exactly that gap — and they’ve been doing it, quietly and persistently, for three years.
The discovery of TinyRCT is a reminder that even when threat actors rely heavily on commodity tools, the most dangerous moments come when they invest in building something new. Custom malware, by definition, has no prior detection signature. It arrives without warning, checks its surroundings, and gets to work.
The good news – and there is some – is that campaigns of this sophistication leave traces. Scheduled tasks with oddly specific names. Executables masquerading as Microsoft telemetry tools. HTTP beacons on 10-second timers. The evidence is there. The question is always whether defenders are looking closely enough, and fast enough, to find it first.
According to research published by Unit 42, Palo Alto Networks’ threat intelligence arm, the full technical indicators of compromise – including hashes, IP addresses, and YARA rules – are available in the original research disclosure for security teams to operationalize immediately.