A China-linked cyberthreat group, CL-STA-1062, has moved from attacking Web-hosting infrastructure in Taiwan to successfully targeting critical-infrastructure providers in Southeast Asia over the past year, cybersecurity researchers say.

The group has successfully targeted electricity and water providers in multiple countries as well as several government and military organizations across the region, deploying a new backdoor tool dubbed TinyRCT, researchers with cybersecurity firm Palo Alto Networks said in a report published last week. Overall, Palo Alto Networks has investigated more than 10 attacks by the group targeting Southeast Asian organizations, the company stated in its June 25 analysis.

The group has used lateral movement to target multiple government agencies or linked organizations in the same country, says Yoni Allon, senior vice president of software engineering at Palo Alto Networks.


“The main reason that we consider that the group poses a higher threat than other similar Chinese APT groups is that they are successfully compromising critical infrastructure providers,” he says. “In one case, we saw them conducting vulnerability scanning against a water utility in the same country, but we were unable to determine whether they were successful in compromising this victim.”

China has escalated cyberattacks in the Southeast Asian region over the past decade. Researchers previously detected cyber-espionage operations in military and government networks in the region that linked to activity stretching back to 2020. Over the same time, China shifted from pure espionage activity to a long-term plan of pre-positioned compromises, preparing for future possible conflicts, as seen in the operations connected to Volt Typhoon.

The latest operations come from a Chinese-language group that Palo Alto Networks' Unit 42 researchers call CL-STA-1062. The group is very likely the same as a previously detected cluster that Cisco Talos researchers track as UAT-7237, which had targeted Taiwanese organizations. Palo Alto Networks did not name the countries affected by CL-STA-1062's attacks, but the researchers said they have high confidence that the two clusters are the same actor.

Cisco declined to be interviewed for this article.

TinyRCT: A First Look

A significant change, however, is that CL-STA-1062 now deploys a novel backdoor tool, known as TinyRCT. The researchers first detected the implant in 2025, describing it as small and stealthy with anti-analysis features, including a self-destruct mechanism intended to delete forensic evidence. The backdoor is designed to spy on the system's users and to give operators remote management: command execution via the shell, configuration updates, and a variety of system fingerprinting and data exfiltration functions.


“After a thorough analysis of the tool, we concluded that it’s not a branch of any known tool, nor does it have significant code similarities with any other tools used by the Chinese APT nexus,” says Allon, adding that it’s “designed to evade sandboxes and other analysis tools by implementing an array of anti-analysis maneuvers, [and] the operators can send a self-destruction command if there’s a sign of detection or active investigation.”

TinyRCT is a lightweight C# remote-access Trojan (RAT) that runs arbitrary commands; a comment in its C2-parsing code is written in simplified Chinese. The backdoor and other components use file names that resemble common system components to escape notice. TinyRCT masquerades as PerfWatson2.exe, a real Visual Studio telemetry component, while another tool used in the attacks, SoftEther VPN, is deployed as binaries renamed to resemble VMware executables or an extended detection and response (XDR) agent.
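The masquerading described above is a useful starting point for a hunt: a binary that borrows a trusted file name but sits outside the directory where the genuine component is installed, lacks the expected signer, or carries a different compiled-in name in its PE version information. The following is an added illustration written for this article, not Unit 42's code or the attackers' tooling. The process records are constructed for the example, and the expected install directories, signer names and SoftEther file names (vpnclient.exe, vmtoolsd.exe) are assumptions standing in for whatever an organization's own inventory says.

```python
"""Flag processes whose file name impersonates a known-good binary.

Added example for this article (not Unit 42's or the attackers' code).
Process records below are constructed; in practice they would come from EDR
telemetry or a script that reads PE version info (OriginalFilename) and the
Authenticode signer for each running image. Paths and signers are assumptions.
"""
from dataclasses import dataclass


@dataclass
class ProcRecord:
    image_name: str         # file name on disk, e.g. PerfWatson2.exe
    image_path: str         # full path of the running image
    original_filename: str  # PE version-info OriginalFilename ('' if absent)
    signer: str             # Authenticode signer subject ('' if unsigned)


# Assumed baseline: where the genuine binary normally lives and who signs it.
# A real deployment would build this from a software inventory, not guesses.
EXPECTED = {
    "perfwatson2.exe": {
        "path_contains": "\\microsoft visual studio\\",
        "signer": "Microsoft Corporation",
    },
    "vmtoolsd.exe": {
        "path_contains": "\\vmware\\vmware tools\\",
        "signer": "VMware, Inc.",
    },
}


def _lookalike_reason(rec: ProcRecord):
    """Name matches a trusted component but path or signer does not."""
    expected = EXPECTED.get(rec.image_name.lower())
    if expected is None:
        return None
    problems = []
    if expected["path_contains"] not in rec.image_path.lower():
        problems.append(f"unexpected path {rec.image_path}")
    if rec.signer != expected["signer"]:
        problems.append(f"signer {rec.signer or 'none'!r} is not {expected['signer']!r}")
    return "; ".join(problems) or None


def _rename_reason(rec: ProcRecord):
    """A renamed binary keeps its compiled-in OriginalFilename (when present)."""
    if not rec.original_filename:
        return None
    if rec.original_filename.lower() != rec.image_name.lower():
        return (f"on-disk name {rec.image_name} differs from compiled name "
                f"{rec.original_filename}")
    return None


def find_masquerades(records):
    """Return (image_path, reason) for every record that trips a check."""
    hits = []
    for rec in records:
        reasons = [r for r in (_lookalike_reason(rec), _rename_reason(rec)) if r]
        if reasons:
            hits.append((rec.image_path, "; ".join(reasons)))
    return hits


# Constructed sample: two genuine binaries and two impostors.
SAMPLE = [
    ProcRecord("PerfWatson2.exe",
               r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe",
               "PerfWatson2.exe", "Microsoft Corporation"),
    ProcRecord("PerfWatson2.exe", r"C:\Users\Public\PerfWatson2.exe", "", ""),
    ProcRecord("vmtoolsd.exe", r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
               "vmtoolsd.exe", "VMware, Inc."),
    # Assumed SoftEther client renamed to look like VMware Tools.
    ProcRecord("vmtoolsd.exe", r"C:\ProgramData\VMware\vmtoolsd.exe",
               "vpnclient.exe", "SoftEther Corporation"),
]

if __name__ == "__main__":
    for path, why in find_masquerades(SAMPLE):
        print(f"{path}: {why}")
```

The OriginalFilename check is the cheaper signal, since an operator who renames a binary often leaves its version resource untouched, but an attacker who strips that resource leaves the field empty and the rule silently passes; the path-and-signer comparison against a baseline is what catches the unsigned copy dropped in a writable directory.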

Espionage Group or Initial Access Broker?

Whether the threat group is one cog in a larger espionage machine or a group that executes end-to-end operations is unclear, Palo Alto Networks' Unit 42 researchers say. One victim was under attack for many months, with attack chains that spanned initial access through exfiltration and pivoted from one government entity to another in the same country. Yet in other cases, CL-STA-1062 stopped after gaining access and fingerprinting the local environment, Allon says.


“We did not observe the exfiltration of any electricity-related data or any malware related to electricity systems or operational technologies more broadly,” he says. “This contributed to our low confidence assessment that CL-STA-1062 may be an initial access broker, establishing a foothold in these victims to then be passed on to another group.”

So far this year, Palo Alto Networks' researchers have observed continued operations, and in one case additional tools were deployed against a critical infrastructure victim to aid persistence, Allon says. Overall, however, the level of activity has dropped, he says.

“We have not observed the same volume of new compromises that we saw in late 2025,” he says. While the lack of observable activity could indicate that the group has reduced its level of operations, it could also mean they have improved their ability to remain undetected.

Allon adds, “This could be due to improvements in the group’s ability to hide their activity.”
