
Unit 42 Links TinyRCT Backdoor to CL-STA-1062 Asian Government Attacks


CyberSecureFox Editorial Team


Researchers at Palo Alto Networks Unit 42 have linked a cluster of intrusions tracked as CL-STA-1062 to a previously undocumented backdoor named TinyRCT. According to the report, the group, believed to be Chinese-speaking, is attacking government agencies, state-owned enterprises in the energy sector, and critical infrastructure in Southeast Asia. From October to December 2025, at least 10 organizations in the region were reportedly compromised. Government and energy-sector organizations in Southeast Asia are advised to check their systems for the published indicators of compromise and to strengthen monitoring of their web servers.

Group profile and campaign timeline

According to Unit 42, activity by CL-STA-1062 has been observed at least since March 2022, with early operations targeting strategic sectors in East Asia. Since mid-2025, the focus has shifted to critical infrastructure in Southeast Asia. In September 2025, the group reportedly breached a government agency in one of the countries in the region, deployed a web shell, and exfiltrated data from an MS SQL server. At the same time, it conducted network reconnaissance against another government agency in the same country, indicating preparation for lateral movement. In one case, the attackers, according to the researchers, extracted an entire directory containing the web server’s source code.

It is important to note: the attribution and the reported scale of the campaign are based on a single research report and have not been confirmed by independent sources or affected organizations.

Technical analysis of TinyRCT

TinyRCT is a lightweight remote access trojan written for the .NET platform and distributed under the filename PerfWatson2.exe. Based on Unit 42’s analysis, the backdoor has the following capabilities:

  • Execution of arbitrary commands on a compromised host
  • Enumeration and exfiltration of files
  • Screenshot capture
  • Remote system control
  • Self-deletion to cover its tracks
  • Detection and evasion of sandboxes

Network communication

TinyRCT establishes a persistent communication channel with its command-and-control server over HTTP, using a periodic beaconing model with a default interval of 10 seconds. GET requests are used to receive instructions, and POST requests are used to send stolen data. The traffic is encrypted with AES-128 in CBC mode.
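As an added example (not code from the article or from Unit 42), the following Python scans constructed proxy log lines for the request pattern described above: one source contacting one destination at a near-constant interval. The log format, the 203.0.113.x and 198.51.100.x addresses, and the thresholds are assumptions made for the example.

```python
# Added example (not from the article or Unit 42): flag source/destination pairs
# whose HTTP requests recur at a near-constant interval, the beaconing pattern
# attributed to TinyRCT (default 10 s; GET to poll, POST to upload).
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src> <method> <dest> <bytes>".
SAMPLE_LOG = """\
2025-11-03T08:00:00 10.0.0.5 GET 203.0.113.9 312
2025-11-03T08:00:10 10.0.0.5 GET 203.0.113.9 312
2025-11-03T08:00:20 10.0.0.5 GET 203.0.113.9 312
2025-11-03T08:00:30 10.0.0.5 POST 203.0.113.9 4096
2025-11-03T08:00:40 10.0.0.5 GET 203.0.113.9 312
2025-11-03T08:00:50 10.0.0.5 GET 203.0.113.9 312
2025-11-03T08:00:03 10.0.0.7 GET 198.51.100.20 1500
2025-11-03T08:02:41 10.0.0.7 GET 198.51.100.20 900
2025-11-03T08:09:17 10.0.0.7 POST 198.51.100.20 220
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")

def parse(log):
    """Group request timestamps per (source, destination) pair."""
    series = defaultdict(list)
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, src, _method, dst, _size = m.groups()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(log, expected=10.0, tolerance=0.25, min_requests=5):
    """Return (src, dst, mean_gap) for pairs whose inter-request gaps sit near
    `expected` seconds with relative jitter at or below `tolerance`."""
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_requests:
            continue  # too few requests to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if abs(avg - expected) <= expected * tolerance and jitter <= tolerance:
            hits.append((src, dst, round(avg, 2)))
    return hits
```

The `expected` parameter exists because the 10-second value is only the default; an operator can change it, so run the check for other intervals (or use jitter alone) rather than relying on 10 seconds exactly.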

Delivery chain

TinyRCT is delivered via a malicious archive named chrome_setup.zip, which contains three components: a legitimate executable chrome_setup.exe, a configuration file chrome_setup.exe.config, and a malicious library MyAppDomainManager.dll. Together they perform AppDomainManager injection (MITRE ATT&CK T1574.014), a technique that substitutes the .NET application domain manager so that malicious code is loaded in the context of a legitimate process. The loaded DLL functions as a loader, reaching out to an external server to retrieve the main backdoor.
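Recommendation 5 in the Security recommendations section asks for monitoring of non-standard .config files placed next to executables. As an added example (not the article's or Unit 42's code), this Python walks a directory tree and reports every `<name>.exe.config` that sits beside a same-named .exe and declares an AppDomainManager in its `<runtime>` element, which is the layout of the chrome_setup.exe / chrome_setup.exe.config / MyAppDomainManager.dll chain described above. The sample configs and the type name MyAppDomainManager.Manager are constructed for the example.

```python
# Added example (not from the article or Unit 42): report <name>.exe.config files
# that redirect the .NET AppDomainManager, the mechanism behind T1574.014.
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed configs; the <runtime> keys are the ones .NET Framework honours.
SUSPICIOUS_CONFIG = (
    '<configuration><runtime>'
    '<appDomainManagerAssembly value="MyAppDomainManager" />'
    '<appDomainManagerType value="MyAppDomainManager.Manager" />'
    '</runtime></configuration>')
BENIGN_CONFIG = ('<configuration><startup>'
                 '<supportedRuntime version="v4.0" /></startup></configuration>')

def config_sets_appdomain_manager(path):
    """True if a .config file declares an AppDomainManager assembly or type."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return False  # malformed XML is a different finding; log it separately
    runtime = root.find("runtime")
    if runtime is None:
        return False
    tags = {child.tag for child in runtime}
    return bool(tags & {"appDomainManagerAssembly", "appDomainManagerType"})

def scan(tree_root):
    """Paths of <name>.exe.config files next to <name>.exe that set an AppDomainManager."""
    findings = []
    for dirpath, _dirs, files in os.walk(tree_root):
        present = set(files)
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            exe = name[:-len(".config")]  # the executable the config belongs to
            full = os.path.join(dirpath, name)
            if exe in present and config_sets_appdomain_manager(full):
                findings.append(full)
    return findings

def demo():
    """Build a throwaway tree with one suspicious and one benign exe/config pair."""
    root = tempfile.mkdtemp()
    for exe, cfg in (("chrome_setup.exe", SUSPICIOUS_CONFIG), ("app.exe", BENIGN_CONFIG)):
        open(os.path.join(root, exe), "wb").close()
        with open(os.path.join(root, exe + ".config"), "w") as fh:
            fh.write(cfg)
    return [os.path.basename(p) for p in scan(root)]
```

The same redirection can also be set through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, which a file scan does not see, so pair this check with process-environment or DLL-load telemetry.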

Toolset and tactics

CL-STA-1062 uses a hybrid toolset that combines publicly available utilities with its own developments. Among the open tools, according to the researchers, are:

  • SoftEther VPN — to create VPN tunnels and enable lateral movement
  • Mimikatz — to extract credentials
  • Yuze — a SOCKS5 proxy utility
  • VNT — a VPN tool

A distinctive feature of the group is disguising its tools as legitimate software. Malicious files are distributed under the names XDRAgent.exe, vmtools.exe, and vmwared.exe, imitating VMware components and extended detection and response (XDR) agents. Initial access to target systems is obtained via ASPX web shells, which are used for initial reconnaissance and to establish outbound connections to the attackers’ infrastructure.

Indicators of compromise

Based on data from the Unit 42 report, the following network indicators have been published:

  • TinyRCT C2 server IP address: 45.32.113[.]172
  • Loader server IP address: 139.180.134[.]221
  • Filenames: PerfWatson2.exe, chrome_setup.zip, MyAppDomainManager.dll
  • Masquerade names: XDRAgent.exe, vmtools.exe, vmwared.exe

Impact assessment

Government agencies, state-owned energy-sector enterprises, and critical infrastructure operators in Southeast and East Asian countries are at the greatest risk. Exfiltration of web server source code and data from MS SQL databases can lead to compromise of additional systems, leakage of confidential information, and the creation of a foothold for further attacks on related organizations. The combination of targeted attacks on critical infrastructure with the development of bespoke malware indicates a persistent and sustained threat.

Security recommendations

  1. Review network logs for connections to IP addresses 45.32.113.172 and 139.180.134.221, with particular attention to HTTP traffic with a ~10-second periodicity
  2. Search for the files PerfWatson2.exe, MyAppDomainManager.dll and archives named chrome_setup.zip on servers and workstations
  3. Check web servers for unauthorized ASPX files, especially in directories exposed via the web
  4. Identify suspicious processes with the names XDRAgent.exe, vmtools.exe, vmwared.exe that do not correspond to legitimate VMware installations or XDR solutions
  5. Restrict use of AppDomainManager in .NET applications — configure monitoring of the loading of non-standard .config configuration files located next to executables
  6. Tighten control over outbound VPN connections, particularly SoftEther VPN, and over SOCKS5 proxying from the server segment
  7. Audit access to MS SQL servers — check logs for signs of bulk data extraction

The appearance of TinyRCT in the CL-STA-1062 arsenal demonstrates the group’s transition from exclusively using publicly available tools to developing custom malware with encrypted traffic and detection-evasion mechanisms. Organizations in the targeted sectors should prioritize checking their infrastructure against the published indicators of compromise, configure detection of the AppDomainManager Injection technique (T1574.014), and ensure monitoring for anomalous HTTP traffic with TinyRCT’s characteristic pattern of periodic requests.

