# TinyRCT Backdoor: Chinese APT Targets Southeast Asian Critical Infrastructure

A sophisticated Chinese-speaking Advanced Persistent Threat (APT) actor, identified as **CL-STA-1062**, is leveraging a new custom backdoor named **TinyRCT** in ongoing cyberattacks. These attacks specifically target government entities and critical infrastructure across Southeast Asia, demonstrating a sustained and strategic focus on the region's vital sectors.

Cybersecurity researchers at **Palo Alto Networks Unit 42** have attributed these campaigns to **CL-STA-1062**, a threat actor showing overlaps with **UAT-7237**, a group previously flagged by **Cisco Talos** for targeting web infrastructure in Taiwan.

### A Hybrid Toolkit for Persistent Infiltration
**CL-STA-1062** employs a hybrid toolkit, blending common open-source tools with bespoke malware. **Unit 42** highlights the frequent use of tools like **SoftEther VPN**, **Mimikatz**, and **VNT**, now augmented by the newly discovered **TinyRCT** backdoor.

**TinyRCT** is a potent custom backdoor designed for a range of malicious activities, including executing arbitrary commands, enumerating and exfiltrating files, capturing device screens, and self-deletion to erase its tracks.

### Targeting Government and Energy Sectors
In a September 2025 campaign, the APT successfully infiltrated a Southeast Asian government entity, deploying a web shell to exfiltrate data from an **MS SQL** server. During the same incident, the attackers conducted network reconnaissance on a separate government entity within the same country, suggesting efforts to identify lateral movement opportunities and expand their access.

**Unit 42** observed the exfiltration of an entire directory of web server source code from a government entity and detected breaches in at least 10 different organizations in Southeast Asia between October and December 2025.

### Critical Infrastructure Under Siege
Since mid-2025, **CL-STA-1062** has focused on critical infrastructure, scanning multiple regional entities for vulnerabilities. They establish initial footholds via **ASPX** web shells, facilitating reconnaissance and outbound requests to attacker-controlled infrastructure, which then leads to the deployment of additional payloads.

These payloads include **SoftEther VPN** components and **RAR** archives containing the group's toolset, such as **Yuze** (a **SOCKS5** proxy) and **VNT** (a **VPN**). These tools are often disguised as legitimate **VMware** tools or XDR agent binaries (e.g., "XDRAgent.exe," "vmtools.exe," and "vmwared.exe").

### TinyRCT: A Closer Look
Further analysis revealed **TinyRCT** (initially named "PerfWatson2.exe") as a previously undocumented **.NET** backdoor. This lightweight Remote Access Trojan (RAT) is capable of system reconnaissance, command execution, file uploads, screenshot capture, remote control, and self-wiping, all while attempting to evade sandboxed environments.

**TinyRCT** establishes a persistent communication channel with a remote server (45.32.113[.]172) over **HTTP**, encrypting exchanged data using **AES-128** in **CBC** mode. It operates on a beaconing model, polling the **C2** server for instructions via **GET** requests and exfiltrating data via **POST** requests, with a default 10-second sleep interval.

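
The beaconing pattern described above (fixed-interval GET polling, with results sent back by POST) is the traffic shape a defender can hunt for in proxy or web-server logs. The following is an added example, not code from the Unit 42 report or from the malware: it groups GET requests per client/server pair, measures the gaps between them, and flags pairs whose median gap matches the expected interval with very little jitter. The log format, addresses and timestamps are constructed for the demo, and the report's C2 address is intentionally not used.

```python
"""Fixed-interval beacon detector over constructed web proxy log lines.

Added example, not code from the Unit 42 report or from TinyRCT itself. It
groups HTTP GET requests per (client, server) pair and flags pairs whose
inter-request gap sits at an expected polling interval with little jitter,
which is the traffic shape a 10-second GET-poll / POST-result loop produces.
Log format, addresses and timestamps are constructed for this demo.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <src> <method> <dst> <path> <status>".
# 10.1.4.23 polls every 10 s and posts once; 10.1.4.50 browses irregularly.
SAMPLE_LOG = """\
2025-11-03T08:00:00 10.1.4.23 GET 203.0.113.10 /api/task 200
2025-11-03T08:00:10 10.1.4.23 GET 203.0.113.10 /api/task 200
2025-11-03T08:00:20 10.1.4.23 GET 203.0.113.10 /api/task 200
2025-11-03T08:00:30 10.1.4.23 GET 203.0.113.10 /api/task 200
2025-11-03T08:00:31 10.1.4.23 POST 203.0.113.10 /api/result 200
2025-11-03T08:00:40 10.1.4.23 GET 203.0.113.10 /api/task 200
2025-11-03T08:00:50 10.1.4.23 GET 203.0.113.10 /api/task 200
2025-11-03T08:00:03 10.1.4.50 GET 198.51.100.7 /index.html 200
2025-11-03T08:02:17 10.1.4.50 GET 198.51.100.7 /news 200
2025-11-03T08:09:41 10.1.4.50 GET 198.51.100.7 /about 200
2025-11-03T08:14:02 10.1.4.50 GET 198.51.100.7 /contact 200
2025-11-03T08:14:30 10.1.4.50 POST 198.51.100.7 /login 302
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<dst>\S+) (?P<path>\S+) (?P<status>\d+)$"
)


def parse_log(log_text):
    """Return ({pair: [GET timestamps]}, {pair: POST count}); malformed lines are skipped."""
    gets = defaultdict(list)
    posts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pair = (m["src"], m["dst"])
        if m["method"] == "GET":
            gets[pair].append(datetime.fromisoformat(m["ts"]))
        else:
            posts[pair] += 1
    return gets, posts


def find_beacons(log_text, expected_interval=10.0, tolerance=0.2,
                 max_jitter=0.1, min_requests=4):
    """Flag (src, dst) pairs whose GET cadence matches expected_interval.

    tolerance: allowed relative deviation of the median gap from the expected interval.
    max_jitter: allowed population stdev of the gaps, relative to the median.
    """
    gets, posts = parse_log(log_text)
    findings = []
    for pair, times in gets.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        jitter = statistics.pstdev(gaps) / median
        if abs(median - expected_interval) <= tolerance * expected_interval and jitter <= max_jitter:
            findings.append({
                "src": pair[0], "dst": pair[1],
                "interval": median, "jitter": round(jitter, 3),
                "get_count": len(times), "post_count": posts[pair],
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The jitter threshold is the important knob: ordinary browsing produces wildly varying gaps, whereas a sleep-loop implant stays within a few percent of its configured interval, so a tight jitter bound keeps the false-positive rate low even on busy proxies. Run it against a different interval to confirm the irregular client is never flagged.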
### Delivery Mechanism
**TinyRCT** is typically delivered via a malicious archive named "chrome_setup.zip." The archive contains a legitimate executable ("chrome_setup.exe"), a configuration file ("chrome_setup.exe.config"), and a rogue **DLL** ("MyAppDomainManager.dll"). The configuration file directs the .NET runtime to load the rogue DLL as the application's AppDomainManager (an **AppDomainManager injection**, **MITRE ATT&CK T1574.014**); once loaded, the DLL functions as a downloader that contacts 139.180.134[.]221 to retrieve "PerfWatson2.exe."

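
Because this delivery chain hinges on an `.exe.config` that names a custom AppDomainManager, application directories can be swept for that indicator. The scanner below is an added example, not code from the Unit 42 report: it parses `*.exe.config` files, reports `appDomainManagerAssembly` / `appDomainManagerType` entries under `<runtime>`, and checks whether a DLL matching the assembly's short name sits beside the executable, the side-loading layout the report describes. Both configuration documents are constructed samples; the assembly name `MyAppDomainManager` is reused from the report's DLL name only so the hit is recognizable.

```python
"""Scanner for AppDomainManager-injection indicators in .NET *.exe.config files.

Added example, not code from the Unit 42 report. A .NET application's
.exe.config may name a custom AppDomainManager under <runtime>; the CLR then
loads that assembly when the application starts, which is the mechanism
MITRE ATT&CK tracks as T1574.014. Both sample documents below are constructed.
"""
import os
import xml.etree.ElementTree as ET

INDICATOR_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed: an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed: a config that points the CLR at a custom AppDomainManager.
# The assembly name mirrors the rogue DLL name from the report; the content is hypothetical.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
  </runtime>
</configuration>
"""


def scan_config(xml_text):
    """Return {tag: value} for AppDomainManager indicators found under <runtime>.

    An empty dict means no indicator; a dict containing "_parse_error" means
    the file was not valid XML and deserves a separate look.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"_parse_error": str(exc)}
    found = {}
    runtime = root.find("runtime")
    if runtime is None:
        return found
    for child in runtime:
        tag = child.tag.rsplit("}", 1)[-1]  # tolerate a namespaced element
        if tag in INDICATOR_TAGS:
            found[tag] = child.get("value", "")
    return found


def assembly_short_name(assembly_ref):
    """'Name, Version=..., Culture=...' -> 'Name' (the DLL's expected base name)."""
    return assembly_ref.split(",", 1)[0].strip()


def is_suspicious(xml_text):
    return "appDomainManagerAssembly" in scan_config(xml_text)


def scan_directory(root_dir):
    """Walk root_dir for *.exe.config files and report those naming an AppDomainManager.

    Each hit records whether <short name>.dll sits beside the executable, the
    side-loading layout from the report (rogue DLL next to a legitimate EXE).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                found = scan_config(fh.read())
            if "appDomainManagerAssembly" not in found:
                continue
            dll = assembly_short_name(found["appDomainManagerAssembly"]) + ".dll"
            hits.append({
                "config": path,
                "assembly": found["appDomainManagerAssembly"],
                "type": found.get("appDomainManagerType", ""),
                "dll_present": os.path.exists(os.path.join(dirpath, dll)),
            })
    return hits


if __name__ == "__main__":
    import sys
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A legitimate AppDomainManager is rare outside specialised hosting scenarios, so any hit where `dll_present` is true and the executable is a renamed consumer application (a browser installer, a VMware tool) warrants triage; pair the finding with the outbound-connection history of that process.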
**Unit 42** concludes that the observed tool combination reflects a pragmatic approach by **CL-STA-1062** to tool selection and attack capabilities. The discovery of **TinyRCT** underscores their ability to customize tools for specific functionalities. Given their targeting of critical infrastructure and development of custom malware, **CL-STA-1062** is expected to remain a significant threat to the region.