
CHINESE APT CL-STA-1062 has widened its campaign against Southeast Asian government and critical energy infrastructure, deploying a custom backdoor called TinyRCT alongside existing tools. The activity was first observed in mid-2025 and continues into mid-2026, according to Unit 42 research. Victims include state‑owned electricity generators, transmission operators and ministries responsible for power distribution in Vietnam, Thailand and Malaysia. The group’s focus on these sectors suggests an intent to gather intelligence that could support broader strategic objectives.
The group gains an initial foothold through ASPX web shells uploaded to exposed web servers, then uses SoftEther VPN to create covert tunnels and Mimikatz for credential harvesting. The TinyRCT backdoor, written in C++, provides remote command execution, data exfiltration and a self‑destruct routine that wipes traces after use. It can enumerate running processes, harvest clipboard data and upload stolen files to attacker‑controlled domains over encrypted HTTP channels.
No CVEs are associated with the current intrusion set, indicating reliance on legitimate administrative tools and custom malware rather than known vulnerabilities.
After establishing the web shell, attackers run reconnaissance scripts to map internal networks, move laterally with stolen credentials and install TinyRCT as a service or scheduled task for persistence. The malware communicates over encrypted channels to command-and-control servers hosted on compromised domains, allowing operators to issue commands and retrieve files without detection.
Because the backdoor mimics legitimate administrative traffic, traditional signature‑based tools often miss its presence until data exfiltration volumes trigger anomaly alerts. Incident responders have noted that the self‑destruct feature can erase the binary from disk after a predefined timer, complicating forensic analysis.
Analysts describe the campaign as consistent with state‑sponsored espionage, noting the focus on energy ministries and state‑owned utilities across Vietnam, Thailand and Malaysia. The group’s earlier activity targeting Taiwan’s web infrastructure shows a pattern of expanding geographic reach while retaining the same toolkit. Researchers warn that the operation is likely to grow as the actors seek long‑term access to critical networks, potentially enabling sabotage or influence operations in future crises. The campaign underscores the need for defenders to treat legacy web applications as a high‑risk entry point.
Defensive measures: organisations should monitor web server logs for unexpected ASPX file creation and block unauthenticated uploads through web‑application firewalls. Detecting unusual SoftEther VPN connections, especially from internal hosts to external IP addresses, can reveal tunnelling attempts that bypass perimeter controls.
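One way to turn the web-log advice above into a hunt, as an added example that is not part of the Unit 42 report or of any tool it names: scan IIS W3C log lines for successful requests to .aspx paths that are not in a baseline of deployed endpoints, and raise the severity when the same client POSTed to an upload handler shortly before. The log format, the baseline paths, the upload handler name and all sample lines are constructed assumptions.

```python
"""Hunt for web-shell activity in IIS W3C logs (constructed sample data)."""
import re
from datetime import datetime

# Constructed sample lines in the field order: date time c-ip cs-method cs-uri-stem sc-status.
SAMPLE_LOG = """\
2025-07-01 08:00:01 203.0.113.5 GET /portal/Login.aspx 200
2025-07-01 08:00:09 203.0.113.5 POST /portal/Upload.aspx 200
2025-07-01 08:00:15 203.0.113.5 POST /portal/uploads/help.aspx 200
2025-07-01 08:01:00 198.51.100.7 GET /portal/Default.aspx 200
2025-07-01 08:02:30 198.51.100.7 GET /portal/Reports.aspx 404
"""

# Assumed baseline of deployed .aspx endpoints (lower-cased); anything else is a candidate web shell.
BASELINE = {"/portal/login.aspx", "/portal/default.aspx", "/portal/upload.aspx"}
UPLOAD_HANDLERS = {"/portal/upload.aspx"}  # assumed endpoints that accept file uploads
CORRELATION_WINDOW_S = 300  # seconds between an upload POST and a hit on a new .aspx

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ip": m.group(2), "method": m.group(3),
            "path": m.group(4).lower(), "status": int(m.group(5))}

def hunt(log_text, baseline=BASELINE, upload_handlers=UPLOAD_HANDLERS):
    """Return (severity, ip, path) findings. A served (status < 400) .aspx path absent from the
    baseline is 'medium'; 'high' if that client POSTed to an upload handler within the window."""
    last_upload = {}
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] in upload_handlers:
            last_upload[ev["ip"]] = ev["ts"]
        if ev["path"].endswith(".aspx") and ev["path"] not in baseline and ev["status"] < 400:
            severity = "medium"
            t = last_upload.get(ev["ip"])
            if t is not None and 0 <= (ev["ts"] - t).total_seconds() <= CORRELATION_WINDOW_S:
                severity = "high"
            findings.append((severity, ev["ip"], ev["path"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A 404 for an unknown .aspx path is deliberately ignored, since the file was never served; in production the baseline would be generated from the deployed application tree rather than typed by hand.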
Security teams ought to hunt for TinyRCT indicators such as specific registry keys, file hashes and network signatures shared in the Unit 42 report, and apply application control to prevent execution of unknown binaries from temporary folders. Enabling detailed PowerShell logging and reviewing scheduled‑task creation can also help identify persistence mechanisms.
Additional steps include enforcing multifactor authentication on privileged accounts, restricting privilege‑escalation paths and segmenting critical OT and IT environments to limit lateral movement. Regular phishing awareness training and timely patching of internet‑facing applications reduce the initial infection vector. Sharing indicators with trusted ISACs and participating in threat‑intelligence feeds helps defenders stay ahead of the group’s evolving tactics.
Maintaining offline backups of critical configurations and testing restoration procedures ensures resilience even if attackers manage to establish a foothold.