At a glance
- Actor or Group: CL-STA-1062 (suspected Chinese-speaking actors)
- Activity Type: Cyber espionage and network infiltration
- Targets or Victims: Southeast Asian critical energy infrastructure and government entities
- Scale: At least ten organizations compromised
- Jurisdiction: Southeast Asia (no official charges filed)
- Source: Palo Alto Networks Unit 42
Hackers compromised at least ten organizations in Southeast Asia during late 2025. The attackers used new custom malware to breach energy and government networks. These TinyRCT backdoor attacks represent a major escalation in regional cyber threats. Security researchers linked this activity to a known threat group.
TL;DR
Suspected Chinese-speaking hackers targeted Southeast Asian critical infrastructure throughout 2025. They deployed a previously unknown tool called TinyRCT to steal data. Organizations must monitor their networks closely to prevent further breaches.
What Happened
The cyber espionage campaign began with attackers exploiting web applications. They placed web shells on vulnerable servers. These initial entry points allowed them to run commands. The attackers then performed reconnaissance on the infected networks.
They sent system details to external IP addresses. Following this, the attackers deployed open-source tunneling tools. They used SoftEther VPN and VNT to move laterally. They often disguised these tools as legitimate system files. For example, they hid malware as VMware executables.
Recently, the intruders introduced a new weapon. They infected systems with a C# remote access trojan called TinyRCT. It allows the operators to execute arbitrary commands, and it can also capture screenshots and exfiltrate files. The infection process uses AppDomainManager injection. The attackers hide the malicious loader inside a fake Google Chrome setup archive.
Once inside, TinyRCT establishes a secure connection to a remote server. It encrypts all traffic using hard-coded keys. The tool also includes a self-destruct mechanism. This routine removes forensic evidence from the infected host.
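The AppDomainManager injection mentioned above relies on a general .NET behaviour: a managed executable reads its companion <name>.exe.config at start-up, and if the <runtime> section names an appDomainManagerAssembly and appDomainManagerType, the CLR loads that assembly before the program's own code runs. That mechanism is public .NET documentation, not a detail taken from this article, and legitimate software rarely uses it, so a config file that sets it next to a "setup" binary is a cheap thing to hunt for. The scanner below is an added example written for this page, not code from Unit 42 or from the campaign; the sample configs are constructed, and the file-name filter (*.exe.config) is an assumption about where such settings normally live.

```python
"""Scan .NET application config files for AppDomainManager injection settings."""
import os
import xml.etree.ElementTree as ET

# Elements under <runtime> that make the CLR load a custom AppDomainManager
# before Main() runs (general .NET behaviour, not a page-specific detail).
RUNTIME_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")


def scan_config_text(text, path="<inline>"):
    """Return a finding dict if the config text sets an AppDomainManager, else None."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None  # not XML (or damaged); nothing to report
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]  # tolerate a default namespace on the element
        if tag in RUNTIME_KEYS:
            found[tag] = child.get("value", "")
    if not found:
        return None
    asm = found.get("appDomainManagerAssembly", "")
    return {
        "path": path,
        "assembly": asm,
        "type": found.get("appDomainManagerType", ""),
        # An unsigned manager assembly (PublicKeyToken=null) deserves a closer look.
        "unsigned": "publickeytoken=null" in asm.replace(" ", "").lower(),
    }


def scan_tree(root_dir):
    """Walk root_dir and return findings for every *.exe.config that sets a manager."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8-sig", errors="replace") as fh:
                    finding = scan_config_text(fh.read(), full)
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if finding:
                findings.append(finding)
    return findings


# Constructed sample configs (illustrative only, not artefacts from the campaign).
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

if __name__ == "__main__":
    for sample, label in ((SUSPICIOUS_CONFIG, "chrome_setup.exe.config"),
                          (BENIGN_CONFIG, "app.exe.config")):
        print(label, "->", scan_config_text(sample, label))
```

Run scan_tree() over user-writable locations such as Downloads, Temp and Public, where a fake installer archive would be unpacked; a hit is a triage lead, not a verdict, since a few legitimate applications do ship a custom AppDomainManager.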

Who Is Behind It
Security experts assess with high confidence that a group tracked as CL-STA-1062 operates this campaign. Researchers believe this group consists of Chinese-speaking actors. They have remained active since at least March 2022.
Analysts link this cluster to a group known as UAT-7237. That group previously attacked web hosting providers in Taiwan. According to a detailed threat report from Palo Alto Networks, the attackers use a hybrid toolkit. They mix common open-source utilities with custom malware.
The report notes: “Our discovery of the TinyRCT backdoor in the attackers’ infrastructure underscores their ability to customize tools to gain specific capabilities.” The attackers adapted their tactics quickly. They changed their approach based on the specific target environment.
Impact or Scale
The scale of these TinyRCT backdoor attacks is significant. Between October and December 2025, the attackers breached at least ten different organizations. The victims are located across Southeast Asia.
The intruders heavily targeted state-owned critical energy infrastructure. In one instance, they compromised two energy entities in the same country. The attackers also infiltrated government networks. They stole database information and complete web server source code directories.
This CL-STA-1062 cyber espionage activity exposes highly sensitive national data. The attackers maintained access for several months. They moved stealthily across the compromised environments. The financial damages remain undisclosed. However, the operational impact on these state-owned enterprises is severe.
What Comes Next
The CL-STA-1062 activity will likely continue to threaten the Asia-Pacific region. The attackers clearly focus on strategic targets. Energy and government sectors remain at high risk.
Organizations must strengthen their defenses immediately. Security teams should implement strict behavioral monitoring. They must restrict the execution of untrusted binaries. The TinyRCT malware stops running if it detects a sandbox environment. Defenders can use this trait to flag suspicious processes.
Administrators should monitor their networks for unusual scheduled tasks. The attackers rely on a task named GoogleUpdater for persistence. Finding this task might indicate a breach.
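The two recommendations above, restricting untrusted binaries and watching scheduled tasks, combine naturally into one check: parse each task definition, match its name against the GoogleUpdater name the page reports and the VMware disguise it mentions, and see whether the command it runs lives in a vendor or system directory. The script below is an added example for this page, not code from Unit 42 or from the affected organizations; the task XML samples are constructed, and the list of trusted directories is an assumption that a deployment would adjust. It reads the XML that Windows produces for a task (for instance from `schtasks /Query /XML`), so it can be run over exported definitions offline.

```python
"""Flag suspicious Windows scheduled tasks from their XML definitions."""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by Windows task exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Names to watch: the exact persistence task name from the report (GoogleUpdater)
# and the vendor the tunnelling tools were disguised as (VMware).
WATCH_NAMES = re.compile(r"^googleupdater$|vmware", re.IGNORECASE)

# Assumed list of directories where vendor and system binaries normally live.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# Minimal environment-variable expansion for the forms commonly seen in task XML.
ENV_SUBS = {
    "%windir%": "c:\\windows",
    "%systemroot%": "c:\\windows",
    "%programfiles%": "c:\\program files",
}


def runs_from_trusted_dir(command):
    """True when the command path resolves under one of TRUSTED_DIRS."""
    norm = command.strip().strip('"').lower()
    for var, value in ENV_SUBS.items():
        norm = norm.replace(var, value)
    return norm.startswith(TRUSTED_DIRS)


def parse_task_xml(xml_text):
    """Return (task_name, [command paths]) from a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1] or "<unnamed>"
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    return name, commands


def assess_task(xml_text):
    """Score one task: a lookalike name plus an untrusted command path is the strong signal."""
    name, commands = parse_task_xml(xml_text)
    name_hit = bool(WATCH_NAMES.search(name))
    untrusted = [c for c in commands if c.strip() and not runs_from_trusted_dir(c)]
    return {
        "name": name,
        "name_hit": name_hit,
        "untrusted_commands": untrusted,
        # Either signal alone only merits a look; together they are worth an alert.
        "high_confidence": name_hit and bool(untrusted),
    }


# Constructed sample task definitions (illustrative only).
SUSPECT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\GoogleUpdater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\ChromeSetup\\chrome_setup.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPECT_TASK, BENIGN_TASK):
        print(assess_task(sample))
```

Genuine Google and VMware installs also register scheduled tasks, which is exactly why the name match is not treated as conclusive on its own: their commands resolve into the vendor's Program Files directory, whereas a task that borrows a vendor name but launches from a user-writable folder such as Public or Temp is the pattern the page describes.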
Furthermore, companies must patch vulnerable web applications quickly. The attackers use these flaws as their primary entry method. Regular security audits can help close these gaps. Organizations should stay vigilant against this growing threat.