TinyRCT backdoor used in CL-STA-1062 Southeast Asia intrusions
Malware Activity
Summary
The newly documented TinyRCT backdoor gives CL-STA-1062 a custom remote-access payload for government and critical-infrastructure targets in Southeast Asia, expanding the operator’s ability to steal data and control compromised hosts. TinyRCT can run commands, exfiltrate files, capture screenshots, and self-delete after use. It is delivered through a malicious archive and AppDomainManager injection chain that retrieves the payload from attacker infrastructure. The activity is tied to operations that included a September 2025 government intrusion and the compromise of at least 10 organizations between October and December 2025.
Related Happenings
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
Campaign
H score: 18
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
How related:
A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia.
About this happening:
A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware Activity
H score: 22
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
GopherWhisper Go-based malware toolkit with Slack, Discord, and Outlook C2
Malware Activity
H score: 23
First: 23.04.2026 15:06
Last: 23.04.2026 15:06
Sources 1
About this happening:
The **GopherWhisper** malware set now combines **Go-based backdoors** and **exfiltration tools** that abuse **Slack**, **Discord**, **Microsoft 365 Outlook**, and **Microsoft Grap...
NANOREMOTE Windows backdoor with Google Drive API C2
Malware Activity
H score: 22
First: 11.12.2025 15:16
Last: 11.12.2025 15:16
Sources 1
About this happening:
**NANOREMOTE** is a newly disclosed **Windows backdoor** that uses the **Google Drive API** for command-and-control, giving operators a difficult-to-detect channel for **data thef...
AshTag modular .NET backdoor deployment via sideloading
Malware Activity
H score: 22
First: 11.12.2025 13:00
Last: 11.12.2025 13:00
Sources 1
About this happening:
The **AshTag** backdoor was deployed through **DLL sideloading** and **in-memory execution**, enabling **persistence** and **remote command execution** in targeted environments. I...
Timeline
26.06.2026 19:21 · 2 articles
CL-STA-1062 uses TinyRCT backdoor against Southeast Asia targets
Initial Disclosure: Palo Alto Networks Unit 42 linked CL-STA-1062 to a new custom backdoor named TinyRCT used in attacks on government entities and critical infrastructure in Southeast Asia, including state-owned enterprises in the energy and government sectors. The malware was described as a .NET remote access trojan delivered through malicious archives and AppDomainManager injection, with capabilities for command execution, file exfiltration, screenshot capture, remote control, and self-deletion. Unit 42 also tied the cluster to prior operations in the region since at least mid-2025 and to the compromise of at least 10 organizations in Southeast Asia between October and December 2025.
Sources:
- Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign — thehackernews.com — 26.06.2026 19:21