
TinyRCT backdoor with persistence, exfiltration, and self-deletion

Malware Activity
H score 22
1 unique source, 1 article

Summary


The TinyRCT backdoor appeared in a 2025 intrusion operation, adding stealthy persistent access and control to the attackers' toolkit. It also supports command execution, file exfiltration, and screenshot capture, expanding post-compromise reach. A built-in self-destruct feature can wipe traces from infected systems and complicate response.

Related Happenings

CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT

Campaign
H score 32 · First: 26.06.2026 13:30 · Last: 26.06.2026 13:30 · Sources: 1

How related: A sustained campaign by a China-linked threat actor targeting government entities and critical infrastructure in Southeast Asia has been uncovered by researchers at Palo Alto Networks’ Unit 42.

About this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, creating sustained compromise risk f...

AppleChris, MemFun, and Getpass malware activity with persistent C2 and credential theft

Malware Activity
H score 26 · First: 13.03.2026 19:33 · Last: 13.03.2026 19:33 · Sources: 1

About this happening: The intrusion used **AppleChris**, **MemFun**, and **Getpass** to keep access on compromised **Windows** endpoints and steal credentials. The backdoors supported **persistence**,...

Remcos RAT variant with real-time surveillance and evasion

Malware Activity
H score 28 · First: 19.02.2026 18:30 · Last: 19.02.2026 18:30 · Sources: 1

About this happening: A newly observed **Remcos RAT** variant now enables **real-time surveillance** on compromised **Windows** systems, increasing the risk of immediate **webcam monitoring** and **liv...

SSHStalker IRC-controlled Linux botnet

Malware Activity
H score 23 · First: 11.02.2026 11:56 · Last: 11.02.2026 11:56 · Sources: 1

About this happening: Researchers disclosed **SSHStalker**, a **Linux botnet** that uses **IRC C2** and automated **SSH scanning** to compromise exposed systems, increasing the risk of persistent contr...

NANOREMOTE Windows backdoor with Google Drive API C2

Malware Activity
H score 22 · First: 11.12.2025 15:16 · Last: 11.12.2025 15:16 · Sources: 1

About this happening: **NANOREMOTE** is a newly disclosed **Windows backdoor** that uses the **Google Drive API** for command-and-control, giving operators a difficult-to-detect channel for **data thef...

Timeline

  1. 25.06.2026 03:00 · 2 articles

    CL-STA-1062 uses TinyRCT in Southeast Asia campaign

    Technical Analysis Update

    CL-STA-1062 used TinyRCT for the first time in a 2025 campaign targeting state-owned enterprises and other critical infrastructure in Southeast Asia, adding a previously undocumented backdoor that provides persistent access, arbitrary command execution, file enumeration and exfiltration, screenshot capture, and a self-destruct mechanism.
