Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia. The activity, particularly aimed at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor called CL-STA-1062, which Palo Alto Networks

The article reports that a Chinese-speaking APT group, CL-STA-1062, is using a new custom .NET/C# backdoor called TinyRCT in campaigns against government entities and critical energy infrastructure in Southeast Asia, enabling command execution, system reconnaissance, file exfiltration, screenshot capture, and self-deletion.[1][2][4] These attacks use a hybrid toolkit of open-source utilities (e.g., SoftEther VPN, Mimikatz, VNT) and custom malware, delivered via web shell exploitation and malicious installers, to achieve persistence and stealth within victim environments.[2][4] From a CyberSE.AI perspective, this kind of sophisticated, long-running APT activity increases the risk that AI-enabled systems in government and critical infrastructure environments are targeted for data theft, operational disruption, or covert monitoring, especially where AI agents have access to sensitive systems or logs. Organizations should apply continuous red teaming to AI-powered workflows, and SBOM/supply-chain analysis to detect malicious or trojanized components in toolchains that AI agents may invoke, while ensuring secure AI agent design to prevent these backdoors being leveraged or controlled th