
China-Linked Hackers Deploy TinyRCT Backdoor in Southeast Asian Infrastructure Attacks


“a clear strategic interest in disrupting or monitoring key regional industries,” Unit 42 researchers wrote, describing a campaign that has quietly targeted Southeast Asian critical infrastructure for years.

Unit 42 traces a China-linked actor, CL-STA-1062

Palo Alto Networks’ Unit 42 published a report on June 25 documenting a sustained campaign by a China-linked threat actor it tracks as CL-STA-1062. According to the report, CL-STA-1062 has been active since at least March 2022 and was observed carrying out operations throughout 2025. Unit 42 linked the group’s activity to attacks on government entities and critical infrastructure across Southeast Asia and described a focused interest in state-owned energy and government sectors.

TinyRCT backdoor: functionality designed for persistence and erasure

A central finding of the report is CL-STA-1062’s first recorded use of a previously undocumented backdoor called TinyRCT. Unit 42 lays out the backdoor’s core capabilities: it allows arbitrary command execution on infected hosts, file enumeration and exfiltration, and the capture of desktop screenshots. Crucially, TinyRCT includes a self-destruct mechanism that can be triggered by a specific command from its command-and-control (C2) server. Unit 42 warned that the combination of stealthy operation, encrypted C2 communications, and a remote-triggerable self-removal routine makes TinyRCT particularly difficult to detect and to analyze forensically.

  • Arbitrary command execution — attackers can run commands on the compromised system.
  • File enumeration and exfiltration — the backdoor can locate and steal documents and other data.
  • Screenshot capture — provides visual insight into user activity on the host.
  • Self-destruct mechanism — remote command can remove traces of the backdoor from the system.
  • Stealth and encrypted C2 — designed to blend with normal activity and obfuscate communications.

Hybrid toolkit: open-source tools plus custom malware

Unit 42 describes CL-STA-1062’s approach as a hybrid toolkit that mixes well-known open-source tools with custom-developed malware such as TinyRCT. The report specifically names SoftEther VPN for secure communications, Mimikatz for credential harvesting, and VNT for network traversal as part of the group’s frequently used toolkit. The use of common, freely available utilities alongside a bespoke backdoor illustrates a blend of convenience and tailored capability.

Targets: state-owned energy firms, government entities, and web hosting infrastructure

Researchers detailed attacks on three critical infrastructure entities in an unnamed Southeast Asian country, including two state-owned energy organizations, and reported that similar tactics were observed against other regional targets. Unit 42 said that between October and December 2025 it observed the likely compromise of at least ten different organizations in Southeast Asia. The report also assessed “with high confidence” that the CL-STA-1062 cluster is the same actor Cisco Talos tracked as UAT-7237, which was reported for campaigns against web hosting infrastructure in Taiwan in mid-2025.

What this means for state-owned energy organizations, government entities, and security teams

  • State-owned energy organizations: the report’s confirmation of attacks against two state-owned energy firms highlights direct operational and intellectual-property risks tied to targeted intrusions and data exfiltration.
  • Government entities: targeting of government systems raises risks of monitoring or disruption to public services and increases the need for coordinated incident response across agencies.
  • Security teams: defenders face a toolkit that combines easy-to-obtain open-source utilities with a stealthy, self-removing backdoor; detecting activity early and preserving forensic artifacts will be more difficult when the attacker can trigger an automated wipe.

Unit 42 framed the campaign as both persistent and strategic, noting a regional operational tempo since 2022 that appears deliberate. The combination of a bespoke backdoor with encrypted C2, common attacker tooling, and successful compromises of state-owned energy and government targets underscores the dual challenges defenders face: identifying sophisticated, resource-backed adversaries, and protecting systems whose compromise could cause broader geopolitical or economic impacts. The record presented by Unit 42 leaves a pointed operational question: when an attacker can both persistently access and remotely erase their toolset, how will incident responders reliably establish scope and attribution before evidence disappears?

Source article covering the Unit 42 findings: https://www.infosecurity-magazine.com/news/china-hackers-asian-cni-backdoor/