Ethical Hacking News
A highly sophisticated threat actor has been linked to a new custom malware backdoor called TinyRCT, which is being used in its Southeast Asia campaign. The attackers, known as CL-STA-1062, have demonstrated an ability to customize their tools to gain specific capabilities and are targeting critical infrastructure in the region. This operation highlights the need for organizations to stay informed about emerging threats and maintain robust security controls to detect and prevent such attacks.
The CL-STA-1062 threat actor has deployed a new custom malware backdoor called TinyRCT in its Southeast Asia campaign. The attackers are using a hybrid toolkit that includes common open-source tools and a bespoke backdoor to achieve their objectives. TinyRCT is a lightweight remote access trojan (RAT) with capabilities for system reconnaissance, command execution, file uploads, and more. The malware operates using a beaconing model and establishes a persistent communication channel with a remote server over HTTP. The attackers are leveraging common open-source tools to facilitate lateral movement and customize their malware tools to gain specific capabilities.
Threat actors are continually refining their tactics, techniques, and procedures (TTPs) to evade detection and achieve their objectives. Recently, a sophisticated threat actor known as CL-STA-1062 has made headlines by deploying a new custom malware backdoor called TinyRCT in its Southeast Asia campaign. In this article, we will delve into the details of CL-STA-1062's latest operation, exploring the characteristics of TinyRCT and how it is used to achieve the adversary's goals.
The CL-STA-1062 threat actor has been linked to various cyber attacks aimed at government entities and critical infrastructure in Southeast Asia. According to Palo Alto Networks Unit 42, a hybrid toolkit is being used by the attackers, which includes common open-source tools such as SoftEther VPN, Mimikatz, and VNT, as well as a bespoke backdoor called TinyRCT.
TinyRCT is a lightweight remote access trojan (RAT) that enables system reconnaissance, command execution, file uploads, screenshot capture, remote control, and the erasure of its own presence on the compromised host. This malware operates using a beaconing model, with a default 10-second sleep interval between requests, and it establishes a persistent communication channel with a remote server over HTTP, utilizing AES-128 encryption in CBC mode to protect the exfiltrated data in transit.
One notable aspect of TinyRCT is its delivery mechanism. The malware arrives in a malicious archive named "chrome_setup.zip" containing a legitimate executable ("chrome_setup.exe"), a configuration file ("chrome_setup.exe.config"), and a rogue DLL ("MyAppDomainManager.dll") that is loaded through AppDomainManager injection. The DLL functions as a downloader, contacting a remote server ("139.180.134[.]221") to retrieve the TinyRCT payload.
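As an added defender-side illustration (not code from the article or from Unit 42), the check below parses a .NET application config for the AppDomainManager override that this delivery technique depends on and flags the layout in which the named assembly is dropped beside the executable. The sample config contents and the demo directory are constructed, since the article does not reproduce the real files; the `appDomainManagerAssembly` and `appDomainManagerType` elements are the standard .NET Framework runtime settings.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the "chrome_setup" delivery (assumed contents; not the real file).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
  </runtime>
</configuration>"""


def parse_appdomain_manager(config_xml):
    """Return (assembly simple name, type name) if the config overrides the AppDomainManager, else None."""
    runtime = ET.fromstring(config_xml).find("runtime")
    asm = runtime.find("appDomainManagerAssembly") if runtime is not None else None
    if asm is None:
        return None
    typ = runtime.find("appDomainManagerType")
    # The value is an assembly display name; the simple name precedes the first comma.
    asm_name = asm.get("value", "").split(",")[0].strip()
    type_name = typ.get("value", "").strip() if typ is not None else ""
    return asm_name, type_name


def assess_directory(directory):
    """Flag *.exe.config files that redirect the AppDomainManager and record whether the
    named assembly sits beside the executable, the side-loading layout the loader relies on."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".exe.config"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            try:
                hit = parse_appdomain_manager(fh.read())
            except ET.ParseError:
                continue  # not well-formed XML, so not a .NET config we can reason about
        if hit is not None:
            asm_name, type_name = hit
            dll_present = os.path.isfile(os.path.join(directory, asm_name + ".dll"))
            findings.append({"exe": name[:-len(".config")], "assembly": asm_name,
                             "type": type_name, "dll_present": dll_present})
    return findings


def demo():
    """Recreate the reported archive layout in a temp directory (empty stand-in files) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for stub in ("chrome_setup.exe", "MyAppDomainManager.dll"):
            open(os.path.join(tmp, stub), "wb").close()
        with open(os.path.join(tmp, "chrome_setup.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        return assess_directory(tmp)
```

A hit where `dll_present` is true for an executable that is not a known .NET host with a legitimately customised AppDomainManager is a strong candidate for triage.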
The attackers behind CL-STA-1062 have demonstrated a pragmatic approach to tool selection and attack capabilities. By leveraging common open-source tools such as SoftEther VPN and VNT to facilitate lateral movement, they have shown an ability to customize their malware tools to gain specific capabilities. This highlights the evolving nature of threat actors' TTPs and the need for organizations to stay vigilant in protecting themselves against such attacks.
In recent campaigns, CL-STA-1062 has focused on targeting critical infrastructure with scanning operations aimed at identifying vulnerabilities and deploying additional payloads. The group's toolkit includes open-source utilities such as Yuze (a SOCKS5 proxy) and VNT (a VPN), which are often disguised as VMware executables or an XDR agent.
The discovery of TinyRCT in the attackers' infrastructure underscores their ability to customize tools to gain specific capabilities, posing a significant threat to organizations in Southeast Asia. The deployment of this new backdoor highlights the importance of staying informed about emerging threats and maintaining robust security controls to detect and prevent such attacks.
In conclusion, CL-STA-1062's recent operation involving TinyRCT serves as a reminder that threat actors are continually evolving their tactics to evade detection and achieve their objectives. As organizations navigate the complex landscape of cyber threats, it is essential to remain vigilant in protecting ourselves against such attacks and staying up-to-date with emerging threat intelligence.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Sophisticated-Threat-Actor-Unveils-a-Customized-Malware-Backdoor-A-Deep-Dive-into-CL-STA-1062-and-TinyRCT-ehn.shtml
https://thehackernews.com/2026/06/chinese-speaking-apt-deploys-new.html
Published: Fri Jun 26 12:27:08 2026 by llama3.2 3B Q4_K_M