TA2026181
Threat Advisory • Attack Report
The Chinese-speaking activity cluster CL-STA-1062 has been deploying the custom TinyRCT backdoor against Southeast Asian government bodies and state-owned critical energy infrastructure since mid-2025, combining open-source tooling with a bespoke C# .NET implant delivered through an AppDomainManager injection chain.
TA2026181A1CL-STA-1062TinyRCTSection 01
A Chinese-speaking activity cluster tracked as CL-STA-1062 has been quietly carving its way through Southeast Asian government bodies and state-owned critical energy infrastructure since mid-2025. Operating from a hybrid toolkit of well-worn open-source utilities and a brand-new bespoke backdoor named TinyRCT, the actor compromises victims via ASPX web shells on vulnerable web applications, pivots through networks using SoftEther VPN, VNT, and Yuze tunneling tools disguised as VMware or XDR binaries, and exfiltrates sensitive data — including database contents and full web server source trees — in password-protected RAR archives.
The newly documented TinyRCT, a lightweight C# .NET implant delivered through an AppDomainManager injection chain inside a trojanized chrome_setup.zip package, gives the CL-STA-1062 operator arbitrary command execution, file enumeration and exfiltration, screen capture, and a clean self-destruct option, all wrapped in AES-128-encrypted HTTP traffic.
Section 02
The Chinese-speaking advanced persistent threat (APT) actor tracked as CL-STA-1062 has been linked to the new custom backdoor TinyRCT, deployed in a series of cyberattacks targeting government entities and critical infrastructure across Southeast Asia. The intrusions typically begin with the attackers exploiting vulnerabilities in public-facing web applications and dropping ASPX web shells onto the compromised servers. These web shells become the operator’s central console, used to run arbitrary commands, stage additional tooling, and conduct initial system and network reconnaissance. Alongside the web shell path, researchers have documented a parallel delivery chain that begins with a malicious archive named chrome_setup.zip, which bundles a legitimate signed chrome_setup.exe with a malicious chrome_setup.exe.config and a rogue MyAppDomainManager.dll. When a user runs the trusted executable from the Downloads folder, the .NET runtime parses the adjacent configuration file and obediently loads the malicious DLL as the application’s domain manager, allowing the attacker’s code to execute inside a signed and trusted process from the very first instruction.
Once the loader passes its environment check, it reaches out to the staging server at 139[.]180[.]134[.]221 to pull down PerfWatson2.exe, the TinyRCT payload, and drops it into %LOCALAPPDATA% under a filename that mimics the legitimate Microsoft Visual Studio telemetry component. Persistence is established through a scheduled task named GoogleUpdaterTaskSystem140.0.7272.0, configured to run at the highest available privileges on every user logon. TinyRCT itself runs its own environment check, confirming it was launched from %LOCALAPPDATA% before doing anything else, then fingerprints the host by collecting the current username, machine name, OS version, local IP addresses, execution path, process ID, and a freshly generated GUID, which it bundles and ships to the C2 over an encrypted HTTP POST.
For lateral movement and broader access, the CL-STA-1062 operators lean heavily on open-source tools. Mimikatz is used to harvest credentials, JuicyPotato is deployed for local privilege escalation, and fscan handles network and vulnerability enumeration. Traceroute helps the attackers map paths between government networks for follow-on compromise. Tunneling and command-and-control are routed through SoftEther VPN, Yuze (a SOCKS5 proxy), and VNT (an open-source VPN), each disguised as legitimate VMware components such as vmtools.exe and vmwared.exe or as an endpoint security tool named XDRAgent.exe. In one observed intrusion, the attackers used a web shell to extract a password-protected RAR archive containing a SoftEther VPN binary masquerading as vmtools.exe, and in another they registered a scheduled task to execute a VNT binary at login under a VMware-themed name.
Data exfiltration by TinyRCT is methodical and quiet. The backdoor polls the C2 at 45[.]32[.]113[.]172 every ten seconds over plain HTTP, encrypting every byte of payload with AES-128 in CBC mode using the hardcoded key ThisIsASecretKey87654321 and a null initialisation vector. When tasked to exfiltrate a file, the malware compresses the contents with gzip, encrypts the result, and ships it in 40 KB chunks to keep the network footprint discreet. Screenshots are captured as JPEG, compressed, encrypted, and exfiltrated through the same channel. Bulk theft is handled differently: the attackers exfiltrated MSSQL database contents via direct query, archived entire web server source code directories into password-protected RAR files for staging, and routed bulk traffic through their SoftEther and VNT tunnels. When the operator decides the host has served its purpose, the self-destruct command removes the GoogleUpdater scheduled task and triggers a legacy choice.exe-based self-deletion routine that introduces a three-second delay to guarantee the malware process has fully exited and released its file handle before the executable is wiped from disk.
Section 03
Deploy application control and behavioral monitoring policies that block or alert on execution of unsigned or unknown binaries running from %LOCALAPPDATA%, %USERPROFILE%\Downloads, and other user-writable paths, since TinyRCT and its loader both rely on these directories for execution context.
Audit endpoints for .NET applications running with adjacent .config files that reference unsigned application domain manager DLLs in non-standard paths. Treat any executable paired with a MyAppDomainManager.dll or comparable injection-ready configuration as suspicious until proven otherwise.
Generate high-severity alerts on schtasks invocations that combine /rl highest with /sc onlogon, especially when the task name impersonates Google Updater, Visual Studio, or other widely trusted vendor components.
Prioritize patching of internet-exposed ASPX, IIS, and web application stacks, perform regular web shell scans across web roots, and enforce strict outbound network controls from web servers to disrupt the actor’s preferred initial-access path.
Enforce least-privilege access, disable interactive logons for service accounts, rotate domain administrator credentials regularly, and deploy LSASS protection (Credential Guard, RunAsPPL) to blunt Mimikatz-style credential dumping.
Apply strict network segmentation between internet-facing systems, internal government networks, and operational technology environments to limit the lateral movement opportunities that CL-STA-1062 has exploited to pivot between government entities and energy operators.
Run regular threat hunts for AppDomainManager hijacking artifacts, GoogleUpdaterTaskSystem-style scheduled tasks, choice.exe-based self-deletion patterns, and curl-driven exfiltration of system enumeration data, particularly in government and energy sector environments across the Asia-Pacific region.
Section 04
| Type | Value |
|---|---|
| SHA256 | 00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1 dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3 4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384 9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472 |
| IPv4 | 139[.]180[.]134[.]221 202[.]182[.]102[.]5 45[.]76[.]210[.]43 45[.]32[.]113[.]172 |
| URLs | hxxp[:]//139[.]180[.]134[.]221/sdksdk608/1[.]zip hxxp[:]//139[.]180[.]134[.]221/sdksdk608/anydesk_0117[.]zip hxxp[:]//139[.]180[.]134[.]221/sdksdk608/hamcore[.]se2 hxxp[:]//139[.]180[.]134[.]221/sdksdk608/httpdf hxxp[:]//139[.]180[.]134[.]221/sdksdk608/vpn_bridge[.]config hxxp[:]//139[.]180[.]134[.]221/sdksdk608/win-vpn[.]rar hxxp[:]//139[.]180[.]134[.]221/PerfWatson2[.]exe |
Section 05
Section 06