Back to Intelligence

APT CL-STA-1062: Defending Southeast Asian Critical Infrastructure Against TinyRCT Attacks

SA
Security Arsenal Team
June 28, 2026
6 min read

The threat landscape in Southeast Asia has escalated with the emergence of a persistent campaign by CL-STA-1062, a Chinese-speaking APT group actively targeting government and energy sector networks. According to Unit 42 researchers, this actor has shifted focus from East Asia to Southeast Asia, leveraging a novel unauthorized access mechanism dubbed "TinyRCT" alongside open-source tooling.

For defenders, the urgency is high. This is not theoretical scanning; it is a persistent operation aimed at critical infrastructure. The use of custom malicious software like TinyRCT suggests an intent to establish stealthy, long-term footholds. Security teams must immediately shift from passive monitoring to active threat hunting within their environments to identify signs of this specific intrusion set.

Technical Analysis

Affected Products & Platforms: While specific CVEs are not disclosed in this campaign, the targets are clearly identified as Government and Energy networks. The attack chain involves a mix of legitimate open-source tools (often used for living-off-the-land binaries or LOLBins) and a newly identified custom malware component, TinyRCT.

The TinyRCT Mechanism: TinyRCT functions as an unauthorized access mechanism, likely providing remote control capabilities (C2) that bypass standard security controls. Unlike commodity malware, this custom tool is designed for stealth and persistence in high-value environments.

Attack Chain Overview:

  1. Initial Access: Likely achieved via phishing or exploitation of internet-facing services (standard vectors for this actor set).
  2. Execution: Deployment of open-source tools for reconnaissance and lateral movement.
  3. Persistence: Installation of the TinyRCT mechanism to ensure continued access.
  4. Objectives: Exfiltration of sensitive data or positioning for disruptive action against energy grids.

Exploitation Status: Unit 42 has confirmed active exploitation. The presence of custom malware indicates a mature capability level.

Detection & Response

SIGMA Rules

The following Sigma rules are designed to detect the behavioral patterns associated with CL-STA-1062, specifically focusing on the use of open-source tools often seen in these campaigns and the persistence mechanisms likely employed by TinyRCT.

YAML
---
title: Potential CL-STA-1062 Open-Source Tool Usage
id: 8c4d2a1e-5f3b-4a2c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects execution of common open-source reconnaissance tools often used by CL-STA-1062 during initial access phases.
references:
  - https://attack.mitre.org/techniques/T1016/
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.discovery
  - attack.t1016
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_tools:
    Image|endswith:
      - '\adfind.exe'
      - '\nmap.exe'
      - '\fping.exe'
  filter_legit:
    ParentImage|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection_tools and not filter_legit
falsepositives:
  - Authorized administrative audits
level: high
---
title: Suspicious Service Installation TinyRCT Persistence
id: 9d5e3b2f-6a4c-5b3d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects creation of new services via sc.exe or PowerShell from unusual parent processes, indicative of custom malware like TinyRCT establishing persistence.
references:
  - https://attack.mitre.org/techniques/T1543.003/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1543.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_sc:
    Image|endswith:
      - '\sc.exe'
      - '\powershell.exe'
    CommandLine|contains:
      - 'create'
      - 'New-Service'
  selection_suspicious_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\mshta.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate software installation
  - System administrator automation
level: high

KQL (Microsoft Sentinel / Defender)

Use these queries to hunt for signs of the TinyRCT backdoor activity and lateral movement associated with this campaign.

KQL — Microsoft Sentinel / Defender
// Hunt for network connections from processes typically abused by CL-STA-1062
// Look for connections to non-standard high ports often used for custom C2
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in (~"powershell.exe", ~"cmd.exe", ~"wscript.exe", ~"cscript.exe")
| where RemotePort >= 40000 and RemotePort <= 65000
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemotePort
| order by Timestamp desc


// Hunt for persistence via service creation matching the Sigma rule logic
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in (~"sc.exe", ~"powershell.exe")
| where ProcessCommandLine has_any ("create", "New-Service", "binPath=")
| where InitiatingProcessFileName !in (~"services.exe", ~"svchost.exe", ~"msiexec.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

Hunt for the TinyRCT persistence mechanism and open-source tool artifacts on endpoints.

VQL — Velociraptor
-- Hunt for services pointing to binaries in non-standard paths (TinyRCT persistence)
SELECT Name, DisplayName, ImagePath, StartType, State
FROM services()
WHERE ImagePath NOT LIKE 'C:\Windows\%' 
   AND ImagePath NOT LIKE 'C:\Program Files\%'
   AND ImagePath NOT LIKE 'C:\Program Files (x86)%'
   AND State != 'Stopped'


-- Hunt for recently modified binaries in System32 that could be custom malware
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="C:\Windows\System32\*.exe")
WHERE Mtime > now() - 30
   AND NOT FullPath IN ("C:\Windows\System32\cmd.exe", "C:\Windows\System32\powershell.exe", "C:\Windows\System32\regsvr32.exe")

Remediation Script (PowerShell)

Use this script to audit services and identify suspicious persistence mechanisms likely associated with TinyRCT or similar custom backdoors.

PowerShell
# Audit for suspicious services often used by CL-STA-1062 for persistence
Write-Host "[+] Auditing services for suspicious paths..." -ForegroundColor Cyan

$suspiciousServices = Get-WmiObject Win32_Service | Where-Object { 
    $_.PathName -notmatch 'System32' -and 
    $_.PathName -notmatch 'Program Files' -and 
    $_.State -ne 'Stopped' 
}

if ($suspiciousServices) {
    Write-Host "[!] WARNING: Found services running outside standard directories:" -ForegroundColor Red
    foreach ($svc in $suspiciousServices) {
        Write-Host "Name: $($svc.Name) | Path: $($svc.PathName) | State: $($svc.State)" -ForegroundColor Yellow
    }
} else {
    Write-Host "[-] No suspicious services found." -ForegroundColor Green
}

# Check for recent execution of open-source recon tools
Write-Host "[+] Checking for recent execution of common recon tools..." -ForegroundColor Cyan

$events = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName']='*adfind.exe' or Data[@Name='NewProcessName']='*nmap.exe']]" -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "[!] Found execution events for reconnaissance tools." -ForegroundColor Red
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "[-] No suspicious recon tool execution found in Security logs." -ForegroundColor Green
}

Remediation

Immediate remediation steps for organizations potentially affected by CL-STA-1062:

  1. Isolate Affected Systems: If the detection rules trigger, immediately isolate the host from the network to prevent lateral movement.
  2. Block C2 Infrastructure: Obtain the Indicators of Compromise (IOCs) from the Palo Alto Networks Unit 42 report and block associated IP addresses and domains at the perimeter and proxy level.
  3. Audit User Accounts: Review logs for suspicious authentication events, particularly on accounts with privileged access to OT or energy management systems. Reset credentials for any impacted users.
  4. Remove Persistence: Identify and delete the TinyRCT service or binary. Use the PowerShell audit script above to locate the service, then use sc.exe delete [ServiceName] to remove it.
  5. Network Segmentation: Ensure strict segmentation between IT and OT networks. The energy sector is a primary target; verify that jump hosts are hardened and monitored extensively.
  6. Patch Management: While no specific CVE is detailed in this alert, ensure all systems are patched against the latest vulnerabilities to prevent initial access vectors.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirapt-cl-sta-1062tinyrctcritical-infrastructure

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action