Introduction
We are tracking a concerning shift in the threat landscape targeting Southeast Asia. Palo Alto Networks Unit 42 has attributed a new campaign to the Chinese-speaking threat actor CL-STA-1062. This actor is actively deploying a custom unauthorized access mechanism (UAM) dubbed TinyRCT against state-owned enterprises in the energy and government sectors.
This is not a commodity crime campaign; it is a focused, nation-state aligned operation aimed at critical infrastructure. The deployment of TinyRCT indicates a desire for persistent, covert access rather than immediate disruption. Defenders in the region, particularly those managing operational technology (OT) and government networks, must assume compromise and act immediately to hunt for this specific mechanism.
Technical Analysis
Threat Actor: CL-STA-1062 (Chinese-speaking APT)
Target: Government entities and critical infrastructure (energy sector) in Southeast Asia
Tool: TinyRCT (custom unauthorized access mechanism)
Mechanism of Action: TinyRCT functions as a lightweight backdoor designed to provide unauthorized remote access. While specific implementation details are still being analyzed, custom UAMs like this typically bypass standard authentication mechanisms, often leveraging:
- Memory-Only Execution: Residing solely in RAM to evade disk-based signature scanners.
- Protocol Tunneling: Mimicking legitimate traffic (e.g., HTTP/S or custom RPC implementations) to blend into network noise.
- Persistence: Establishing footholds via scheduled tasks, services, or registry modifications that survive reboots.
Exploitation Status: Active. This campaign is currently in the wild. There is no associated CVE at this time; the threat relies on the deployment of the TinyRCT tool itself, likely following initial access achieved via phishing, abuse of valid credentials, or unpatched services. Because this is a custom tool, traditional antivirus signatures may be ineffective until behavioral heuristics are updated.
Detection & Response
Detecting custom APT tooling requires a shift from signature-based detection to behavioral hunting. The following rules and queries are designed to catch the execution and network artifacts associated with TinyRCT and similar backdoors.
Sigma Rules
---
title: Potential TinyRCT Backdoor - Suspicious Service Installation
id: 8a4b1c92-0f3e-4a5d-9b2c-3d4e5f6a7b8c
status: experimental
description: Detects the installation of services with suspicious characteristics commonly used by custom backdoors like TinyRCT, such as binary paths in user directories or unusual command lines.
references:
  - https://attack.mitre.org/techniques/T1543/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.persistence
  - attack.t1543.003
logsource:
  category: process_creation
  product: windows
detection:
  # A YAML mapping cannot repeat the CommandLine|contains key, so the two
  # installation methods get their own selections and the condition ORs them.
  selection_sc:
    CommandLine|contains|all:
      - 'sc.exe'
      - 'binPath='
    CommandLine|contains:
      - 'create'
      - 'config'
  selection_ps:
    # New-Service takes -BinaryPathName rather than sc.exe's binPath= syntax
    CommandLine|contains|all:
      - 'New-Service'
      - '-BinaryPathName'
  filter_legit:
    CommandLine|contains:
      - 'C:\\Windows\\System32\\'
      - 'C:\\Program Files\\'
      - 'C:\\Program Files (x86)\\'
  condition: 1 of selection_* and not filter_legit
falsepositives:
  - Legitimate software installation by administrators
level: high
---
title: Suspicious Network Connection from System Process
id: 9b5c2d03-1g4f-5b6e-0c3d-4e5f6g7h8i9j
status: experimental
description: Detects system processes (like svchost or generic runtime hosts) initiating outbound connections to non-standard ports or external IPs, characteristic of injected backdoor code.
references:
  - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.defense_evasion
  - attack.t1055.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|endswith:
      - '\\svchost.exe'
      - '\\rundll32.exe'
      - '\\regsvr32.exe'
  # Sigma has no "|not" modifier; exclusions are a filter negated in the condition.
  filter_common_ports:
    DestinationPort:
      - 80
      - 443
      - 8080
  condition: selection and not filter_common_ports
falsepositives:
  - Windows Update traffic
  - Legitimate system management tools
level: medium
---
title: TinyRCT Indicators - Unsigned Process in System Path
id: 0c6d3e14-2h5g-6c7f-1d4e-5f6g7h8i9j0k
status: experimental
description: Detects execution of unsigned binaries from system directories, a common technique for custom backdoors attempting to appear system-native.
references:
  - https://attack.mitre.org/techniques/T1036/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.defense_evasion
  - attack.t1036.005
logsource:
  category: process_creation
  product: windows
detection:
  # Sysmon Event ID 1 and Security 4688 carry no signature field; this rule
  # assumes a log source (EDR or Sysmon image-load enrichment) that adds Signed
  # to process creation events.
  selection:
    Image|contains:
      - 'C:\\Windows\\System32\\'
      - 'C:\\Windows\\SysWOW64\\'
    Signed: 'false'
  condition: selection
falsepositives:
  - Rare instances of legitimate unsigned internal tools
level: high
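Before loading the three rules into a SIEM, it helps to check their boolean logic against known inputs. The following Python evaluator is an added example, not code from the advisory or from Unit 42: it re-implements each rule's selections and filters (Sigma's case-insensitive `contains`, `contains|all` and `endswith` modifiers) and runs them over constructed Sysmon-style events. The event ids, hostnames, paths and the `svcupd.exe` binary name are all constructed for the example.

```python
"""Reference evaluator for the three Sigma rules above.

Added example, not code from the original advisory; every event below
(paths, ports, binary names) is constructed.
"""
from __future__ import annotations

# filter_legit in the first rule: service binaries under these paths are treated as benign.
TRUSTED_DIRS = ("C:\\Windows\\System32\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
# selection in the second rule: system host processes that should not talk to odd ports.
SYSTEM_HOSTS = ("\\svchost.exe", "\\rundll32.exe", "\\regsvr32.exe")
COMMON_PORTS = {80, 443, 8080}
# selection in the third rule.
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")


def contains_any(value: str, needles) -> bool:
    """Sigma's |contains with a list: case-insensitive, any needle matches."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def contains_all(value: str, needles) -> bool:
    """Sigma's |contains|all: every needle must be present."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def rule_service_install(ev: dict) -> bool:
    """sc.exe create/config with binPath=, or New-Service -BinaryPathName,
    where the binary is outside the trusted directories."""
    if ev["category"] != "process_creation":
        return False
    cl = ev.get("CommandLine", "")
    selection_sc = contains_all(cl, ("sc.exe", "binPath=")) and contains_any(cl, ("create", "config"))
    selection_ps = contains_all(cl, ("New-Service", "-BinaryPathName"))
    return (selection_sc or selection_ps) and not contains_any(cl, TRUSTED_DIRS)


def rule_system_process_net(ev: dict) -> bool:
    """A system host process initiating a connection to a non-web port."""
    if ev["category"] != "network_connection":
        return False
    image = ev.get("Image", "").lower()
    return (ev.get("Initiated") == "true"
            and image.endswith(tuple(h.lower() for h in SYSTEM_HOSTS))
            and int(ev.get("DestinationPort", 0)) not in COMMON_PORTS)


def rule_unsigned_system_path(ev: dict) -> bool:
    """An unsigned image executing from a system directory."""
    if ev["category"] != "process_creation":
        return False
    return contains_any(ev.get("Image", ""), SYSTEM_DIRS) and ev.get("Signed") == "false"


RULES = (
    ("service_install", rule_service_install),
    ("system_process_net", rule_system_process_net),
    ("unsigned_system_path", rule_unsigned_system_path),
)


def evaluate(events) -> list[tuple[int, str]]:
    """Return (event id, rule name) for every rule each event triggers, in input order."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev["id"], name))
    return hits


# Constructed events; "category" stands in for the Sigma logsource category.
SAMPLE_EVENTS = [
    # Service binary inside a user profile: should fire the first rule.
    {"id": 1, "category": "process_creation", "Image": "C:\\Windows\\System32\\sc.exe", "Signed": "true",
     "CommandLine": 'sc.exe create UpdSvc binPath= "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe" start= auto'},
    # Same command with the binary under Program Files: removed by filter_legit.
    {"id": 2, "category": "process_creation", "Image": "C:\\Windows\\System32\\sc.exe", "Signed": "true",
     "CommandLine": 'sc.exe create AgentSvc binPath= "C:\\Program Files\\Vendor\\agent.exe" start= auto'},
    # svchost.exe connecting to port 4444: second rule.
    {"id": 3, "category": "network_connection", "Image": "C:\\Windows\\System32\\svchost.exe",
     "Initiated": "true", "DestinationPort": 4444},
    # svchost.exe on 443 (Windows Update and similar): excluded by the port filter.
    {"id": 4, "category": "network_connection", "Image": "C:\\Windows\\System32\\svchost.exe",
     "Initiated": "true", "DestinationPort": 443},
    # Unsigned binary with a constructed name sitting in System32: third rule.
    {"id": 5, "category": "process_creation", "Image": "C:\\Windows\\System32\\svcupd.exe",
     "CommandLine": "svcupd.exe", "Signed": "false"},
    # Unsigned but in a user directory: not what the third rule looks for.
    {"id": 6, "category": "process_creation", "Image": "C:\\Users\\jdoe\\AppData\\Local\\tool.exe",
     "CommandLine": "tool.exe", "Signed": "false"},
]

if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Running the block prints one hit per rule (events 1, 3 and 5); events 2, 4 and 6 show the filter, the port exclusion and the system-directory requirement doing their job. Extend `SAMPLE_EVENTS` with your own known-benign service installs before tuning the filters.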
KQL (Microsoft Sentinel / Defender)
This query hunts for processes running outside the Program Files and Windows directories that repeatedly establish successful outbound connections to known-suspicious or high-numbered ports, the kind of C2 behavior expected from TinyRCT.
let HighRiskPorts = dynamic([4444, 5555, 6666, 8080, 8888, 9000, 9999]);
DeviceNetworkEvents
// Processes started from outside the standard program and system directories
| where InitiatingProcessFolderPath !contains "Program Files"
    and InitiatingProcessFolderPath !contains "Windows"
// Known suspicious ports, or any high port; drop the second clause to tighten the hunt
| where RemotePort in (HighRiskPorts) or RemotePort > 1024
| where ActionType == "ConnectionSuccess"
// Group by process, not by RemoteIP, otherwise DistinctIPs is always 1
| summarize ConnectionCount = count(), DistinctIPs = dcount(RemoteIP), RemoteIPs = make_set(RemoteIP, 20)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where ConnectionCount > 5
| project DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIPs, DistinctIPs, ConnectionCount
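To see what the filter and aggregation stages of that hunt actually return, the following Python rendering of the query is an added example (not from the advisory or from Microsoft's schema documentation) run over constructed `DeviceNetworkEvents` rows. The device name, process paths and TEST-NET addresses (203.0.113.0/24, 198.51.100.0/24) are constructed; the column names match the Defender table used above.

```python
"""Python rendering of the KQL hunt above, run over constructed rows.

Added example, not code from the original advisory; all rows are constructed.
"""
from collections import defaultdict

HIGH_RISK_PORTS = {4444, 5555, 6666, 8080, 8888, 9000, 9999}
# The two !contains clauses on InitiatingProcessFolderPath (KQL compares case-insensitively).
TRUSTED_FOLDER_MARKERS = ("program files", "windows")


def is_candidate(row: dict) -> bool:
    """The three `where` stages: untrusted folder, suspicious or high port, successful connection."""
    folder = row["InitiatingProcessFolderPath"].lower()
    if any(marker in folder for marker in TRUSTED_FOLDER_MARKERS):
        return False
    port = row["RemotePort"]
    if port not in HIGH_RISK_PORTS and port <= 1024:
        return False
    return row["ActionType"] == "ConnectionSuccess"


def summarize(rows, min_connections: int = 5) -> list[dict]:
    """The `summarize ... by DeviceName, file name, command line` stage plus the count threshold.

    Grouping by process rather than by RemoteIP is what makes DistinctIPs meaningful:
    grouped by RemoteIP, every row would report exactly one distinct address.
    """
    groups = defaultdict(lambda: {"count": 0, "ips": set()})
    for row in rows:
        if not is_candidate(row):
            continue
        key = (row["DeviceName"], row["InitiatingProcessFileName"], row["InitiatingProcessCommandLine"])
        groups[key]["count"] += 1
        groups[key]["ips"].add(row["RemoteIP"])
    results = []
    for (device, fname, cmd), g in groups.items():
        if g["count"] > min_connections:
            results.append({
                "DeviceName": device,
                "InitiatingProcessFileName": fname,
                "InitiatingProcessCommandLine": cmd,
                "ConnectionCount": g["count"],
                "DistinctIPs": len(g["ips"]),
                "RemoteIPs": sorted(g["ips"]),
            })
    return results


def make_rows(device, folder, fname, cmd, dest, port, n, action="ConnectionSuccess"):
    """Build n identical constructed DeviceNetworkEvents rows."""
    return [{"DeviceName": device, "InitiatingProcessFolderPath": folder,
             "InitiatingProcessFileName": fname, "InitiatingProcessCommandLine": cmd,
             "RemoteIP": dest, "RemotePort": port, "ActionType": action}
            for _ in range(n)]


USER_DIR = "c:\\users\\jdoe\\appdata\\roaming"
SAMPLE_ROWS = (
    # A user-profile binary beaconing to port 4444: six successes to one address, one to a second.
    make_rows("ws-energy-07", USER_DIR, "upd.exe", "upd.exe --svc", "203.0.113.7", 4444, 6)
    + make_rows("ws-energy-07", USER_DIR, "upd.exe", "upd.exe --svc", "198.51.100.9", 4444, 1)
    # Failed attempts are not counted by the ActionType stage.
    + make_rows("ws-energy-07", USER_DIR, "upd.exe", "upd.exe --svc", "198.51.100.9", 4444, 2, action="ConnectionFailed")
    # A browser under Program Files on a high port: removed by the folder stage.
    + make_rows("ws-energy-07", "c:\\program files\\browser", "browser.exe", "browser.exe", "203.0.113.50", 8443, 9)
    # A ProgramData binary with only two connections: below the threshold.
    + make_rows("ws-energy-07", "c:\\programdata\\tool", "t.exe", "t.exe", "203.0.113.8", 9000, 2)
)

if __name__ == "__main__":
    for result in summarize(SAMPLE_ROWS):
        print(result)
```

Only `upd.exe` survives, with seven successful connections to two distinct addresses; lowering `min_connections` pulls the two-connection `t.exe` group into view, which is the knob to turn when hunting a quieter implant.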
Velociraptor VQL
This VQL artifact hunts for active network connections established by binaries located in suspicious user-writable directories, a common placement for custom backdoors.
-- Hunt for active connections from binaries in user-writable directories.
-- VQL has no JOIN clause: pslist() and netstat() are correlated with foreach(),
-- and the process columns are aliased so netstat()'s own Pid and Name do not
-- shadow them inside the inner query. Backslashes in regexes are doubled twice
-- (once for the string, once for the regex).
LET suspicious_procs = SELECT Pid AS ProcPid, Name AS ProcName, Exe, CommandLine, Username
  FROM pslist()
  WHERE Exe =~ "(?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\"
     OR Exe =~ "(?i)\\\\ProgramData\\\\"
     OR Exe =~ "(?i)\\\\Windows\\\\Temp\\\\"

SELECT * FROM foreach(row=suspicious_procs, query={
  SELECT ProcPid AS Pid, ProcName AS Name, Exe, CommandLine, Username,
         Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status
  FROM netstat()
  WHERE Pid = ProcPid AND Status =~ "ESTAB"
})
Remediation Script (PowerShell)
This script helps identify services with binary paths pointing to non-standard locations, which is a key persistence mechanism for TinyRCT. Run with administrative privileges.
# Audit for potentially malicious services used for persistence (TinyRCT)
Write-Host "[+] Auditing services for suspicious binary paths..."

# Directories a service binary has no business living in. $env:SystemDrive\Users
# covers every profile, not only the one running the audit.
$suspiciousPaths = @(
    "$env:SystemDrive\Users",
    "$env:PUBLIC",
    "$env:TEMP",
    "C:\PerfLogs",
    "C:\Windows\Tasks"
)

Get-CimInstance -ClassName Win32_Service | Where-Object {
    # Capture the service: $_ is rebound to each path inside the inner Where-Object.
    $svc = $_
    $svc.State -eq 'Running' -and
    $null -ne $svc.PathName -and
    ($suspiciousPaths | Where-Object { $svc.PathName -like "*$([WildcardPattern]::Escape($_))*" })
} | ForEach-Object {
    Write-Host "[!] Suspicious Service Found:" -ForegroundColor Red
    Write-Host "    Name:      $($_.Name)"
    Write-Host "    PathName:  $($_.PathName)"
    Write-Host "    StartMode: $($_.StartMode)"
    Write-Host "    ProcessId: $($_.ProcessId)"
}
Write-Host "[+] Audit complete."
Remediation
- Isolate Affected Systems: Immediately identify and isolate hosts exhibiting the behaviors described above from the network, especially segments bridging IT and OT environments.
- Credential Reset: Assume credentials have been harvested. Force a reset of all privileged credentials (domain admin, local admin, service accounts) on affected segments.
- Persistence Removal: Use the provided PowerShell script and manual forensics to identify the specific file path used by TinyRCT. Delete the artifact and remove any associated registry keys or services.
- Network Segmentation: Review East-West traffic logs. Ensure that critical systems (SCADA, energy management) are strictly segmented from general-purpose IT networks.
- Threat Hunting: Deploy the provided Sigma rules to your SIEM. Conduct a retrospective search for the last 90 days to identify previous access attempts.