Chinese APT CL‑STA‑1062 Deploys Custom TinyRCT Backdoor Against Southeast Asian Government & Energy Networks
What Happened – Chinese‑speaking APT group CL‑STA‑1062 has been running persistent operations against Southeast Asian government agencies and state‑owned energy utilities since mid‑2025. The attackers gain initial foothold via ASPX web shells placed in vulnerable web applications, then install a bespoke backdoor called TinyRCT and use open‑source tools (SoftEther VPN, Mimikatz, JuicyPotato) to move laterally, exfiltrate data, and map networks.
Why It Matters for Compliance & Audit Readiness
- The intrusion exploits web‑application misconfigurations and demonstrates a gap in continuous control monitoring – a core SOC 2 requirement for the Security principle.
- Evidence of the malicious tooling and data exfiltration must be captured in real time to satisfy audit‑ready incident‑response documentation.
- Mapping these gaps to SOC 2 controls (e.g., CC6.1 Change Management, CC7.1 Vulnerability Management) and retaining continuous evidence is exactly what Verisq’s Control Mapping capability enables.
Who Is Affected – Government ministries, regulatory bodies, and state‑owned energy operators in Southeast Asia.
Recommended Actions –
- Conduct a rapid inventory of all public‑facing web applications and verify they are hardened against ASPX shell injection.
- Integrate continuous vulnerability scanning and automated evidence collection for remediation actions to meet SOC 2 audit expectations.
- Update incident‑response playbooks to include detection of custom backdoors (e.g., TinyRCT) and ensure logs are retained in a tamper‑evident Trust Center.
Source: Security Affairs
Technical Notes – Attack vector: exploitation of vulnerable web applications → ASPX web shells → deployment of TinyRCT backdoor (PerfWatson2.exe) and open‑source tools (SoftEther VPN, Mimikatz, JuicyPotato). Data was compressed into password‑protected RAR archives before exfiltration. Source: same as above