HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Chinese APT CL‑STA‑1062 Deploys Custom TinyRCT Backdoor Against Southeast Asian Government & Energy Networks

Chinese‑speaking APT group CL‑STA‑1062 used ASPX web shells and a bespoke TinyRCT backdoor to breach multiple Southeast Asian government and state‑owned energy entities, exfiltrating sensitive data. The incident highlights the need for continuous control mapping and audit‑ready evidence in SOC 2 programs.

LiveThreat™ Intelligence · 📅 June 26, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Chinese APT CL‑STA‑1062 Deploys Custom TinyRCT Backdoor Against Southeast Asian Government & Energy Networks

What Happened – Chinese‑speaking APT group CL‑STA‑1062 has been running persistent operations against Southeast Asian government agencies and state‑owned energy utilities since mid‑2025. The attackers gain initial foothold via ASPX web shells placed in vulnerable web applications, then install a bespoke backdoor called TinyRCT and use open‑source tools (SoftEther VPN, Mimikatz, JuicyPotato) to move laterally, exfiltrate data, and map networks.

Why It Matters for Compliance & Audit Readiness

  • The intrusion exploits web‑application misconfigurations and demonstrates a gap in continuous control monitoring – a core SOC 2 requirement for the Security principle.
  • Evidence of the malicious tooling and data exfiltration must be captured in real time to satisfy audit‑ready incident‑response documentation.
  • Mapping these gaps to SOC 2 controls (e.g., CC6.1 Change Management, CC7.1 Vulnerability Management) and retaining continuous evidence is exactly what Verisq’s Control Mapping capability enables.

Who Is Affected – Government ministries, regulatory bodies, and state‑owned energy operators in Southeast Asia.

Recommended Actions

  • Conduct a rapid inventory of all public‑facing web applications and verify they are hardened against ASPX shell injection.
  • Integrate continuous vulnerability scanning and automated evidence collection for remediation actions to meet SOC 2 audit expectations.
  • Update incident‑response playbooks to include detection of custom backdoors (e.g., TinyRCT) and ensure logs are retained in a tamper‑evident Trust Center.

Source: Security Affairs

Technical Notes – Attack vector: exploitation of vulnerable web applications → ASPX web shells → deployment of TinyRCT backdoor (PerfWatson2.exe) and open‑source tools (SoftEther VPN, Mimikatz, JuicyPotato). Data was compressed into password‑protected RAR archives before exfiltration. Source: same as above

📰 Original Source
https://securityaffairs.com/194312/intelligence/chinese-apt-cl-sta-1062-expands-attacks-on-southeast-asian-critical-infrastructure-with-custom-malware.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →