Chinese Cyber Group Targets Southeast Asian Utilities with New Backdoor

Critical infrastructure providers in Southeast Asia are facing targeted cyber intrusions from a China-linked group using a novel backdoor tool.

ThreatVectr Newsdesk· 3 min read
Aerial view of a Southeast Asian power plant at night, with a cybersecurity threat theme
Share

Key points

  • CL-STA-1062 targeted utilities and government entities in Southeast Asia in 2025.
  • The group uses a new backdoor tool called TinyRCT for espionage.
  • Palo Alto Networks researchers have observed over 10 attacks by the group.

A China-linked hacking group, known as CL-STA-1062, has shifted its focus from Taiwan to critical infrastructure providers in Southeast Asia. The group has targeted electricity and water providers, as well as several government and military organizations in the region, according to cybersecurity firm Palo Alto Networks.

Researchers from Palo Alto Networks published a report last week detailing these incidents. They have investigated more than 10 attacks by CL-STA-1062, revealing a pattern of targeting multiple government agencies or related organizations within the same country. The group has been noted for its ability to penetrate and maintain access to these critical systems, raising concerns about its potential impact on national security.

A significant aspect of CL-STA-1062's operations is their use of a new backdoor tool called TinyRCT. This tool allows the group to spy on system users, execute remote commands, and exfiltrate data, all while avoiding detection. TinyRCT is a lightweight piece of software written in C# — a programming language commonly used for developing a wide range of applications — and features self-destruct capabilities to erase evidence if its activities are discovered.

Palo Alto Networks identified the group as likely being previously detected by Cisco Talos researchers under a different name, UAT-7237, which had focused on targets in Taiwan. While Palo Alto Networks did not specify the countries affected by the recent attacks, they expressed high confidence that CL-STA-1062 and UAT-7237 are the same entity.

Should customers be worried?

The primary concern for individuals using services provided by compromised utilities is potential disruption. However, Palo Alto Networks has not observed the exfiltration of any electricity-related data or malware specifically targeting electricity operations. This suggests that the group may act as an initial access broker, gaining entry to systems before passing control to others.

For ordinary users, the key risk lies in potential service disruptions or data breaches affecting utility providers. Keeping informed about any notifications from service providers and monitoring account statements for unusual activity are prudent measures.

In 2025, Palo Alto Networks' researchers observed continued operations from CL-STA-1062, though the intensity appears to have diminished since late that year. Whether this reduction indicates a decrease in activity or an improvement in the group's stealth remains unclear.

As the cybersecurity landscape evolves, groups targeting critical infrastructure underscore the importance of robust security measures to protect essential services. Utilities and government entities must remain vigilant to prevent unauthorized access and safeguard against espionage activities.

© 2026 Threat Vectr