What happened
Cybersecurity researchers at Palo Alto Networks’ Unit 42 have identified a China-linked threat group, CL-STA-1062, targeting critical infrastructure organizations across Southeast Asia. According to the company’s latest findings, the group has shifted its focus from earlier attacks on web-hosting infrastructure in Taiwan to campaigns against electricity and water providers, along with government and military organizations in the region.
Researchers investigated more than 10 incidents involving the group. In several cases, the attackers moved laterally between connected organizations or multiple government agencies within the same country, demonstrating an ability to expand their access after the initial compromise.
A key element of the campaign is the deployment of a previously undocumented backdoor called TinyRCT. The lightweight remote access tool is designed to evade detection through anti-analysis capabilities, including a self-destruct feature that can erase forensic evidence if the malware detects an investigation. The malware also enables remote command execution, system reconnaissance, and data collection.
Yoni Allon, Senior Vice President of Software Engineering at Palo Alto Networks, said the group’s successful compromises of critical infrastructure make it particularly concerning. While researchers observed scanning activity against additional infrastructure targets, they could not confirm whether every attempted intrusion was successful.
Who is affected
The campaign primarily targets organizations operating critical infrastructure in Southeast Asia, including electricity and water utilities. Government agencies and military organizations have also been affected.
While Palo Alto Networks did not disclose the names of impacted countries, researchers believe the group is likely the same actor previously tracked by Cisco Talos as UAT-7237, which had targeted organizations in Taiwan.
Researchers have not observed malware specifically targeting operational technology or industrial control systems. However, the attackers’ ability to gain access to organizations responsible for essential services raises concerns about long-term espionage or future disruptive operations.
Why CISOs should care
The campaign highlights the continued interest of nation-state actors in establishing persistent access inside critical infrastructure environments. Even when immediate disruption is not observed, attackers may be positioning themselves for future intelligence gathering or strategic operations.
TinyRCT’s stealth features, including its ability to masquerade as legitimate software and remove evidence of its presence, make detection significantly more difficult. The group’s use of legitimate tools and renamed binaries further demonstrates how advanced attackers blend into normal enterprise activity.
For security leaders, the findings reinforce the importance of monitoring lateral movement, strengthening visibility across enterprise environments, and investigating suspicious administrative activity before attackers can establish long-term persistence.
3 practical actions
- Review endpoint detection and logging capabilities to identify stealthy malware, renamed binaries, and suspicious remote administration activity.
- Strengthen network segmentation and monitor for lateral movement between business units, government agencies, or critical operational environments.
- Conduct threat hunting focused on persistence mechanisms, remote access tools, and unusual command execution to detect hidden compromises before they escalate.

