threat-wire
China-Linked Group Hits Power and Water Utilities in Asia
A China-linked group tracked as CL-STA-1062 has compromised at least 10 electricity, water, and government organizations across Southeast Asia over the past year using a new stealth backdoor called TinyRCT. Palo Alto Networks says the group may be selling its footholds to other attackers rather than acting alone.
By SecureBusinessHub Editorial, International cybersecurity desk
From web servers in Taiwan to power grids in Southeast Asia
Palo Alto Networks' Unit 42 published research on June 25 tracking a Chinese-language threat group it calls CL-STA-1062 as it shifted targets over the past year, moving from attacking web-hosting infrastructure in Taiwan to breaking into electricity and water providers, government agencies, and military organizations across Southeast Asia. The firm has investigated more than 10 separate intrusions by the group and has high confidence it is the same actor Cisco Talos previously tracked as UAT-7237.
TinyRCT: small, stealthy, and built to erase itself
The group's calling card is TinyRCT, a lightweight backdoor written in C# that Unit 42 first detected in 2025. It runs arbitrary commands, updates its own configuration, and fingerprints the systems it lands on, all while working to dodge analysis. If an operator suspects they've been spotted, TinyRCT can self-destruct on command, deleting the forensic trail behind it. Its command-and-control parsing code contains comments written in simplified Chinese. To blend in, the malware masquerades as PerfWatson2.exe, a real Visual Studio telemetry component, while a companion tool renames SoftEther VPN binaries to look like VMware or XDR agent executables.
Once inside, the group has moved laterally between multiple government agencies linked within the same country, and in one case stayed inside a victim's network for months, running the full chain from initial access to data exfiltration. In other intrusions it stopped after gaining a foothold and fingerprinting the environment, which is why Unit 42 assesses, with low confidence, that CL-STA-1062 may function as an initial access broker: breaking in and handing access to another group rather than finishing the job itself. Researchers watched the group scan a water utility for vulnerabilities in one case but couldn't confirm whether it got in, and found no evidence of stolen data tied to electricity systems or operational technology in any of the intrusions investigated so far.
Detection signals to hunt for
- A process named PerfWatson2.exe running outside of a Visual Studio installation, or on a server that has no reason to run Visual Studio telemetry at all.
- SoftEther VPN binaries present on a system but renamed to resemble VMware or XDR/EDR agent executables, a mismatch endpoint tools rarely flag on their own.
- Outbound connections to unfamiliar infrastructure from systems that support critical operations (SCADA gateways, utility billing servers, government case-management systems), especially from accounts recently used to log into a linked government agency.
- Any sign of vulnerability scanning aimed at utility or public-sector systems, even without a confirmed breach. Unit 42 observed reconnaissance against a water utility that may not have progressed further.
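The first two signals above can be checked mechanically against a host inventory. The script below is an added example written for this article, not code from Unit 42 or from any detection product: it triages constructed process records, flagging PerfWatson2.exe images that do not live under a Visual Studio install path and SoftEther VPN executables whose on-disk name no longer matches the OriginalFilename in their PE version resource. The record layout, the set of SoftEther executable names, and the sample hosts and paths are all assumptions made for the example.

```python
"""Triage a constructed host inventory for two TinyRCT-related signals:
   1. PerfWatson2.exe running outside a Visual Studio installation.
   2. SoftEther VPN binaries renamed to look like other agents.
Example code written for this article; not Unit 42's tooling."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# SoftEther VPN executable names as they appear in the PE version-info
# OriginalFilename field (assumed set; extend it to match your environment).
SOFTETHER_ORIGINAL_NAMES = {"vpnserver.exe", "vpnclient.exe", "vpnbridge.exe", "vpncmd.exe"}


@dataclass(frozen=True)
class ProcessRecord:
    host: str
    image_name: str          # file name as listed on disk / in the process list
    image_path: str          # full path of the executable
    original_filename: str   # OriginalFilename from the PE version resource ("" if absent)


def _under_visual_studio(path: str) -> bool:
    """True if any directory component of the path names a Visual Studio install."""
    return any("microsoft visual studio" in part.lower() for part in PureWindowsPath(path).parts)


def perfwatson_outside_visual_studio(rec: ProcessRecord) -> bool:
    """Signal 1: the real telemetry component only ships inside Visual Studio."""
    return rec.image_name.lower() == "perfwatson2.exe" and not _under_visual_studio(rec.image_path)


def renamed_softether(rec: ProcessRecord) -> bool:
    """Signal 2: a SoftEther binary whose on-disk name differs from its compiled-in name."""
    orig = rec.original_filename.lower()
    return orig in SOFTETHER_ORIGINAL_NAMES and orig != rec.image_name.lower()


def triage(records):
    """Return (host, finding, path) triples for every record that trips a signal."""
    findings = []
    for rec in records:
        if perfwatson_outside_visual_studio(rec):
            findings.append((rec.host, "perfwatson2_outside_visual_studio", rec.image_path))
        if renamed_softether(rec):
            findings.append((rec.host, "renamed_softether_binary", rec.image_path))
    return findings


# Constructed sample inventory: one benign PerfWatson2, one planted copy,
# one renamed SoftEther client, and one SoftEther client under its own name.
SAMPLE_RECORDS = [
    ProcessRecord("dev-ws-01", "PerfWatson2.exe",
                  r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe",
                  "PerfWatson2.exe"),
    ProcessRecord("billing-srv-02", "PerfWatson2.exe",
                  r"C:\ProgramData\update\PerfWatson2.exe", "PerfWatson2.exe"),
    ProcessRecord("scada-gw-03", "vmware-tray.exe",
                  r"C:\Program Files\VMware\vmware-tray.exe", "vpnclient.exe"),
    ProcessRecord("vpn-gw-04", "vpnclient.exe",
                  r"C:\Program Files\SoftEther VPN Client\vpnclient.exe", "vpnclient.exe"),
]

if __name__ == "__main__":
    for host, finding, path in triage(SAMPLE_RECORDS):
        print(f"{host}: {finding} -> {path}")
```

Only the renamed SoftEther binary and the PerfWatson2.exe copy outside Visual Studio are reported; a SoftEther client running under its own name is left alone, since the signal described above is the mismatch, not the presence of the VPN software. On a real fleet the OriginalFilename field comes from the PE version resource, which most EDR and inventory tools already collect, so the same two checks can be expressed as a saved query instead of a script.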
The activity fits a pattern researchers have tracked since 2020: Chinese state-linked groups shifting from pure espionage in the region toward long-term, pre-positioned access, similar to the strategy documented in Volt Typhoon's campaigns in the US. Unit 42 says the volume of new CL-STA-1062 compromises has dropped compared to late 2025, though that could mean reduced activity or simply better evasion.
None of this is aimed at businesses outside the region or outside critical infrastructure directly, and Unit 42 has not linked the group to any campaign against private-sector SMBs. The reason it belongs on any security team's radar anyway is the initial access broker angle: if CL-STA-1062 is establishing footholds and passing them on rather than running full operations itself, any vendor, contractor, or managed service provider connected to a targeted utility or government agency inherits some of that exposure through the supply chain, whether or not they ever see TinyRCT directly.