Author: anonymousmedia_tal70o

Ravie LakshmananJun 26, 2026Cyber Espionage / Malware

A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia.

The activity, particularly aimed at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor called CL-STA-1062, which Palo Alto Networks Unit 42 said shares overlaps with UAT-7237, a hacking group that was first flagged by Cisco Talos in August 2025 in relation to a campaign directed against web infrastructure entities in Taiwan.

Unit 42 said it also observed CL-STA-1062 campaigns in prior operations targeting strategic sectors in East Asia since March 2022, suggesting a broader but sustained focus in the region.

“From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit,” Unit 42 said in a technical report. “While they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor.”

TinyRCT is equipped to run arbitrary commands, enumerate files and exfiltrate them, capture the device’s screen, and delete itself from the compromised host.

In one campaign detected in September 2025, the threat actor is said to have infiltrated a Southeast Asian government entity and deployed a web shell to exfiltrate data from an MS SQL server. During the same attack, the threat actors have been found to conduct network reconnaissance on a separate government entity in the same country.

“This suggests an effort to identify lateral movement opportunities and broaden their access. In one case, we observed the attacker staging and exfiltrating an entire directory of web server source code from the government entity,” Unit 42 said, adding it detected the breach of at least 10 different organizations in Southeast Asia between October and December 2025.

Since at least mid-2025, CL-STA-1062 has trained its sights on the critical infrastructure, with the adversary scanning multiple entities in the region for vulnerabilities and then establishing a foothold via ASPX web shells that facilitate initial reconnaissance and outbound requests from the infected networks to attacker-controlled infrastructure, leading to the deployment of additional payloads.

This includes SoftEther VPN components and RAR archives containing the group’s toolset, including open-source utilities such as Yuze (a SOCKS5 proxy) and VNT (a VPN), often disguising them as VMware executables or an XDR agent (e.g., “XDRAgent.exe,” “vmtools.exe,” and “vmwared.exe”).

Further analysis of the campaign’s infrastructure has led to the discovery of a previously undocumented .NET backdoor dubbed TinyRCT (“PerfWatson2.exe”), a lightweight remote access trojan that enables system reconnaissance, command execution, file uploads, screenshot capture, remote control, and wipe traces of itself, while taking steps to avoid running in sandboxed environments.

It establishes a persistent communication channel with a remote server (“45.32.113[.]172”) over HTTP, but encrypts the exchanged data using AES-128 encryption in CBC mode.

“The malware operates on a beaconing model, with a default 10-second sleep interval between requests,” Unit 42 explained. “It polls the C2 server for instructions using GET requests, while it sends exfiltrated data via POST requests.”

As for how TinyRCT is delivered, it takes the form of a malicious archive named “chrome_setup.zip” containing a legitimate executable (“chrome_setup.exe”), a configuration file (“chrome_setup.exe.config”), and a rogue DLL (“MyAppDomainManager.dll”) that’s used to trigger an AppDomainManager injection attack to load the malicious DLL, which functions as a downloader by contacting “139.180.134[.]221” to retrieve “PerfWatson2.exe.”

“The combination of tools observed in this activity cluster reflects a pragmatic approach to tool selection and attack capabilities,” Unit 42 concluded. “The attackers behind this cluster continue to leverage common open-source tools such as SoftEther VPN and VNT to facilitate lateral movement.”

“Our discovery of the TinyRCT backdoor in the attackers’ infrastructure underscores their ability to customize tools to gain specific capabilities. The combination of targeting critical infrastructure and the development of custom malware suggests that CL-STA-1062 activity will continue to pose a threat to the region.”

Swati KhandelwalJun 26, 2026Secure Messaging / Social Engineering

The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts, and the operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key.

Hand it over once, and the attacker can restore the account’s backup, read the private and group message history, and take over the account. Worse, the key keeps working. Make a new account on the same phone number, and the old key can still be used against it, the advisory warns.

The fix is blunt: generate a new key in Settings, which kills the old one for future backup downloads, and accept that anything the attacker already pulled is gone.

The updated advisory, PSA I-062626-PSA, adds two public tracking names the March notice lacked: UNC5792 and UNC4221. The FBI ties the activity to multiple Russian Intelligence Services (RIS) groups, including FSB officers embedded with the FSB Border Guards and others working for the Russian military services. The campaign hits Signal and WhatsApp accounts; the new recovery-key tactic the advisory describes is specific to Signal.

The targets are individuals of high intelligence value: current and former U.S. and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The March notice said the broader campaign had already compromised thousands of accounts worldwide.

The phishing message poses as Signal support. Earlier waves asked for SMS verification codes and account PINs, or used doctored “group invite” links that silently linked an attacker’s device to the account.

The updated version walks the target through turning on Signal backups, opening the Recovery Key, and pasting it into the chat. The advisory prints two sample messages: one dressed up as a mandatory two-factor rollout, the other as an urgent “data recovery” fix for messages supposedly at risk of loss.

As in March, the agencies are clear that none of these breaks Signal’s encryption or the app itself. The actors compromise individual accounts through social engineering, then walk in through a legitimate feature.

Alongside the update, the State Department’s Rewards for Justice program is offering up to $10 million for information on UNC5792.

The activity overlaps with warnings from Dutch intelligence (AIVD and MIVD), Germany’s BfV and BSI, and France’s ANSSI earlier this year. Google’s Threat Intelligence Group first documented UNC5792 abusing Signal’s linked-device feature in early 2025, and saw the same tradecraft turn up against WhatsApp and Telegram.

What to do now

• Treat any in-app message from “Signal support” as hostile. Real support does not message you inside the app to ask for codes, PINs, or your Recovery Key.
• Never paste your Backup Recovery Key, verification code, or PIN into a chat. Nothing legitimate asks for them that way.
• Open Settings, check Linked Devices, and remove anything you do not recognize.
• If you think you handed over your Recovery Key, generate a new one in Settings now, and assume any backup made before that is already in someone else’s hands.

The March notice warned the tactics would shift. They have, from chasing one-time codes to taking the key that opens the entire archive. The encryption holds. The account is the weak point, and the person holding it is the target.

A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.

Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. 

“The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region,” the Russian cybersecurity vendor said.

The campaign does not exhibit direct links to any known threat actor or group, although the operators have utilized several open-source post-compromise tools like FScan and Pillager, commonly put to use by Chinese-speaking developers. It’s believed that the campaign is the handiwork of a Chinese-speaking threat actor.

Attack chains involve the two initial access pathways: the exploitation of known Exchange Server flaws, such as CVE-2021-26855 (aka ProxyLogon), to strike the Indonesian diplomatic entity, or through a path traversal vulnerability impacting Openfire (CVE-2023-32315) in the case of Taiwanese software development organizations, or a critical remote code execution bug in GeoServer (CVE-2024-36401) to target a Colombian organization.

Other remote code execution and authentication bypass vulnerabilities weaponized by the threat actor are listed below –

It’s assessed that the threat actors are likely employing publicly available proof-of-concept (PoC) exploits hosted on GitHub or other open-source platforms to gain initial access in an opportunistic manner. Upon gaining a foothold, the threat actors establish persistence by deploying web shells to trigger a DLL side-loading chain involving “SystemSettings.exe” (CVE-2021-27076) to deliver SharkLoader (“SystemSettings.dll”).

A second method used by StrikeShark to distribute the loader is via custom dropper executables masquerading as legitimate software installers or applications like Google Update and Cisco AnyConnect, and executing the malware loader once the installation process completes. The method by which these droppers are delivered is currently unknown.

“In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file,” Kaspersky explained. “However, not all samples employ this technique, as some droppers function solely as a delivery mechanism for SharkLoader without presenting any lure content.”

Once the DLL is loaded, SharkLoader implements what’s called Perfect DLL Hijacking, a technique detailed by security researcher Elliot Killick in October 2023, to execute malicious code while bypassing Windows Loader Lock, a system-wide lock held by the operating system when loading and unloading DLLs.

Specifically, it’s engineered to decrypt and load “DscCoreR.mui,” which is then used to decompress and load Cobalt Strike in a new thread created in a suspended state, along with two other components –

• SyncRes.dat, which installs multiple Windows API hooks by using the Microsoft Detours library to monitor exceptions generated during runtime.
• MinHook DLL, which installs API hooks for the VirtualAlloc and Sleep functions to copy the decompressed Cobalt Strike Beacon into the allocated memory region using VirtualAlloc. The Sleep-related hook is triggered when the Beacon calls Sleep, likely in an attempt to evade memory scanning techniques that identify executable (RWX) code regions in memory.

“Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon,” Kaspersky explained.

While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage Registry Run keys and scheduled tasks as a way to activate the launch of “SystemSettings.exe” either when a user logs in, or even if no user is logged in.

The attacks also involve an extensive reconnaissance phase following initial compromise and persistence, with the threat actor engaging in Active Directory enumeration, credential theft by targeting the LSASS process and the NTDS database file, and deploying open-source scanners and information gathering tools like FScan, Searchall, and Pillager.

Given the absence of active data exfiltration, it’s unclear what the end goals of StrikeShark are. However, the targeting of government and software development organizations suggests a cyber espionage bent with a potential interest in hoovering political intelligence or intellectual property.

“At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems,” Kaspersky said. “The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike’s file operation and data exfiltration modules could be employed at a later stage.”