TinyRCT
TinyRCT is a previously undocumented lightweight C#/.NET remote access trojan and backdoor for Windows used by the Chinese-speaking threat cluster CL-STA-1062, which overlaps with UAT-7237. It has been observed in espionage-focused intrusions targeting government entities and state-owned critical energy infrastructure in Southeast Asia. Reported capabilities include arbitrary command execution via cmd.exe, remote host management, directory and file enumeration, file reading and exfiltration, screenshot capture as JPEG, downloading files from URLs, and self-deletion.

TinyRCT communicates with hardcoded command-and-control infrastructure over plain HTTP, using AES-128-CBC encryption; reported details include the C2 address 45.32.113[.]172, a default 10-second polling interval, and the hardcoded key "ThisIsASecretKey87654321". File exfiltration was described as occurring in 40 KB gzip-compressed, AES-encrypted chunks. The malware contains a Simplified Chinese string in its code.

Unit 42 found the payload hosted on attacker infrastructure at 139.180.134[.]221 as PerfWatson2.exe, a filename chosen to mimic a legitimate Microsoft Visual Studio telemetry component. TinyRCT was delivered through a DLL side-loading/AppDomainManager injection chain using a malicious archive named chrome_setup.zip containing a legitimate signed chrome_setup.exe, a malicious chrome_setup.exe.config, and a rogue MyAppDomainManager.dll. The loader checked that it was running from the user's Downloads directory, retrieved PerfWatson2.exe from the staging server, dropped it into %LOCALAPPDATA%, and created a scheduled task named GoogleUpdaterTaskSystem140.0.7272.0 for persistence. TinyRCT itself terminates if it is not running from %LOCALAPPDATA%. Its self-destruct routine uses choice.exe to delay deletion and removes its persistence scheduled task.
Reported related indicators include 139.180.134[.]221, 45.32.113[.]172, PerfWatson2.exe, chrome_setup.zip, MyAppDomainManager.dll, and the scheduled task name GoogleUpdaterTaskSystem140.0.7272.0.
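The delivery chain and indicators above map directly onto a handful of host and network telemetry checks. The following triage helper is an added example (not Unit 42 or Mallory code); the pipe-delimited log format and the sample lines are constructed for illustration, and the defanged IPs from the report are re-armed only so they can be matched against telemetry.

```python
"""Log triage for the TinyRCT delivery chain: Downloads staging of the
AppDomainManager side-load files, PerfWatson2.exe running from
%LOCALAPPDATA%, the persistence task name, and the reported C2/staging IPs.
Added example; the 'k=v|k=v' log shape is an assumption, not a real format."""
import re

C2_IPS = {"45.32.113.172", "139.180.134.221"}          # re-armed from the report
TASK_NAME = "GoogleUpdaterTaskSystem140.0.7272.0"
STAGING_FILES = {"chrome_setup.exe.config", "myappdomainmanager.dll"}
# The fake PerfWatson2.exe was dropped straight into %LOCALAPPDATA%; the
# legitimate Visual Studio copy lives under the VS install tree instead.
LOCALAPPDATA_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\perfwatson2\.exe$", re.I)
DOWNLOADS_RE = re.compile(r"\\downloads\\", re.I)

def parse(line):
    """Split 'k=v|k=v' into a dict; lines with no '=' pairs yield {}."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)

def triage(line):
    """Return finding strings for one log line (empty list if nothing hits)."""
    ev = parse(line)
    kind = ev.get("kind")
    hits = []
    if kind == "process" and LOCALAPPDATA_RE.match(ev.get("image", "")):
        hits.append("PerfWatson2.exe executing from %LOCALAPPDATA%")
    if kind == "task" and ev.get("name") == TASK_NAME:
        hits.append("TinyRCT persistence scheduled task created")
    if kind == "net" and ev.get("dst") in C2_IPS:
        hits.append("connection to reported TinyRCT infrastructure")
    if kind == "file":
        path = ev.get("path", "")
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in STAGING_FILES and DOWNLOADS_RE.search(path):
            hits.append("AppDomainManager side-load staging in Downloads")
    return hits

def scan(lines):
    """Return (line_number, finding) pairs for every hit across the log."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in triage(line)]

# Constructed sample telemetry: four chain events followed by two benign ones.
SAMPLE_LOGS = [
    r"kind=file|path=C:\Users\ann\Downloads\MyAppDomainManager.dll",
    r"kind=process|image=C:\Users\ann\AppData\Local\PerfWatson2.exe",
    r"kind=task|name=GoogleUpdaterTaskSystem140.0.7272.0|runlevel=Highest",
    r"kind=net|dst=45.32.113.172|dport=80|proto=http",
    r"kind=process|image=C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe",
    r"kind=net|dst=8.8.8.8|dport=53|proto=udp",
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOGS):
        print(f"line {n}: {finding}")
```

The path check matters more than the filename: PerfWatson2.exe is a real Visual Studio binary, so alerting on the name alone would be noisy.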
Groups observed using it
2 distinct threat actors attributed by public researchers.
CL-STA-1062 employs a hybrid toolkit, combining open-source tools like SoftEther VPN, Mimikatz, and VNT with a newly discovered custom backdoor named TinyRCT. TinyRCT, a lightweight C# backdoor, allows for arbitrary command execution, file exfiltration, screenshot capture, and self-deletion, with its code containing a simplified Chinese string indicating its origin.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (6 techniques)
...and registers a scheduled task to keep the infection alive across system reboots.
creates a scheduled task named GoogleUpdaterTaskSystem140.0.7272.0 set to run at the highest available privileges on every user login
TinyRCT, a lightweight C# backdoor, allows for arbitrary command execution...
It's a lightweight C# backdoor that runs arbitrary commands via cmd.exe
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (7 techniques)
The attackers then establish persistence using VPNs and other tools disguised as legitimate system processes.
TinyRCT, a lightweight C# backdoor, allows for arbitrary command execution, file exfiltration, screenshot capture, and self-deletion...
...while taking steps to avoid running in sandboxed environments.
Upon execution, the malware performs an environment validation to explicitly verify that it was executed from %LOCALAPPDATA%. If the malware was executed from any other location – such as a sandbox environment or a malware analyst's desktop – the binary terminates immediately.
Discovery (6 techniques)
Host Fingerprinting and Registration: Before entering its main command loop, TinyRCT conducts initial reconnaissance to fingerprint the infected host... collecting the following data points: ... Local IP addresses
TinyRCT conducts initial reconnaissance to fingerprint the infected host... collecting the following data points: User and system context: Current username, machine name and OS version.
TinyRCT ... enables system reconnaissance, command execution, file uploads, screenshot capture, remote control...
enumerates directories and files, reads and exfiltrates files
...while taking steps to avoid running in sandboxed environments.
Upon execution, the malware performs an environment validation to explicitly verify that it was executed from %LOCALAPPDATA%. If the malware was executed from any other location – such as a sandbox environment or a malware analyst's desktop – the binary terminates immediately.
Collection (1 technique)
IOCs tracked for this family
19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A lightweight C# backdoor used for persistent access, arbitrary command execution, file exfiltration, screenshot capture, and self-deletion. It uses hardcoded C2 addresses and AES-128 CBC encryption, and is delivered via a malicious DLL disguised inside a legitimate-looking application installer.
A bespoke lightweight C# backdoor used by CL-STA-1062 for long-term, low-visibility persistence. It executes arbitrary commands, performs file and directory enumeration, exfiltrates files in encrypted chunks, captures screenshots, downloads files, creates persistence via a scheduled task, and can self-delete.
Custom .NET backdoor / remote access trojan used in attacks against Southeast Asian government and critical infrastructure targets. It supports arbitrary command execution, system and file reconnaissance, file upload and exfiltration, screenshot capture, remote control, self-deletion, sandbox evasion, and HTTP beaconing with AES-128-CBC encrypted communications.
A custom Windows remote access trojan/backdoor written in C#. It is delivered via chrome_setup.zip using AppDomainManager Injection, checks execution context to evade sandboxing, downloads its payload as PerfWatson2.exe, establishes persistence via a scheduled task, beacons to C2 every ten seconds using AES-128-encrypted traffic, and supports shell command execution, file listing/reading, payload download, screenshot capture, and self-deletion.