Chinese Threat Actor UAT-7237 Targets Southeast Asian Governments and Energy Infrastructure with TinyRCT Backdoor
Palo Alto Networks' Unit 42 has linked its tracked cluster CL-STA-1062 to UAT-7237, a Chinese threat actor previously identified by Cisco Talos. Active since at least March 2022, the group has expanded its operations into Southeast Asian government agencies, energy sectors, and state-owned enterprises in 2025, deploying a backdoor malware known as TinyRCT.

Highlights
- Palo Alto Networks Unit 42 confirmed that its tracked cluster CL-STA-1062 is the same threat actor as UAT-7237, previously identified by Cisco Talos.
- UAT-7237 has been active since at least March 2022, initially targeting Taiwan-based web hosting infrastructure.
- In 2025, the group expanded operations to Southeast Asian government agencies, energy companies, and state-owned enterprises.
- The threat actor deploys a backdoor malware called TinyRCT to maintain persistent remote access to compromised critical infrastructure networks.
- Attribution is reinforced by independent findings from both Unit 42 and Cisco Talos, pointing to a single, organized Chinese cyber-espionage actor.
Chinese Threat Actor UAT-7237 Expands Campaign to Southeast Asia with TinyRCT Backdoor
Palo Alto Networks' threat intelligence team, Unit 42, has confirmed that a Chinese cyber-espionage campaign it tracks as CL-STA-1062 is attributed to the same threat actor that Cisco's Talos intelligence group previously identified as UAT-7237.
According to Unit 42 researchers, the group has been active since at least March 2022, initially targeting Taiwan-based web hosting infrastructure. In 2025, the threat actor significantly broadened its scope, shifting focus toward Southeast Asian government agencies, energy sector organizations, and state-owned enterprises.
As part of its intrusion operations, the group has been deploying a backdoor malware designated TinyRCT, which enables persistent remote access to compromised systems. The backdoor is considered a key tool in the group's post-exploitation arsenal, allowing operators to maintain stealthy, long-term access to critical networks.
A Coordinated Attribution
The convergence of findings from both Unit 42 and Cisco Talos reinforces confidence in the attribution of these campaigns to a single, organized Chinese threat actor. The linking of CL-STA-1062 and UAT-7237 underscores the continuity of this group's operations across multiple years and geographic targets.
Critical Infrastructure at Risk
The shift toward Southeast Asian energy infrastructure and government networks reflects a broader trend of Chinese state-affiliated cyber actors targeting critical infrastructure in the Asia-Pacific region. Energy grids, government communication systems, and state-owned enterprises represent high-value intelligence targets, consistent with strategic geopolitical interests.
Security researchers and affected organizations are urged to review indicators of compromise (IOCs) associated with UAT-7237/CL-STA-1062 and assess exposure to TinyRCT-related intrusion activity.
Source: Palo Alto Networks Unit 42 / Cisco Talos