TinyRCT

The task is configured to run the malware with the highest available privileges (e.g., /rl highest ) every time the user logs on to the system (e.g., /sc onlogon ). This ensures that the infection survives system reboots.

These web shells function as the central mechanism for executing arbitrary commands, dropping additional tooling and conducting initial reconnaissance.

This specific combination of files is used to perform AppDomainManager Injection – a technique that exploits the trust relationship between a .NET application and its configuration file.

The task is configured to run the malware with the highest available privileges (e.g., /rl highest ) every time the user logs on to the system (e.g., /sc onlogon ). This ensures that the infection survives system reboots.

The task is configured to run the malware with the highest available privileges (e.g., /rl highest ) every time the user logs on to the system (e.g., /sc onlogon ). This ensures that the infection survives system reboots.

These tools were often disguised as legitimate system files, such as VMware executables or an XDR agent.

Upon receiving the self-destruct command, the malware first deletes the GoogleUpdater scheduled task created by the loader. It then executes a self-deletion routine

Upon execution, the malware performs an environment validation to explicitly verify that it was executed from %LOCALAPPDATA% . If the malware was executed from any other location – such as a sandbox environment or a malware analyst’s desktop – the binary terminates immediately.

This specific combination of files is used to perform AppDomainManager Injection – a technique that exploits the trust relationship between a .NET application and its configuration file.

Host Fingerprinting and Registration Before entering its main command loop, TinyRCT conducts initial reconnaissance to fingerprint the infected host... collecting the following data points: ... Local IP addresses

TinyRCT conducts initial reconnaissance to fingerprint the infected host... collecting the following data points: User and system context: Current username, machine name and OS version.

As part of our observations of CL-STA-1062, we noted activity sending the results of network and system enumeration directly to an actor-controlled IP address using curl.

File listing: Enumerates directories and files in the specified path. Returns format: Filename*Date*Size .

Upon execution, the malware performs an environment validation to explicitly verify that it was executed from %LOCALAPPDATA% . If the malware was executed from any other location – such as a sandbox environment or a malware analyst’s desktop – the binary terminates immediately.

Screen capture: Captures the primary screen, saves the capture as a JPEG file, compresses it, encrypts it and sends it to the C2.

The malware uses standard HTTP for network traffic... It polls the C2 server for instructions using GET requests, while it sends exfiltrated data via POST requests.

These requests connected to attacker-controlled infrastructure and resulted in the victim networks downloading malicious payloads that included SoftEther VPN components and RAR archives containing the group's tools.

The malware uses standard HTTP for network traffic... It polls the C2 server for instructions using GET requests, while it sends exfiltrated data via POST requests.