The malware erases itself before any forensic team can reach it. Between October and December 2025, at least ten state-owned energy and government organizations across Southeast Asia were compromised. The toolkit includes Mimikatz (a credential-harvesting utility), JuicyPotato, SoftEther VPN, ASPX web shells, and a Simplified Chinese string in the source code, all consistent with documented Chinese-nexus tradecraft, which Unit 42 is careful not to equate with Chinese state direction. That carefulness is not evasion. It is a legal and evidentiary standard: you do not assert state sponsorship without evidence that holds up. For compliance officers, the distinction carries a concrete cost. You cannot write a scenario-testing playbook against a threat you are formally required to treat as unattributed. The stress test names the tool. The board report names no sponsor. The compliance officer writes both documents.
The HKMA (Hong Kong Monetary Authority) and SFC (Securities and Futures Commission) issued coordinated circulars on June 2 requiring authorized institutions to assess multi-layered defenses, implement Secure Tertiary Data Backup, and stress-test third-party cyber resilience against what the circulars describe as 'AI-enabled' threats. That framing accurately captures how frontier models lower the cost of initial access and accelerate lateral movement. It stops well short of naming any actor or any campaign. Hong Kong recorded 15,877 cyber incidents in 2025, up 27 percent from 12,536 in 2024, per HKMA's own citation of HKCERT data. The HKMA's new Cyber Resilience Testing Framework will run its first tests against selected institutions in late 2026, meaning the first compliance officer to sit across from an examiner and explain a TinyRCT-style intrusion will do so under a framework designed without a named specimen to build against. TinyRCT's self-destruct mechanism is specifically engineered to defeat the post-incident forensic review that a resilience framework depends on. The circulars describe the class of adversary. The HKMA's first examinations run against selected institutions in late 2026. The Unit 42 report naming TinyRCT was published June 2025. The framework will arrive after the specimen, and without its name.
The HKMA circulars were issued June 2. The Unit 42 report was published the same month. Neither cites the other. When the first resilience examiner sits down with a Hong Kong institution in late 2026, the institution will present a scenario built around an anonymized actor class. TinyRCT's cmd.exe delay chain deleted the forensic record before the response team arrived. A framework built on unnamed categories does the same thing to the board paper: the specific adversary is gone before anyone has to explain why it was not anticipated.