CL-STA-1062, a Chinese-speaking threat cluster, has conducted sustained espionage against Southeast Asian critical infrastructure and government entities since 2022, deploying the TinyRCT .NET backdoor via AppDomainManager injection. The campaign exploits no disclosed CVEs; it relies on DLL search order hijacking, masquerading as VMware and Chrome binaries, and SoftEther VPN C2 tunneling. At least 10 organizations were confirmed breached between October and December 2025.
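
A hunting check for the config-file form of AppDomainManager injection, added here as an example and not taken from the report: it walks a directory tree, flags any `*.config` whose `<runtime>` section sets the standard .NET Framework `appDomainManagerAssembly` / `appDomainManagerType` elements, and notes whether a DLL of that name sits beside the host executable. The file names and sample configs in `demo()` are constructed and hypothetical; it assumes the settings are delivered through a config file, so settings supplied any other way are not covered.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# .NET Framework <runtime> settings that make the CLR load a custom AppDomainManager.
KEYS = ("appDomainManagerAssembly", "appDomainManagerType")

def inspect_config(xml_data):
    """Return the AppDomainManager settings in a .config document ({} if none)."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return {}  # not well-formed XML, nothing to report
    found = {}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace, if any
        if name in KEYS and el.get("value"):
            found[name] = el.get("value").strip()
    return found

def scan(root_dir):
    """Report every *.config under root_dir that sets an AppDomainManager."""
    hits = []
    for cfg in sorted(Path(root_dir).rglob("*.config")):
        settings = inspect_config(cfg.read_bytes())
        if not settings:
            continue
        # The simple assembly name precedes the first comma of the display name.
        asm = settings.get("appDomainManagerAssembly", "").split(",")[0].strip()
        hits.append({"host": cfg.name[:-len(".config")], "assembly": asm,
                     "type": settings.get("appDomainManagerType", ""),
                     # A DLL of that name beside the host is the file to triage.
                     "dll_beside_host": bool(asm) and (cfg.parent / (asm + ".dll")).is_file()})
    return hits

def demo():
    """Scan a constructed directory; every file name in it is hypothetical."""
    flagged = ('<configuration><runtime>'
               '<appDomainManagerAssembly value="HelperLib, Version=1.0.0.0" />'
               '<appDomainManagerType value="HelperLib.Manager" />'
               '</runtime></configuration>')
    benign = '<configuration><runtime><gcServer enabled="true" /></runtime></configuration>'
    files = {"updater.exe.config": flagged, "HelperLib.dll": "", "svc.exe.config": benign}
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            Path(d, name).write_text(body, encoding="utf-8")
        return scan(d)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead, not a verdict: some legitimate software sets a custom AppDomainManager, so triage on whether the host binary's name and signer match the directory it runs from and whether the referenced DLL is signed.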