Unit 42 has attributed a multi-year espionage campaign (CL-STA-1062 / UAT-7237) to Chinese-nexus threat actors who compromised at least ten Southeast Asian government and critical energy infrastructure organizations in 2025. The campaign deployed TinyRCT, a .NET backdoor masquerading as VMware executables and as a Palo Alto Networks XDR agent, and used SoftEther VPN tunneling and AppDomainManager injection for persistence. Organizations in Southeast Asian government and critical energy sectors, and any organization with Cortex XDR or VMware deployed, should validate that the agent executables in their environments are authentic.
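The validation step above can be turned into a quick host audit. The following PowerShell script is an added example, not code from the Unit 42 report or from Tech Jacks Solutions. It walks the install directories where Cortex XDR and VMware binaries are normally found (the `$Roots` defaults are assumptions; pass your own paths) and reports two things a masquerading .NET backdoor tends to get wrong: an executable whose Authenticode signature is missing, invalid or from an unexpected signer, and an executable that has a side-by-side `.exe.config` setting `appDomainManagerAssembly`, which is the .NET startup hook that AppDomainManager injection abuses.

```powershell
# Added example: audit vendor executables for signature problems and for
# AppDomainManager configuration hooks. Paths in $Roots are assumptions.
param(
    [string[]]$Roots = @(
        "$env:ProgramFiles\Palo Alto Networks",   # assumed Cortex XDR install root
        "$env:ProgramFiles\VMware"                # assumed VMware install root
    )
)

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Authenticode check: a genuine agent binary should be 'Valid' and signed
        # by the vendor; 'NotSigned', 'HashMismatch' or an odd subject are red flags.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # AppDomainManager check: a <runtime><appDomainManagerAssembly value="..."/>
        # entry in <exe>.config makes the CLR load an attacker-chosen assembly at start.
        $cfgPath = "$($_.FullName).config"
        $hasAdm  = $false
        if (Test-Path -LiteralPath $cfgPath) {
            try {
                $xml    = [xml](Get-Content -LiteralPath $cfgPath -Raw)
                $hasAdm = [bool]$xml.configuration.runtime.appDomainManagerAssembly
            } catch {
                $hasAdm = $null   # unparseable config beside an agent binary also deserves a look
            }
        }

        [pscustomobject]@{
            Path             = $_.FullName
            SignatureStatus  = $sig.Status
            Signer           = $sig.SignerCertificate.Subject
            AppDomainManager = $hasAdm
        }
    }
}

# Anything not cleanly signed, or carrying an AppDomainManager hook, is reported.
$findings |
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.AppDomainManager -ne $false } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so every subdirectory is readable, and review the `Signer` column even for `Valid` results: a correctly signed binary from a publisher other than the vendor you expect is as much a finding as an unsigned one.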

Author

Tech Jacks Solutions