CL-STA-1062, a Chinese-speaking threat cluster assessed to be the same as UAT-7237, has compromised Southeast Asian government and critical energy infrastructure entities throughout 2025 using web shell deployment, MSSQL data exfiltration, and open-source tunneling tools (SoftEther VPN, VNT, yuze). The group has introduced TinyRCT, a previously undocumented .NET backdoor delivered via AppDomainManager Injection (malicious chrome_setup.zip), which uses AES-CBC encrypted HTTP C2, sandbox-evasion path checks, scheduled-task persistence disguised as legitimate updater services, and a self-destruct routine using choice.exe for anti-forensic file deletion.