CL-STA-1062 Deploys TinyRCT .NET Backdoor via AppDomainManager Injection Against 10+ Southeast Asian Energy and Government Entities

CL-STA-1062 operators compromised Southeast Asian state-owned energy firms and government networks using ASPX web shells for initial access, followed by SoftEther VPN, Mimikatz, Yuze SOCKS5, and VNT VPN tools staged as vmtools.exe or XDRAgent.exe. In one September 2025 intrusion they exfiltrated an entire MS SQL web server source code directory after network reconnaissance across two entities in the same country. TinyRCT adds command execution, screenshot capture, file enumeration, and sandbox evasion not previously observed in this cluster. The activity overlaps with UAT-7237 operations against Taiwanese web infrastructure first reported by Talos in August 2025, extending documented CL-STA-1062 focus on East and Southeast Asia since March 2022. Contract awards and procurement records show consistent Chinese state interest in regional energy telemetry and SCADA-adjacent systems, matching the victim profile. Independent infrastructure pivots confirm the 139.180.134[.]221 downloader and 45.32.113[.]172 C2 were active only during the October-December window, contradicting broader attribution claims that lack packet-level or code-reuse evidence. The hybrid toolkit pattern indicates sustained resource allocation rather than ad-hoc operations. Expect continued use of low-detection .NET loaders against additional ASEAN critical infrastructure entities through mid-2026 as US-China technology controls tighten export scrutiny on regional grids.