Asia-based spies hacked 37 countries' critical networks • The Register

Regulation Reporter

State-aligned cyber group TGR-STA-1030 compromised 70+ organizations across 37 countries, including government ministries, police, and critical infrastructure, using phishing and exploiting known vulnerabilities.

A state-aligned cyber group in Asia has compromised government and critical infrastructure organizations across 37 countries in an ongoing espionage campaign, according to security researchers at Palo Alto Networks' Unit 42. The group, tracked as TGR-STA-1030, successfully breached at least 70 organizations and maintained access to several for months, raising serious concerns about national security and key services.

Scope and Targets

The espionage campaign demonstrates both breadth and depth in its targeting. The spies successfully infiltrated five national police or border control entities, one nation's parliament, a senior elected official, and national telecommunications companies. Additionally, they broke into systems belonging to three ministries of finance and other government agencies.

"While this group might be pursuing espionage objectives, its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services," Unit 42 researchers stated in their report published Wednesday.

Data Exfiltration

Palo Alto Networks confirmed that the threat actor successfully accessed and exfiltrated sensitive data from victim email servers. According to Pete Renals, Unit 42 Director of National Security Programs, the stolen data included:

  • Financial negotiations and contracts
  • Banking and account information
  • Critical military-related operational updates

Reconnaissance Activities

The group's activities extend beyond initial compromises. Unit 42 observed the spies conducting "active reconnaissance" against 155 governments across the Americas, Europe, Asia, and Africa between November and December 2025. The researchers documented a "concerted focus" on Germany in July 2025, during which the group initiated connections to over 490 IP addresses hosting government infrastructure.

While specific reconnaissance targets in the US were not disclosed, Renals noted that "more broadly across the board, we saw the actor routinely focus on ministries of finance, economy, defense, foreign affairs and commerce."

Attack Methods

The cyberspies employ multiple techniques to gain initial access:

  • Phishing emails with geopolitical lures
  • Exploitation of known vulnerabilities in Microsoft Exchange, SAP, and Atlassian products
  • Use of malicious files hosted on cloud storage services

In February 2025, Unit 42 spotted phishing campaigns targeting European governments using lures related to ministry or department reorganization. One Estonian government entity observed this campaign and uploaded a related ZIP archive to VirusTotal's malware repository. The Estonian filename translates to "Changes to the organizational structure of the Police and Border Guard Board."

The archive contained a malware loader named "DiaoYu.exe," which translates to "fishing" - or phishing in this context. Notably, while most loaders check for dozens of antivirus products, this one only checks for five: Kaspersky, Avira, Bitdefender, SentinelOne, and Symantec. This minimal code footprint could help the malware avoid detection by security filters.

ShadowGuard Rootkit

Perhaps most concerning is the discovery of a new Linux kernel rootkit called ShadowGuard, believed to be unique to this nation-state group. This stealthy Extended Berkeley Packet Filter (eBPF) backdoor operates at the kernel level, hiding process information, directories, and files. This makes it extremely difficult to detect and represents a significant advancement in espionage capabilities.
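
The process hiding described above can be cross-checked from user space. The following is an added defender's example, not code from the page or from Unit 42, and it assumes a Linux host and nothing specific about ShadowGuard's hooks: it lists /proc the normal way, probes every PID with kill(pid, 0), which never consults the directory listing, and reports ids that answer the probe but never appear in the listing.

```python
import os


def visible_pids():
    """PIDs returned by a plain directory listing of /proc, the getdents path a rootkit filters."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status, or None if the entry cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def probed_pids(pid_max):
    """Ids that answer kill(pid, 0). kill() also answers for thread ids, so ids whose
    Tgid points at another process are dropped; an id that answers but whose /proc
    entry cannot be read at all is kept, since that is itself a discrepancy."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            alive.add(pid)
    return alive


def hidden_pids(before, probed, after):
    """Pure comparison: ids alive per kill() but absent from both /proc listings taken
    around the probe, which filters out processes that merely started or exited meanwhile."""
    return sorted(pid for pid in probed if pid not in before and pid not in after)


def scan(pid_max=None):
    """Run the cross-check on this host; an empty list means no discrepancy was found."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    before = visible_pids()
    probed = probed_pids(pid_max)
    return hidden_pids(before, probed, visible_pids())


if __name__ == "__main__":
    found = scan()
    print("hidden processes:", found if found else "none")
```

A rootkit that filters both the directory listing and the kill() path slips past this check, so pair it with an inventory of loaded eBPF programs (for example `bpftool prog list`) and alerting on unexpected bpf() syscalls.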

Geopolitical Targeting

The group demonstrates sophisticated awareness of geopolitical events, using them to craft targeted campaigns:

  • During the US government shutdown that began in October 2025, the spies scanned government infrastructure across North, Central, and South America
  • Following Czech President Petr Pavel's private meeting with the Dalai Lama in August 2025, the group began scanning Czech infrastructure across the army, police, parliament, and ministries of interior, finance, and foreign affairs
  • After the January 3 capture of Venezuelan President Nicolás Maduro and his wife by American military forces, the spies conducted "extensive reconnaissance activities targeting at least 140 government-owned IP addresses"

Official Response

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed awareness of the hacking group identified as TGR-STA-1030. "We are working with our government, industry, and international partners to rapidly detect and mitigate any exploitation of the vulnerabilities identified in the report," a CISA spokesperson told The Register.

The FBI did not respond to requests for comment.

Ongoing Threat

Unit 42 researchers emphasize that this new nation-state group "remains an active threat to government and critical infrastructure worldwide." The combination of sophisticated malware, geopolitical awareness, and persistent access to sensitive systems presents a significant challenge for cybersecurity professionals and national security agencies.

This campaign underscores the evolving nature of state-sponsored cyber espionage and the need for robust defensive measures across government and critical infrastructure sectors worldwide.
