Large-Scale Government Espionage Campaign Uncovered
A previously undocumented cyber espionage group operating from Asia has breached networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to findings from Palo Alto Networks Unit 42.
The threat actor, tracked as TGR-STA-1030 (where "TGR" stands for temporary threat group and "STA" denotes state-backed motivation), has been active since January 2024. The group was also observed conducting reconnaissance against government infrastructure associated with 155 countries between November and December 2025.
High-Value Targets Compromised
Successfully compromised entities include:
- Five national-level law enforcement and border control agencies
- Three ministries of finance
- Multiple government departments aligned with economic, trade, natural resources, and diplomatic functions
Attribution and Operations
While the exact country of origin remains unclear, assessments indicate Asian origin based on:
- Regional tooling and services usage
- Language setting preferences
- Targeting patterns consistent with regional interests and intelligence priorities
- GMT+8 operating hours
Pete Renals, director of National Security Programs for Unit 42, confirmed that the threat actor successfully accessed and exfiltrated sensitive data from victim email servers, including financial negotiations, contracts, banking information, and military operational updates.
Attack Methodology
Initial access relies on phishing emails that direct recipients to malicious ZIP archives hosted on the New Zealand-based file hosting service MEGA. The archives contain the Diaoyu Loader executable together with its integrity-check files.
The loader uses two-stage execution guardrails to evade sandbox analysis: a screen resolution check (1440 pixels horizontally) and file-based integrity verification. It also checks for specific security products, including Avira, Bitdefender, Kaspersky, SentinelOne, and Symantec, before deploying Cobalt Strike payloads.
Known Exploitation Tactics
TGR-STA-1030 exploits N-day vulnerabilities in software from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou Email System. No evidence indicates development or deployment of zero-day exploits.
C2 frameworks and tools employed:
- Cobalt Strike, VShell, Havoc, Sliver, and SparkRAT
- Web shells including Behinder, neo-reGeorg, and Godzilla
- Tunneling utilities: GOST, FRPS, and IOX
- Linux kernel rootkit ShadowGuard utilizing eBPF technology for process concealment
Extended Network Access
TGR-STA-1030 routinely leases and configures C2 servers on legitimate VPS provider infrastructure, using additional VPS infrastructure for traffic relaying. The group maintained access to several victim entities for months, indicating coordinated intelligence collection campaigns.
Threat Landscape Implications
Unit 42 assessed that TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide, prioritizing targets among countries establishing or exploring specific economic partnerships. The group's methods, targeting scope, and operational scale present significant implications for national security and critical service protection globally.
Source: The Hacker News