A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new findings from Palo Alto Networks Unit 42.
In addition, the hacking crew has been observed conducting active reconnaissance against government infrastructure associated with 155 countries between November and December 2025. Some of the entities that have been successfully compromised include five national-level law enforcement/border control entities, three ministries of finance and other government ministries, and departments that align with economic, trade, natural resources, and diplomatic functions.
The activity is being tracked by the cybersecurity company under the moniker TGR-STA-1030, where “TGR” stands for temporary threat group and “STA” refers to state-backed motivation. Evidence shows that the threat actor has been active since January 2024.
While the hackers’ country of origin remains unclear, they are assessed to be of Asian origin, given the use of regional tooling and services, language setting preferences, targeting that’s consistent with events and intelligence of interest to the region, and its GMT+8 operating hours.
Pete Renals, director of National Security Programs for Unit 42 at Palo Alto Networks, told The Hacker News over email that “the threat actor successfully accessed and exfiltrated sensitive data from victim email servers.” The siphoned information included financial negotiations and contracts, banking and account information, and critical military-related operational updates.
Attack chains have been found to leverage phishing emails as a starting point to trick recipients into clicking on a link pointing to New Zealand-based file hosting service MEGA. The link hosts a ZIP archive that contains an executable dubbed Diaoyu Loader and a zero-byte file named “pic1.png.”
“The malware employs a dual-stage execution guardrail to thwart automated sandbox analysis,” Unit 42 said. “Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory.”
The PNG image acts as a file-based integrity check that causes the malware artifact to terminate before unleashing its nefarious behavior in the event it’s not present in the same location. It’s only after this condition is satisfied that the malware checks for the presence of specific cybersecurity programs from Avira (“SentryEye.exe”), Bitdefender (“EPSecurityService.exe”), Kaspersky (“Avp.exe”), Sentinel One (“SentinelUI.exe”), and Symantec (“NortonSecurity.exe”).
 |
| Countries targeted by TGR-STA-1030 reconnaissance between November and December 2025 |
It’s currently not known why the threat actors have opted to look for only a narrow selection of products. The end goal of the loader is to download three images (“admin-bar-sprite.png,” “Linux.jpg,” and “Windows.jpg”) from a GitHub repository named “WordPress,” which serve as a conduit for the deployment of a Cobalt Strike payload. The associated GitHub account (“github[.]com/padeqav”) is no longer available.
TGR-STA-1030 has also been observed attempting to exploit various kinds of N-day vulnerabilities impacting a large number of software products from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou Email System to gain initial access to target networks. There is no evidence indicating the group has developed or leveraged any zero-day exploit in their attacks.
Among the tools put to use by the threat actor are command-and-control (C2) frameworks, web shells, and tunneling utilities –
It’s worth noting that the use of the aforementioned web shells is frequently linked to Chinese hacking groups. Another tool of note is a Linux kernel rootkit codenamed ShadowGuard that utilizes the Extended Berkeley Packet Filter (eBPF) technology to conceal process information details, intercept critical system calls to hide specific processes from user-space analysis tools like ps, and conceal directories and files named “swsecret.”
“The group routinely leases and configures its C2 servers on infrastructure owned by a variety of legitimate and commonly known VPS providers,” Unit 42 said. “To connect to the C2 infrastructure, the group leases additional VPS infrastructure that it uses to relay traffic through.”
The cybersecurity vendor said the adversary managed to maintain access to several of the impacted entities for months, indicating efforts to collect intelligence over extended periods of time.
“TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide. The group primarily targets government ministries and departments for espionage purposes,” it concluded. “We assess that it prioritizes efforts against countries that have established or are exploring certain economic partnerships.”
“While this group might be pursuing espionage objectives, its methods, targets, and scale of operations are alarming, with potential long-term consequences for national security and key services.”
