A previously undocumented, Asia-linked cyber-espionage group has breached at least 70 government and critical infrastructure organizations across 37 countries, according to new research from Palo Alto Networks Unit 42. The activity, tracked as TGR-STA-1030, has been ongoing since January 2024 and includes reconnaissance targeting government infrastructure in 155 countries during late 2025.

Investigators say the group focuses heavily on national-level government entities, including law enforcement, border control agencies, finance ministries, and departments tied to trade, diplomacy, and natural resources. While the operators' exact origin remains unconfirmed, technical indicators (tooling choices, targeting patterns, language settings, and GMT+8 working hours) point to an Asian state-backed threat actor.

Initial access is commonly achieved through phishing emails that direct victims to ZIP files hosted on MEGA. These files deploy a custom loader known as Diaoyu Loader, which uses anti-analysis checks before downloading image files from a GitHub repository to ultimately deliver a Cobalt Strike payload.
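The delivery chain above (archive fetched from a file-sharing service, then an image fetched from a code-hosting site by the same workstation shortly afterward) is the kind of two-stage pattern a defender can correlate in web proxy logs. The following Python is an added example written for this page; it is not code from Unit 42 or from the article, and the log format, the host names (`mega.nz`, `raw.githubusercontent.com`), the file extensions and the 30-minute window are all assumptions rather than indicators from the report. It flags any client that downloads a ZIP from the sharing host and then retrieves an image from the code-hosting host within the window, ignoring image fetches that precede any archive download.

```python
"""Added example, not from the article or Unit 42: correlate proxy log lines
to flag the two-stage download pattern (ZIP from a sharing service, then an
image from a code-hosting site) from the same client within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<ISO timestamp> <client host> <URL>".
# Hosts, paths and clients are made up for illustration.
SAMPLE_LOG = """\
2025-11-03T09:12:04 ws-finance-07 https://mega.nz/file/placeholderid#key
2025-11-03T09:12:31 ws-finance-07 https://mega.nz/download/report_q3.zip
2025-11-03T09:14:10 ws-finance-07 https://raw.githubusercontent.com/example-user/assets/main/logo.png
2025-11-03T09:15:00 ws-hr-02 https://raw.githubusercontent.com/example-user/assets/main/banner.jpg
2025-11-03T10:40:00 ws-hr-02 https://mega.nz/download/holiday_photos.zip
2025-11-03T13:02:00 ws-hr-02 https://raw.githubusercontent.com/example-user/assets/main/logo.png
"""

# Assumed stage indicators. Real sharing-service URLs usually hide the file
# name, so a production rule would also look at content-type or the
# attachment name recorded by the proxy; the extension match here is a
# simplification.
STAGE1_HOSTS = {"mega.nz"}
STAGE2_HOSTS = {"raw.githubusercontent.com", "github.com"}
ARCHIVE_EXT = (".zip",)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
WINDOW = timedelta(minutes=30)  # assumed pairing window


def parse_line(line):
    """Split one log line into (timestamp, client host, url)."""
    ts, host, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), host, url


def classify(url):
    """Return 'archive', 'image' or None depending on host and extension."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    if parsed.hostname in STAGE1_HOSTS and path.endswith(ARCHIVE_EXT):
        return "archive"
    if parsed.hostname in STAGE2_HOSTS and path.endswith(IMAGE_EXT):
        return "image"
    return None


def find_chains(log_text, window=WINDOW):
    """Return (client, archive_time, image_time) for each image fetch that
    follows an archive fetch from the same client within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, url = parse_line(line)
        kind = classify(url)
        if kind:
            events[host].append((ts, kind))

    alerts = []
    for host, evs in events.items():
        evs.sort()
        pending = []  # archive download times not yet paired
        for ts, kind in evs:
            if kind == "archive":
                pending.append(ts)
                continue
            # Pair the image fetch with the most recent archive in the window.
            recent = [a for a in pending if a <= ts <= a + window]
            if recent:
                alerts.append((host, recent[-1], ts))
    return alerts


if __name__ == "__main__":
    for client, t_zip, t_img in find_chains(SAMPLE_LOG):
        print(f"{client}: ZIP at {t_zip.time()} then image at {t_img.time()}")
```

On the constructed log only `ws-finance-07` is flagged: `ws-hr-02` fetched an image before any archive, and its later archive and image are more than 30 minutes apart. Tune the window and host lists to your own environment; the point is the sequence per client, not any single URL.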

Unit 42 also observed the group exploiting known (N-day) vulnerabilities in products from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou, alongside extensive use of web shells, tunneling tools, and C2 frameworks. In several cases, attackers maintained long-term access for months, underscoring a sustained espionage campaign with potential national security implications.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news