According to Unit 42, the Shadow Campaigns investigation tracks a new cyberespionage group named TGR-STA-1030, a state-aligned actor operating out of Asia. Over the past year this group has compromised government and critical infrastructure organisations across 37 countries, affecting at least 70 entities. The victims span ministries, departments and law-enforcement bodies, including five national-level law enforcement/border control entities and three ministries of finance.
From November to December 2025 the group conducted active reconnaissance against government infrastructure across 155 countries, and its campaigns have targeted regions with economic partnerships the group appears to be tracking. Phishing campaigns identified in February 2025 targeted European governments, including a cluster focused on European ministries, using a Diaoyu Loader malware variant that ultimately installs a Cobalt Strike payload after multi-stage execution and environment checks.
The group has also deployed a Linux kernel rootkit, ShadowGuard (SHA-256 7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d), described as providing kernel-level concealment and process/file hiding capabilities.