A previously undocumented cyber espionage group operating from Asia is believed to have breached 70 government and critical infrastructure entities across 37 countries over the past year, according to Palo Alto Networks Unit 42. The findings also note active reconnaissance against government infrastructure across 155 countries between November and December 2025.
Among those compromised were five national-level law enforcement or border control entities, three ministries of finance, and other government departments responsible for economic, trade, natural resource, and diplomatic functions. The group, tracked under the moniker TGR-STA-1030, has been active since January 2024 and is assessed to be of Asian origin.
Attacks reportedly begin with phishing emails that link to a ZIP archive hosted on MEGA containing Diaoyu Loader. The loader performs a PNG integrity check and executes the malware only if a specific file is present and certain security tools are detected; it then fetches a Cobalt Strike payload from a GitHub repository.
Unit 42 also notes ongoing attempts to exploit various N-day vulnerabilities in products from multiple vendors to gain initial access, and that the group routinely leases command-and-control (C2) and other infrastructure from legitimate VPS providers to relay its traffic.