
New research from Palo Alto Networks Unit 42 reveals that a previously undocumented cyber espionage group based in Asia has infiltrated the networks of at least 70 governments and critical infrastructure organizations in 37 countries over the past year.
In addition, the group was observed conducting active reconnaissance against government infrastructure in 155 countries between November and December 2025. The organizations it successfully compromised include five national law enforcement and border control agencies, three ministries of finance, and other government ministries and departments responsible for economics, trade, natural resources, and foreign affairs.
Unit 42 tracks the activity under the designation TGR-STA-1030, where "TGR" denotes a temporary threat group and "STA" a state-sponsored motivation. Evidence suggests the actor has been active since January 2024.
The hackers' country of origin remains unknown, but Unit 42 assesses that they are based in Asia, citing their use of regional tools and services, their language preferences, targeting that aligns with events and information of interest in the region, and working hours consistent with GMT+8.
The attack chain begins with a phishing email that lures the recipient into clicking a link to the New Zealand-based file hosting service MEGA. The link serves a ZIP archive containing an executable called Diaoyu Loader and a zero-byte file named "pic1.png".
“The malware employs two-step execution guardrails to thwart automated sandbox analysis,” Unit 42 said. “Beyond the hardware requirement for a horizontal screen resolution of 1440 or higher, the sample performs an environment dependency check for a specific file (pic1.png) in the execution directory.”
The empty PNG acts as a file-based environment check: if it is not co-located with the loader, the malware terminates before any malicious behavior begins. Only when this condition is met does the malware check for the presence of certain security products: Avira ('SentryEye.exe'), Bitdefender ('EPSecurityService.exe'), Kaspersky ('Avp.exe'), SentinelOne ('SentinelUI.exe'), and Symantec ('NortonSecurity.exe').
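The archive layout described above (a Windows executable shipped next to a zero-byte "image" that the loader requires at run time) is a pattern a triage pipeline can flag before detonation. The following is an added example, not code from Unit 42 or from the report: it inspects a ZIP blob, identifies PE files by their MZ header, lists empty members, and marks the archive suspicious when both are present. The archives it builds are constructed inline for the demo; "loader.exe" and "notes.txt" are assumed names.

```python
"""Flag ZIP archives that pair a PE executable with a zero-byte companion file.

Added illustration of the Diaoyu Loader archive pattern; the sample archives
are constructed here and do not contain real malware.
"""
import io
import zipfile

PE_MAGIC = b"MZ"
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def triage_zip(data: bytes) -> dict:
    """Summarise executables and empty members found in a ZIP blob.

    An empty file with an image extension is reported separately because a
    zero-byte "image" cannot be a picture; it is far more likely a marker the
    dropped executable checks for before running.
    """
    members, executables, empty_files, empty_images = [], [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members.append(info.filename)
            if info.file_size == 0:
                empty_files.append(info.filename)
                if info.filename.lower().endswith(IMAGE_EXTENSIONS):
                    empty_images.append(info.filename)
                continue
            # Read only the DOS header magic; no need to inflate the whole member.
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    executables.append(info.filename)
    return {
        "members": members,
        "executables": executables,
        "empty_files": empty_files,
        "empty_images": empty_images,
        # Executable plus empty companion is the guardrail layout described in the report.
        "suspicious": bool(executables) and bool(empty_files),
    }


def build_sample_archive() -> bytes:
    """Constructed stand-in for the phishing ZIP: a fake PE plus an empty pic1.png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Only the MZ magic matters for the check; the body is filler, not a real PE.
        zf.writestr("loader.exe", PE_MAGIC + b"\x00" * 62 + b"constructed filler, not a PE")
        zf.writestr("pic1.png", b"")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a real-looking PNG header and a text note, no PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pic1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("notes.txt", b"quarterly figures attached")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, triage_zip(blob))
```

The heuristic is deliberately narrow: it does not try to judge the executable itself, only the packaging. In a sandbox, the same finding tells the operator to keep the archive's directory layout intact (and, per the report, to present a screen width of at least 1440) so the guardrails are satisfied and the loader proceeds to its next stage.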
[Figure: Countries targeted by TGR-STA-1030 reconnaissance, November to December 2025]
It is unclear why the attackers check for only this limited set of products. The loader's final goal is to download three image files ('admin-bar-sprite.png', 'Linux.jpg', and 'Windows.jpg') from a GitHub repository named 'WordPress'; the images serve as carriers for Cobalt Strike payloads. The associated GitHub account ("github[.]com/padeqav") is no longer available.
TGR-STA-1030 has also attempted to gain initial access to target networks by exploiting N-day vulnerabilities in products from Microsoft, SAP, Atlassian, Ruijie Networks, Commvault, and the Eyou Email System. There is no evidence that the group developed or used zero-day exploits in its attacks.
The group's toolset includes command-and-control (C2) frameworks, web shells, and tunneling utilities. Notably, the web shells it uses are frequently associated with Chinese hacking groups.
Another notable tool is a Linux kernel rootkit codenamed ShadowGuard. It uses extended Berkeley Packet Filter (eBPF) programs to intercept sensitive system calls: it hides specific processes from user-space analysis tools such as ps, strips detailed process information, and hides directories and files named "swsecret". Because the hiding is done from eBPF rather than by loading a kernel module, checks that only look for unexpected modules will miss it; enumerating loaded BPF programs (for example with bpftool) and cross-checking what /proc lists against what the kernel answers for individual PIDs is the more reliable test.
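A rootkit that filters directory listings to hide a process removes the /proc/<pid> entry that ps walks, but a direct probe of that PID (signal 0 via kill) still answers unless the kill path is hooked as well; the same logic applies to a hidden file name, which stat will still find even when it is missing from the listing. The following added example (not from the Unit 42 report and not ShadowGuard's code) implements that cross-check on Linux. It takes two snapshots of /proc around the probe sweep so that processes that simply exited in between are not reported as hidden; "swsecret" is the name the report gives, while the temporary file it creates for its own self-check is an assumption.

```python
"""Cross-check /proc listings against direct PID and file-name probes.

Added example for detecting listing-based hiding (the technique attributed to
ShadowGuard). Linux only; run as root for full coverage.
"""
import os
import tempfile
from typing import Optional, Set


def listed_pids() -> Set[int]:
    """PIDs visible through a directory listing of /proc (what ps relies on)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_alive(pid: int) -> bool:
    """Probe a PID with signal 0. EPERM still means the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """PIDs that answer a probe but never appeared in the listing."""
    return probed - listed


def find_hidden_pids(limit: Optional[int] = None) -> Set[int]:
    """Sweep PIDs 1..limit (default: kernel pid_max) and report listing gaps.

    Two listings bracket the sweep so a process that exits or starts during
    the sweep is not mistaken for a hidden one; survivors are re-probed once.
    """
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            limit = int(fh.read())
    before = listed_pids()
    alive = {pid for pid in range(1, limit + 1) if pid_alive(pid)}
    after = listed_pids()
    candidates = hidden_pids(before | after, alive)
    # Confirm: still answering the probe and still absent from a fresh listing.
    return {pid for pid in candidates if pid_alive(pid) and pid not in listed_pids()}


def name_hidden_in_listing(directory: str, name: str) -> bool:
    """True when stat() finds the name but the directory listing omits it."""
    try:
        os.stat(os.path.join(directory, name))
    except FileNotFoundError:
        return False
    return name not in os.listdir(directory)


def self_check_file_visibility() -> bool:
    """Create a throwaway file and confirm it is NOT reported hidden on a clean host."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = "swsecret"  # the name the report says ShadowGuard hides
        with open(os.path.join(tmp, marker), "w") as fh:
            fh.write("constructed marker\n")
        return name_hidden_in_listing(tmp, marker)


if __name__ == "__main__":
    print("hidden PIDs:", sorted(find_hidden_pids()))
    print("swsecret hidden in temp dir:", self_check_file_visibility())
    for path in ("/tmp", "/var/tmp", "/dev/shm"):
        if os.path.isdir(path):
            print(path, "swsecret hidden:", name_hidden_in_listing(path, "swsecret"))
```

Two caveats when reading the output. A /proc mounted with hidepid=2 hides other users' entries from non-root listings while kill(pid, 0) still returns EPERM, so run the sweep as root or expect false positives. And a rootkit that hooks the kill syscall as well as getdents64 will defeat this probe; at that point the independent evidence is the list of loaded BPF programs, which the rootkit cannot remove from the kernel's own bookkeeping without unloading itself.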
“The group regularly leases and configures C2 servers on infrastructure owned by a variety of legitimate and commonly known VPS providers,” Unit 42 said. “To connect to the C2 infrastructure, the group leases additional VPS infrastructure that is used to relay traffic.”
Unit 42 said the attackers were able to maintain access to some of the affected entities for several months, indicating that they were collecting information over an extended period.
“TGR-STA-1030 remains an active threat to governments and critical infrastructure around the world. The group primarily targets government ministries and departments for espionage purposes,” Unit 42 said. “We assess that the group is prioritizing countries that have established or are seeking specific economic partnerships.”
“While this group may be pursuing espionage objectives, its methods, targets, and scale of operations are alarming and could have long-term implications for national security and key services.”
