A previously undocumented cyber espionage group operating from Asia has breached at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new research from Palo Alto Networks’ Unit 42.
Victims of the activity, which Unit 42 tracks as TGR-STA-1030, include national law enforcement and border control agencies, ministries of finance, and government bodies responsible for trade, natural resources, and diplomacy. Unit 42 also observed the group conducting reconnaissance against government infrastructure linked to 155 countries between November and December 2025. Evidence suggests the threat actor has been active since at least January 2024.
While the group’s exact origin is still unknown, it is thought to be Asia-based, given the use of regional tools and services, language settings, targeting patterns aligned with regional geopolitical interests, and operations largely occurring during GMT+8 working hours.
The threat actor gains initial access through phishing emails that deliver malicious ZIP files hosted on MEGA, containing a custom loader known as Diaoyu Loader.
The loader uses several evasion techniques, including environment checks designed to defeat automated sandbox analysis and selective checks for the presence of specific security products. Once deployed, it retrieves additional payloads from a GitHub repository, ultimately installing Cobalt Strike. The group has also exploited known vulnerabilities in widely used software from vendors such as Microsoft, SAP, and Atlassian, among others, though there is no evidence of zero-day exploitation.
According to Unit 42, TGR-STA-1030 relies on an extensive toolkit of command-and-control (C&C) frameworks, web shells, tunneling utilities, and a Linux kernel rootkit dubbed ShadowGuard to maintain long-term access. In several cases, the attackers remained inside victim networks for months.