Full Report
A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new findings from Palo Alto Networks Unit 42. In addition, the hacking crew has been observed conducting active reconnaissance against government infrastructure associated with 155
Analysis Summary
# Threat Actor: TGR-STA-1030
## Attribution & Identity
**Identification:** Previously undocumented cyber espionage group, tracked by Palo Alto Networks Unit 42 under the moniker **TGR-STA-1030** ("TGR" for temporary threat group, "STA" for state-backed motivation).
**Origin/Affiliation:** Assessed to be of **Asian origin**. Attribution remains unclear, but supporting evidence includes use of regional tooling/services, language setting preferences, and operating hours consistent with GMT+8.
**Known Aliases/Associated Groups:** None explicitly mentioned, though the research originates from Palo Alto Networks Unit 42 findings.
## Activity Summary
**Historical Activities:** Active since at least January 2024.
**Recent Campaigns:** Over the past year (leading up to the report), the group successfully breached the networks of at least **70 government and critical infrastructure organizations** across 37 countries. Additionally, between November and December 2025, the group conducted active reconnaissance against government infrastructure associated with 155 countries.
**Motivation/Objectives:** Cyber espionage, implied by the state-backed designation and targeting profile.
## Tactics, Techniques & Procedures
* **Initial Access (Phishing):** Leveraged phishing emails directing recipients to a New Zealand-based file hosting service (MEGA) containing a ZIP archive.
* **Initial Access (Exploitation):** Attempted to exploit various **N-day vulnerabilities** impacting software from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou Email System. No zero-day exploitation observed.
* **Execution Guardrails (Anti-Analysis):** The primary malware, **Diaoyu Loader**, employed dual-stage execution guardrails:
1. Hardware check for screen resolution $\ge$ 1440.
2. Environmental check for the presence of a specific zero-byte file ("pic1.png") in the execution directory, which acts as a file-based integrity check.
3. Checks for the presence of specific endpoint security products (Avira, Bitdefender, Kaspersky, SentinelOne, Symantec).
* **Staging/Payload Delivery:** After bypassing checks, the loader downloads three image files ("admin-bar-sprite.png," "Linux.jpg," and "Windows.jpg") from a specific, now-removed GitHub repository (`github[.]com/padeqav`) to deploy a Cobalt Strike payload.
* **Post-Exploitation:** Use of C2 frameworks, web shells, and tunneling utilities.
## Targeting
* **Sectors:** Government and Critical Infrastructure. Specific compromised entities include five national-level law enforcement/border control entities, three ministries of finance, and various departments related to economic, trade, natural resources, and diplomatic functions.
* **Geography:** Compromised organizations across **37 countries**. Active reconnaissance observed against infrastructure in **155 countries**.
* **Victims:** At least 70 government and critical infrastructure organizations (specific names not detailed in the summary).
## Tools & Infrastructure
* **Malware/Loaders:** Diaoyu Loader.
* **C2 Frameworks:** Cobalt Strike, VShell, Havoc, Sliver, SparkRAT.
* **Web Shells:** Behinder, neo-ReGeorg, Godzilla.
* **Tunnelers:** GO Simple Tunnel (GOST), Fast Reverse Proxy.
* **Infrastructure:** Used a New Zealand-based file hosting service (MEGA) for initial access staging. Deployed payloads via image files downloaded from a GitHub repository (`github[.]com/padeqav`).
## Implications
TGR-STA-1030 represents a persistent, state-backed threat actor focusing on high-value government and critical infrastructure targets globally. Its use of anti-analysis techniques within the loader stage suggests a mature operational security posture designed to evade automated detection. The consistent targeting across diplomatic, economic, and security sectors indicates intelligence gathering aligned with national strategic interests.
## Mitigations
* Enhance email security defenses against links pointing to public cloud/file-hosting services (like MEGA).
* Maintain proactive patching cycles, especially for publicly exposed software from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou Email System, to defend against N-day exploitation.
* Implement strict host-based security monitoring to detect suspicious execution chains involving the checks used by Diaoyu Loader (screen resolution checks, integrity file checks, presence of specific AV processes).
* Monitor for indicators related to the deployment of loaders that retrieve payloads covertly from GitHub repositories, for example payloads hidden in image files.
* Deploy robust network detection to identify post-exploitation activity utilizing common C2 frameworks like Cobalt Strike, Havoc, and Sliver, as well as tunneling software (GOST).
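As an added defensive example (not Unit 42's code or part of the report), the following Python correlates constructed endpoint telemetry for the Diaoyu Loader chain described under Tactics, Techniques & Procedures and called out in the host-monitoring mitigation above: a zero-byte pic1.png read from the executable's own directory, enumeration of the named security products, and a non-browser image-file fetch from GitHub. The event schema, vendor keywords, browser allowlist and repository path are assumptions.

```python
"""Correlate constructed endpoint telemetry for the Diaoyu Loader staging chain
(zero-byte pic1.png, AV process enumeration, image fetch from GitHub).
Added example, not Unit 42 code; event fields and keywords are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlparse
import ntpath  # sample paths are Windows-style; ntpath parses them on any OS

# Vendor keywords from the products the report names; real process names vary.
AV_KEYWORDS = ("avira", "bitdefender", "kaspersky", "sentinel", "symantec")
STAGING_HOST = "github.com"
IMAGE_EXTS = (".png", ".jpg")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist

@dataclass
class Event:
    pid: int
    image: str      # full path of the process executable
    kind: str       # "file_read" | "proc_enum" | "net_get"
    detail: str     # file path, enumerated process name, or URL
    size: int = -1  # file size in bytes for file_read events

def hits_for(events):
    """Return {pid: [reasons]} for processes showing at least two signals."""
    by_pid = {}
    for e in events:
        reasons = by_pid.setdefault(e.pid, set())
        if e.kind == "file_read":
            # Guardrail: zero-byte pic1.png sitting beside the executable.
            same_dir = ntpath.dirname(e.detail) == ntpath.dirname(e.image)
            if e.size == 0 and same_dir and ntpath.basename(e.detail).lower() == "pic1.png":
                reasons.add("zero-byte pic1.png in own directory")
        elif e.kind == "proc_enum" and any(k in e.detail.lower() for k in AV_KEYWORDS):
            reasons.add(f"enumerated AV process {e.detail}")
        elif e.kind == "net_get":
            u = urlparse(e.detail)
            is_browser = ntpath.basename(e.image).lower() in BROWSERS
            if u.hostname == STAGING_HOST and u.path.lower().endswith(IMAGE_EXTS) and not is_browser:
                reasons.add("non-browser image fetch from GitHub")
    return {pid: sorted(r) for pid, r in by_pid.items() if len(r) >= 2}

# Constructed telemetry; PIDs, paths and the repository path are placeholders.
LOADER = r"C:\Users\u\Downloads\report\update.exe"
SAMPLE = [
    Event(4242, LOADER, "file_read", r"C:\Users\u\Downloads\report\pic1.png", 0),
    Event(4242, LOADER, "proc_enum", "SentinelAgent.exe"),
    Event(4242, LOADER, "net_get", "https://github.com/EXAMPLE-REPO/raw/main/Windows.jpg"),
    Event(1337, r"C:\Program Files\Browser\chrome.exe", "net_get",
          "https://github.com/EXAMPLE-REPO/raw/main/logo.png"),  # browser fetch: benign
    Event(2001, r"C:\Windows\explorer.exe", "file_read", r"C:\Users\u\Pictures\pic1.png", 0),
]
```

Requiring two of the three signals keeps a lone GitHub image download or a stray zero-byte file from alerting on its own; `hits_for(SAMPLE)` flags only PID 4242.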