Asian Cyber Group TGR-STA-1030 Hits 70 Gov’t Entities Across 37 Nations with Sophisticated Phishing Attacks

Asian Cyber Espionage Group TGR-STA-1030 Infiltrates 70 Government and Infrastructure Entities Across 37 Nations

A previously unidentified cyber espionage group, designated TGR-STA-1030, has successfully infiltrated the networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to recent findings from Palo Alto Networks’ Unit 42. This group has also conducted reconnaissance activities targeting government infrastructures in 155 countries between November and December 2025.

Scope and Targets

The compromised entities include five national-level law enforcement and border control agencies, three ministries of finance, and various other government departments involved in economic, trade, natural resources, and diplomatic functions. The group’s activities have been traced back to January 2024.

Attribution and Origin

While the exact country of origin remains uncertain, several indicators suggest an Asian provenance:

– Regional Tools and Services: The group utilizes tools and services commonly associated with Asian cyber operations.

– Language Preferences: Settings and preferences align with languages prevalent in the region.

– Target Selection: The group’s focus corresponds with events and intelligence interests pertinent to Asia.

– Operational Hours: Activity falls within working hours in the GMT+8 time zone, aligning with standard business hours in many Asian countries.

Attack Methodology

TGR-STA-1030 employs sophisticated attack chains, primarily initiating breaches through phishing emails. These emails contain links to the New Zealand-based file hosting service MEGA, leading recipients to download a ZIP archive. This archive includes an executable known as Diaoyu Loader and a zero-byte file named pic1.png.

Evasion Techniques

The malware incorporates advanced evasion strategies to bypass automated sandbox analyses:

– Execution Guardrails: The malware checks for a horizontal screen resolution of at least 1440 pixels.

– Environmental Dependencies: It verifies the presence of the pic1.png file in its execution directory.

If either condition is not met, the malware terminates before doing anything observable, which frustrates automated sandbox analysis. Once both checks pass, it scans for specific security products from vendors such as Avira, Bitdefender, Kaspersky, SentinelOne, and Symantec. The rationale behind targeting this particular set of products remains unclear.
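As an added detection example (not part of the Unit 42 report or this article), the following Python heuristic flags a ZIP attachment that pairs a Windows executable with a zero-byte image-named file, the combination this lure relies on. The archive bytes and the filename loader.exe are constructed placeholders; only the pic1.png name comes from the report.

```python
"""Gateway heuristic: ZIP containing an executable plus a zero-byte decoy image."""
import io
import os
import zipfile

EXEC_EXT = {".exe", ".dll", ".scr", ".com"}
DECOY_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def is_pe(head: bytes) -> bool:
    """Portable Executable files begin with the 'MZ' DOS header."""
    return head[:2] == b"MZ"


def flag_loader_archive(zip_bytes: bytes) -> dict:
    """List executables and zero-byte decoys; 'suspicious' when both occur together."""
    executables, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            head = zf.open(info).read(2)  # only the header is needed for the PE check
            if is_pe(head) or ext in EXEC_EXT:
                executables.append(info.filename)
            elif info.file_size == 0 and ext in DECOY_EXT:
                decoys.append(info.filename)
    return {"executables": executables, "zero_byte_decoys": decoys,
            "suspicious": bool(executables and decoys)}


def build_sample(entries) -> bytes:
    """Build an in-memory ZIP from (name, bytes) pairs; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed lure: a fake PE stub (placeholder name) plus the zero-byte pic1.png from the report.
SAMPLE_LURE = build_sample([("loader.exe", b"MZ" + b"\0" * 62), ("pic1.png", b"")])
# Constructed benign archive: an image with real content and no executable.
SAMPLE_BENIGN = build_sample([("photo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)])
```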

Payload Deployment

Once operational, the Diaoyu Loader downloads three images—admin-bar-sprite.png, Linux.jpg, and Windows.jpg—from a GitHub repository named WordPress. These images facilitate the deployment of a Cobalt Strike payload. Notably, the associated GitHub account (github[.]com/padeqav) has been deactivated.

Exploitation of Vulnerabilities

TGR-STA-1030 has been observed attempting to exploit various N-day vulnerabilities in software products from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou Email System to gain initial access to target networks. There is no evidence indicating the group has developed or leveraged any zero-day exploits in their attacks.

Toolset and Infrastructure

The group’s arsenal includes a range of command-and-control (C2) frameworks, web shells, and tunneling utilities:

– C2 Frameworks: Cobalt Strike, VShell, Havoc, Sliver, and SparkRAT.

– Web Shells: Behinder, neo-reGeorg, and Godzilla.

– Tunnelers: GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX.

The use of these web shells is frequently linked to Chinese hacking groups. Additionally, the group employs a Linux kernel rootkit named ShadowGuard, which utilizes Extended Berkeley Packet Filter (eBPF) technology to conceal process information, intercept critical system calls, and hide specific processes from user-space analysis tools like ps. It also conceals directories and files named swsecret.

Infrastructure Management

TGR-STA-1030 routinely leases and configures its C2 servers on infrastructure owned by various legitimate and well-known Virtual Private Server (VPS) providers. To reach that C2 infrastructure, the group leases further VPS hosts and relays its traffic through them.

Persistence and Objectives

The group has managed to maintain access to several impacted entities for extended periods, indicating efforts to collect intelligence over time. Their primary targets are government ministries and departments, suggesting a focus on espionage. The group appears to prioritize countries that have established or are exploring certain economic partnerships.

Implications and Recommendations

While TGR-STA-1030’s methods and targets suggest espionage objectives, the scale and sophistication of their operations pose significant threats to national security and critical services. Organizations are advised to:

– Enhance Phishing Defenses: Implement comprehensive training programs to recognize and report phishing attempts.

– Regularly Update Systems: Ensure all software and systems are up-to-date to mitigate the risk of N-day vulnerabilities.

– Monitor Network Traffic: Establish robust monitoring to detect unusual activities, especially those involving known VPS providers.

– Deploy Advanced Threat Detection: Utilize advanced threat detection systems capable of identifying sophisticated malware and evasion techniques.

By adopting these measures, organizations can bolster their defenses against advanced persistent threats like TGR-STA-1030.