**Asia-based Government Spies Quietly Broke into Critical Networks Across 37 Countries**

A chilling exposé by Palo Alto Networks' Unit 42 has revealed that a state-aligned cyber group in Asia, identified as TGR-STA-1030, has compromised government and critical infrastructure organizations across 37 countries. The scope of the espionage campaign is staggering: at least 70 organizations were breached, and in several cases the intruders maintained access for months.

The group's toolkit includes a new Linux kernel rootkit called ShadowGuard, which is believed to be unique to this particular nation-state group. This stealthy Extended Berkeley Packet Filter (eBPF) backdoor hides process information, directories, and files at the kernel level, making it extremely difficult to detect.
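Kernel-level hiding of this kind is usually detected by comparing two views of the same data. The following Python script is an added example, not Unit 42's tooling or anything from the report: it compares the PIDs that a /proc directory listing reports against the PIDs reachable by direct path lookup, a classic hidden-process check. The 32768 PID ceiling and the /proc root are assumptions.

```python
import os

# A rootkit that filters directory listings (e.g. by tampering with the results
# of getdents from the kernel side) makes a PID vanish from `ls /proc`, but a
# direct lookup such as os.stat("/proc/<pid>") usually still succeeds. Any PID
# reachable directly yet absent from the listing deserves a closer look.

def hidden_pids(listed, reachable):
    """Pure comparison: PIDs reachable directly but missing from the listing."""
    return set(reachable) - set(listed)

def list_pids(proc_root="/proc"):
    """PIDs as a normal directory listing reports them (the view a rootkit filters)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def probe_pids(max_pid, proc_root="/proc"):
    """PIDs found by stat'ing /proc/<n> one by one, bypassing the listing."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc_root, str(pid)))
            found.add(pid)
        except OSError:
            continue
    return found

def find_hidden_processes(max_pid=32768, proc_root="/proc"):
    """Probe, then list, then re-confirm each candidate so that processes which
    simply exited between the two snapshots (a normal race) are not reported."""
    candidates = hidden_pids(list_pids(proc_root), probe_pids(max_pid, proc_root))
    confirmed = set()
    for pid in candidates:
        still_there = os.path.exists(os.path.join(proc_root, str(pid)))
        if still_there and pid not in list_pids(proc_root):
            confirmed.add(pid)
    return confirmed

if __name__ == "__main__":
    # max_pid=32768 is an assumed ceiling; raise it to /proc/sys/kernel/pid_max
    # on hosts that use the full PID range.
    hidden = find_hidden_processes()
    if hidden:
        print("PIDs reachable but missing from the /proc listing:", sorted(hidden))
    else:
        print("no hidden PIDs found (checked up to pid 32768)")
```

A clean result is not proof of absence, since a rootkit can also intercept direct lookups, so pair this check with an inventory of loaded eBPF programs (for example `bpftool prog list`) and auditing of bpf() calls.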

**Alarming Scale of Operations**

The cyber investigation team has confirmed that the threat actor successfully accessed and exfiltrated sensitive data from victim email servers. This included financial negotiations and contracts, banking and account information, and critical military-related operational updates.

Unit 42 Director of National Security Programs Pete Renals told The Register that while this group might be pursuing espionage objectives, its methods, targets, and scale of operations are alarming, with potential long-term consequences for national security and key services.

**Targets Across the Globe**

Successful break-ins included five national police or border control entities, one nation's parliament, a senior elected official, and national telecommunications companies. The spies also broke into systems belonging to three ministries of finance and other government agencies.

The researchers observed the snoops conducting "active reconnaissance" against 155 governments across the Americas, Europe, Asia, and Africa between November and December 2025. A concerted focus on Germany in July 2025 saw the snoop crew initiate connections to over 490 IP addresses hosting government infrastructure.

**US Government Aware of the Threat**

While Renals declined to provide details about specific reconnaissance targets in the US, "more broadly across the board, we saw the actor routinely focus on ministries of finance, economy, defense, foreign affairs, and commerce," he said.

The FBI did not respond to our requests for comment. However, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that it is also tracking this cyber-espionage crew.

**Tactics and Techniques**

The cyberspies use phishing emails and known vulnerabilities in Microsoft Exchange, SAP, and Atlassian products to gain initial access to victim organizations. In February 2025, Unit 42 spotted phishing campaigns targeting European governments using lures related to ministry or department reorganization that included links to malicious files hosted on mega[.]nz.

The investigation also uncovered a malware loader with the original name "DiaoYu.exe," which translates to fishing (or phishing, in this context). The loader checks for only five antivirus products: Kaspersky, Avira, Bitdefender, SentinelOne, and Symantec, which keeps the malware's code footprint minimal and helps it avoid detection.

**Real-World Geopolitics**

The researchers say that TGR-STA-1030 also used real-world geopolitical events in its campaigns. For example, during the US government shutdown that began in October 2025, Unit 42 observed the spies scanning government infrastructure across North, Central, and South America.

Additionally, soon after January 3, when an American military operation captured Venezuelan President Nicolás Maduro and his wife, the snoops conducted "extensive reconnaissance activities targeting at least 140 government-owned IP addresses."

**Conclusion**

The cyber-espionage crew identified as TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide. The investigation highlights the need for governments and organizations to remain vigilant against nation-state threats, which are increasingly using sophisticated tactics and techniques to evade detection.

As Renals noted, "This group might be pursuing espionage objectives, but its methods, targets, and scale of operations are alarming, with potential long-term consequences for national security and key services."

**Sources:**

* Palo Alto Networks Unit 42
* The Register