Article Details

Original Article Text


Asia-based government spies quietly broke into critical networks across 37 countries. And their toolkit includes a new Linux kernel rootkit.

A state-aligned cyber group in Asia compromised government and critical infrastructure organizations across 37 countries in an ongoing espionage campaign, according to security researchers. In total, the crew compromised at least 70 organizations, and maintained access to several of these for months.

"While this group might be pursuing espionage objectives, its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services," Palo Alto Networks' Unit 42 cyber sleuths said in research published on Wednesday.

Successful break-ins included five national police or border control entities, one nation's parliament, a senior elected official, and national telecommunications companies. The spies also broke into systems belonging to three ministries of finance and other government agencies.

"Palo Alto Networks Unit 42 confirmed that the threat actor successfully accessed and exfiltrated sensitive data from victim email servers," Unit 42 Director of National Security Programs Pete Renals told The Register. "This included financial negotiations and contracts, banking and account information, and critical military-related operational updates."

Renals said the cyber investigation team is not attributing the digital intrusions to a specific Asian country. Unit 42 tracks the new group as TGR-STA-1030, and said it also observed the spies conducting "active reconnaissance" against 155 governments across the Americas, Europe, Asia, and Africa between November and December 2025.

The researchers also documented a "concerted focus" on Germany in July 2025, during which the snoops initiated connections to over 490 IP addresses hosting government infrastructure. While Renals declined to provide details about specific reconnaissance targets in the US, "more broadly across the board, we saw the actor routinely focus on ministries of finance, economy, defense, foreign affairs and commerce," he said.

The FBI did not respond to our requests for comment, but the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that it is also tracking this cyber-espionage crew. "The Cybersecurity and Infrastructure Security Agency is aware of the hacking group identified as TGR-STA-1030 by Palo Alto Networks," a CISA spokesperson told The Register. "We are working with our government, industry, and international partners to rapidly detect and mitigate any exploitation of the vulnerabilities identified in the report."

The cyberspies use phishing emails and known vulnerabilities in Microsoft Exchange, SAP, and Atlassian products to gain initial access to victim organizations. In February 2025, Unit 42 spotted phishing campaigns targeting European governments and using lures related to ministry or department reorganization that included links to malicious files hosted on mega[.]nz. The threat hunters note that one Estonian government entity also observed this campaign and uploaded a related ZIP archive to VirusTotal's malware repository.

The Estonian filename translates to "Changes to the organizational structure of the Police and Border Guard Board." Unit 42 analyzed the archive's contents and found it contained a malware loader with the original name "DiaoYu.exe." This translates to fishing - or phishing in this context. While most loaders check for dozens of antivirus products, this one only checks for five: Kaspersky, Avira, Bitdefender, SentinelOne, and Symantec. This gives the malware a minimal code footprint and could be a means to help it avoid being detected by security filters.

The investigation also uncovered a new Linux kernel rootkit called ShadowGuard, believed to be unique to this particular nation-state group. It's a stealthy Extended Berkeley Packet Filter (eBPF) backdoor that hides process information, directories, and files at the kernel level, which makes it very difficult to detect.

TGR-STA-1030 also used real-world geopolitical events in its campaigns, including the US government shutdown that began in October 2025 - during which Unit 42 observed the spies scanning government infrastructure across North, Central, and South America. In another case, the researchers say, in August 2025 Czech President Petr Pavel privately met with the Dalai Lama during a trip to India, and in the following weeks the snoop crew began scanning Czech infrastructure across the army, police, parliament, and ministries of interior, finance, and foreign affairs. Additionally, soon after January 3, when an American military operation captured Venezuelan President Nicolás Maduro and his wife, the snoops conducted "extensive reconnaissance activities targeting at least 140 government-owned IP addresses," according to Unit 42.

This new nation-state group "remains an active threat to government and critical infrastructure worldwide," the researchers said.
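The article names the symptom of ShadowGuard (processes hidden at the kernel level) but not its mechanism, so the following is an added defender-side check, not Unit 42's tooling or anything from the rootkit itself. It assumes a Linux host and that hiding is done by filtering directory listings of /proc, the common eBPF rootkit approach; it therefore cross-checks the listing against a direct kill(pid, 0) probe and a direct read of /proc/<pid>/status, which take different kernel paths.

```python
import os

def pids_from_proc():
    """PIDs visible by listing /proc; the listing goes through getdents64."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def answers_probe(pid):
    """Probe a PID with signal 0 (nothing is delivered). ESRCH means no such
    task; EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def status_kind(pid):
    """'leader' if /proc/<pid>/status reports Tgid == pid, 'thread' if it is a
    thread ID (threads answer kill(tid, 0) but are never listed in /proc),
    'unreadable' if the status file cannot be opened."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return "leader" if int(line.split()[1]) == pid else "thread"
    except OSError:
        return "unreadable"
    return "unreadable"

def hidden_pids(listed, probed, relist=pids_from_proc,
                probe=answers_probe, kind=status_kind):
    """PIDs that answer a probe but are absent from both the first and a fresh
    /proc listing. Re-probing drops processes that exited in between; thread
    IDs are dropped because they are legitimately unlisted."""
    candidates = sorted(probed - listed)
    if not candidates:
        return []
    fresh = relist()
    return [p for p in candidates
            if p not in fresh and probe(p) and kind(p) != "thread"]

def scan(pid_max=None):
    """Live scan of the local host; pid_max defaults to the kernel's setting."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    listed = pids_from_proc()
    probed = {p for p in range(1, pid_max + 1) if answers_probe(p)}
    return hidden_pids(listed, probed)
```

Run `scan()` as root to cover every PID; a non-empty result is a lead for a kernel-level hook, not proof, and a rootkit that also filters path lookups will surface as "unreadable" rather than "leader".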

Daily Brief Summary

NATION STATE ACTIVITY // Asian Cyber Group Targets Global Governments with Advanced Espionage Tools

An Asian state-aligned cyber group infiltrated networks in 37 countries, targeting government and critical infrastructure organizations in an extensive espionage campaign.

The group, tracked as TGR-STA-1030, compromised at least 70 organizations, maintaining prolonged access to sensitive systems and data.

Key targets included national police, parliaments, telecommunications, and finance ministries, with data exfiltration involving financial and military information.

The group employs phishing emails and exploits known vulnerabilities in Microsoft Exchange, SAP, and Atlassian products to gain initial access.

A newly discovered Linux kernel rootkit, ShadowGuard, facilitates stealthy operations by hiding process information at the kernel level.

The Cybersecurity and Infrastructure Security Agency (CISA) and international partners are actively working to detect and mitigate the threats posed by this group.

TGR-STA-1030 uses geopolitical events for timing attacks, with notable campaigns against Germany and the Czech Republic, exploiting global political tensions.

The ongoing threat from this group underscores the need for enhanced cybersecurity measures and international collaboration to protect critical infrastructure.