Cyber: Asian State-backed Group Tgr-sta-1030 Breaches 70 Government,...

A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new findings from Palo Alto Networks Unit 42.

In addition, the hacking crew has been observed conducting active reconnaissance against government infrastructure associated with 155 countries between November and December 2025. Some of the entities that have been successfully compromised include five national-level law enforcement/border control entities, three ministries of finance and other government ministries, and departments that align with economic, trade, natural resources, and diplomatic functions.

The activity is being tracked by the cybersecurity company under the moniker TGR-STA-1030, where "TGR" stands for temporary threat group and "STA" refers to state-backed motivation. Evidence shows that the threat actor has been active since January 2024.

While the hackers' country of origin remains unclear, they are assessed to be of Asian origin, given the use of regional tooling and services, language setting preferences, targeting that's consistent with events and intelligence of interest to the region, and its GMT+8 operating hours.

Attack chains have been found to leverage phishing emails as a starting point to trick recipients into clicking on a link pointing to New Zealand-based file hosting service MEGA. The link hosts a ZIP archive that contains an executable dubbed Diaoyu Loader and a zero-byte file named "pic1.png."

"The malware employs a dual-stage execution guardrail to thwart automated sandbox analysis," Unit 42 said. "Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory."

The PNG image acts as a file-based integrity check that causes the malware artifact to terminate before unleashing its nefarious behavior in the event it's not present in the same location. It's only after this condition is satisfied that the malware checks for the presence of specific cybersecurity programs from Avira ("SentryEye.exe"), Bitdefender ("EPSecurityService.exe"), Kaspersky ("Avp.exe"), Sentinel One ("SentinelUI.exe"), and Symantec ("NortonSecurity.exe").

It's currently not known why the threat actors have opted to look for only a narrow selection of products. The end goal of the loader is t

Source: The Hacker News