Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities
The Asian state-backed cyber espionage group TGR-STA-1030 has breached at least 70 government and critical infrastructure organizations across 37 countries since early 2024. The group uses phishing emails with links to malicious payloads hosted on legitimate file-sharing services to deploy a loader that evades sandbox detection and checks for specific antivirus products before delivering a Cobalt Strike payload. They exploit known vulnerabilities in widely used enterprise software from Microsoft, SAP, Atlassian, and others, but have not used zero-day exploits. Their toolset includes advanced web shells, tunneling utilities, and a Linux kernel rootkit leveraging eBPF to hide their presence. The group maintains long-term access to targets, focusing on ministries and departments related to finance, trade, natural resources, and diplomacy, prioritizing countries with strategic economic partnerships. This activity poses a critical threat to national security and essential services worldwide, including European organizations.
AI Analysis
Technical Summary
TGR-STA-1030 is a previously undocumented Asian state-backed cyber espionage group, active since January 2024 and identified by Palo Alto Networks Unit 42. It has compromised at least 70 government and critical infrastructure entities across 37 countries, and during late 2025 it conducted reconnaissance against infrastructure in 155 countries.

The initial access vector is a spear-phishing email linking to the New Zealand-based MEGA file-hosting service. The download is a ZIP archive containing a loader, named Diaoyu Loader, and a zero-byte PNG file. The PNG is an execution guardrail: the loader exits if the file is missing, so a sandbox that detonates the loader executable on its own, without the rest of the archive, never reaches the payload stage. The loader also checks for running antivirus processes from Avira, Bitdefender, Kaspersky, SentinelOne and Symantec and terminates if any is found; these products therefore act as an abort condition for the attacker rather than as a detection, and a host without one of them is the host on which the chain completes. If the checks pass, the loader downloads images from a GitHub repository (since removed) that serve as the conduit for a Cobalt Strike payload, which provides command and control.

In parallel, the group exploits multiple known (N-day) vulnerabilities in enterprise software from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault and Eyou Email System for initial access. No zero-day exploitation has been observed, so exposure is driven by unpatched, reachable instances of these products.

Post-exploitation tooling spans several C2 frameworks (Cobalt Strike, VShell, Havoc, Sliver, SparkRAT), web shells (Behinder, neo-reGeorg, Godzilla) and tunneling tools (GOST, FRPS, IOX). On Linux hosts the group deploys a kernel rootkit named ShadowGuard that uses eBPF to hide processes, files and directories from the listing tools defenders normally rely on, complicating detection.

C2 and traffic relay run on VPS infrastructure leased from legitimate providers. Access is maintained for months, and collection focuses on government ministries responsible for finance, trade, natural resources and diplomacy. Targeting aligns with countries engaged in, or exploring, key economic partnerships, indicating strategic geopolitical motivation.
The group's operational hours (GMT+8), regional tooling and targeting patterns point to an Asian origin, though the specific country remains unconfirmed. The scale, sophistication and persistence of TGR-STA-1030 represent a critical threat to national security and critical infrastructure globally.
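As an added example (not code from the article or from Unit 42), the following Python script triages a ZIP attachment for the bundle shape described above: an executable shipped beside a zero-byte image file. The sample archives, their file names, the extension lists and the placeholder bytes are constructed for illustration and are not published indicators for Diaoyu Loader.

```python
"""Triage a ZIP attachment for the loader-plus-empty-image bundle shape.

Added example: it builds its sample archives in memory, so it runs offline.
File names, extension lists and the sample bytes are constructed for
illustration and are not published indicators for Diaoyu Loader.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions that normally execute when a user opens them on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".lnk",
                   ".js", ".vbs", ".hta", ".bat", ".cmd"}
# Sidecar types a loader could test for as an "am I still in my bundle?" guardrail.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico"}


@dataclass
class Finding:
    executables: list = field(default_factory=list)
    empty_sidecars: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An executable packaged next to a zero-byte "image" is the shape worth
        # detonating as a whole archive, never as the extracted executable alone.
        return bool(self.executables) and bool(self.empty_sidecars)


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_archive(data: bytes) -> Finding:
    """Walk the central directory; no member is extracted or executed."""
    finding = Finding()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext in EXECUTABLE_EXTS:
                finding.executables.append(info.filename)
            elif ext in IMAGE_EXTS and info.file_size == 0:
                finding.empty_sidecars.append(info.filename)
    return finding


def build_sample_archive() -> bytes:
    """Constructed sample: an MZ-prefixed placeholder plus a zero-byte PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invitation.exe", b"MZ" + b"\x00" * 62)  # placeholder bytes, not loader code
        zf.writestr("logo.png", b"")                         # the zero-byte guardrail
        zf.writestr("agenda.txt", b"see attached")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a document and a non-empty image, no executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("chart.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        f = triage_archive(blob)
        print(f"{label}: suspicious={f.suspicious} exe={f.executables} empty={f.empty_sidecars}")
```

On a mail gateway or in a SOAR playbook, pass the raw attachment bytes to triage_archive; when suspicious is true, submit the whole archive to the sandbox so the guardrail file is present and the loader proceeds far enough to show its network behaviour.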
Potential Impact
European organizations, particularly government ministries and critical infrastructure entities working on finance, trade, natural resources and diplomacy, match the group's observed targeting. A successful intrusion means a months-long espionage foothold, exfiltration of sensitive national security material and insight into economic or diplomatic strategy; disruption of services is possible but is not what the group has been observed doing. The combination of sandbox-aware loaders, multiple C2 frameworks and an eBPF-based kernel rootkit raises the cost of detection and remediation and makes a long undetected presence more likely. Because initial access also rides on known vulnerabilities in widely deployed enterprise products from Microsoft, SAP, Atlassian, Commvault and others, any European public-sector body running unpatched internet-facing instances is exposed, including bodies supporting border control and law enforcement. The emphasis on countries with strategic economic partnerships suggests European states with significant trade or diplomatic engagement with Asia, or roles in multilateral economic initiatives, may be prioritized. Beyond direct data loss, such intrusions erode trust in digital government services and can touch the integrity of critical infrastructure sectors such as energy, transportation and communications, with knock-on effects for national security, economic stability and international relations within Europe.
Mitigation Recommendations
European organizations should implement targeted defenses beyond generic controls:
- Phishing: tune mail and web-proxy controls for links to legitimate file-sharing services such as MEGA, and include this lure in user awareness training. When detonating a suspicious archive, submit the whole archive rather than the extracted executable; the loader aborts without its zero-byte PNG sidecar, and a sandbox report on the loader alone will look clean.
- Endpoint: deploy EDR capable of flagging loader behaviours such as antivirus process enumeration, sidecar-file checks and image downloads from GitHub followed by Cobalt Strike beaconing. The loader exits when Avira, Bitdefender, Kaspersky, SentinelOne or Symantec is running, so hosts without one of those products are the ones on which the chain completes; do not mistake the check for a detection.
- Web shells and tunnels: hunt for Behinder, neo-reGeorg and Godzilla (encrypted POST bodies to recently created .jsp, .php or .aspx files, web-server processes spawning shells) and for GOST, FRPS and IOX (long-lived outbound TCP sessions from servers to VPS ranges) using network traffic analysis and anomaly detection.
- Patching: run regular vulnerability assessments and prioritise known N-day vulnerabilities in Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault and Eyou Email System products, especially on internet-facing instances, since no zero-day use has been observed.
- Linux rootkit: ShadowGuard uses eBPF, so inventory loaded BPF programs and their attachment points (bpftool prog list, bpftool link list) against a known-good baseline, audit the bpf() syscall with auditd (-a always,exit -F arch=b64 -S bpf), set kernel.unprivileged_bpf_disabled=1 as hardening, and check dmesg for the kernel's warning that a program using the bpf_probe_write_user helper was installed, which is the helper a BPF program needs to rewrite results returned to user space. Any tool run on the compromised host can itself be lied to, so corroborate with an independent view: a kernel-level EDR sensor, a forensic image, or a cross-check of directory listings against direct path lookups.
- Egress: restrict and monitor outbound connections from servers and government workstations to leased VPS ranges and other unusual destinations that could indicate C2 or traffic relay.
- Segmentation and access control: segment networks to limit lateral movement and enforce strict access controls on sensitive government and infrastructure systems.
- Intelligence sharing: collaborate with national cybersecurity agencies and share indicators related to TGR-STA-1030.
- Exercises: run incident response exercises that simulate an advanced persistent threat holding access for months, to validate detection and containment.
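The listing-versus-lookup cross-check for hidden processes, as an added example that is not from the article or from any vendor tooling. It assumes the common eBPF rootkit design in which getdents64 results are filtered (so ls /proc and ps omit the hidden PID) while a direct stat("/proc/<pid>") still resolves, because that lookup never enumerates the directory. The task table used for the offline run is constructed; the function names and the two-pass race handling are this example's own.

```python
"""Surface PIDs that a filtered /proc listing hides but a direct lookup still resolves.

Added example, not tooling from the Unit 42 report. Assumption (true of the
common eBPF rootkit design): the rootkit filters getdents64 results, which is
what `ls /proc` and `ps` rely on, but cannot stop a direct path lookup such as
stat("/proc/<pid>"), which never enumerates the directory. Data sources are
injectable so the logic runs offline on a constructed scenario; the defaults
inspect the live host (Linux, no root needed).
"""
import os
from typing import Callable, Iterable, Optional


def listed_pids_from_proc() -> set[int]:
    """PIDs as seen by enumerating /proc (the path a rootkit can filter)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pid_exists_by_lookup(pid: int) -> bool:
    """Direct lookup of /proc/<pid>; succeeds for thread IDs too (handled below)."""
    try:
        os.stat(f"/proc/{pid}")
        return True
    except FileNotFoundError:
        return False
    except PermissionError:
        return True  # the entry exists even if we may not read it


def tgid_from_status(pid: int) -> Optional[int]:
    """Thread-group leader of <pid> from /proc/<pid>/status (world-readable)."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def read_pid_max(default: int = 32768) -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return default


def find_hidden_pids(listed: Iterable[int], exists: Callable[[int], bool],
                     tgid_of: Callable[[int], Optional[int]], pid_max: int) -> list[int]:
    """Return PIDs that answer a direct lookup but are absent from the listing.

    /proc lists only thread-group leaders, so a thread whose leader is visible
    is normal and skipped; a thread whose leader is itself unlisted is reported.
    """
    seen = set(listed)
    hidden = []
    for pid in range(1, pid_max + 1):
        if pid in seen or not exists(pid):
            continue
        leader = tgid_of(pid)
        if leader is not None and leader != pid and leader in seen:
            continue
        hidden.append(pid)
    return hidden


# Constructed scenario: the true task table (pid -> tgid) and the subset a rootkit hides.
# 641 is a thread of visible 640; 1338 is a thread of hidden 1337.
TRUE_TASKS = {1: 1, 2: 2, 640: 640, 641: 640, 1337: 1337, 1338: 1337, 2048: 2048}
HIDDEN_BY_ROOTKIT = {1337, 1338}


def fake_listing() -> set[int]:
    return {p for p, t in TRUE_TASKS.items() if p == t} - HIDDEN_BY_ROOTKIT


def fake_lookup(pid: int) -> bool:
    return pid in TRUE_TASKS


def fake_tgid(pid: int) -> Optional[int]:
    return TRUE_TASKS.get(pid)


def demo() -> list[int]:
    return find_hidden_pids(fake_listing(), fake_lookup, fake_tgid, pid_max=4096)


if __name__ == "__main__":
    print("constructed scenario, hidden:", demo())  # [1337, 1338]
    if os.path.isdir("/proc"):
        # Two passes: a PID spawned between listing and lookup is a race, not a rootkit.
        first = find_hidden_pids(listed_pids_from_proc(), pid_exists_by_lookup,
                                 tgid_from_status, read_pid_max())
        second = set(find_hidden_pids(listed_pids_from_proc(), pid_exists_by_lookup,
                                      tgid_from_status, read_pid_max()))
        print("live host, hidden after two passes:", sorted(p for p in first if p in second))
```

On a live host the scan walks every PID up to pid_max (often 4194304), so expect it to take tens of seconds; run it from a known-good Python binary, and treat a confirmed hit as a reason to image the machine rather than to keep investigating on it, since a rootkit that hooks stat or modifies this process's memory with bpf_probe_write_user could blind this check as well.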
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland, Austria, Czech Republic, Hungary, Denmark, Ireland
Technical Details
- Article source: https://thehackernews.com/2026/02/asian-state-backed-group-tgr-sta-1030.html (fetched 2026-02-07T08:40:03Z, about 1,300 words)
- Threat ID: 6986fa66f9fa50a62f1ad186
- Added to database: 2/7/2026, 8:40:06 AM
- Last enriched: 2/7/2026, 8:40:51 AM
- Last updated: 2/7/2026, 8:41:55 AM