Asia-Based Cyber Group TGR-STA-1030 Hits 70 Global Government Entities in Massive Espionage Campaign
February 5, 2026
A state-aligned cyber group based in Asia, tracked as TGR-STA-1030, has compromised at least 70 government and critical infrastructure organizations across 37 countries in an ongoing espionage campaign, with access maintained for months in some cases.
The targets span five national law enforcement or border control agencies, three ministries of finance, a national parliament, and a senior elected official, illustrating high-value governmental focus.
Over the past year, the operation has compromised 70 entities and conducted active reconnaissance against government infrastructure in 155 countries, with activity peaking in late 2025.
Global targeting shows a regional emphasis on the Americas, Europe, and Asia-Pacific, with inferred motives tied to economic and political events such as mining, trade, and geopolitical shifts.
Initial access mainly comes from sophisticated phishing delivering a malware loader that specifically checks for five security products to avoid detection.
Exploitation relies on known vulnerabilities in SAP, Spring, Microsoft Exchange, Windows, and web apps rather than zero-days, occasionally achieving remote code execution via CVEs.
The operation appears to align with geopolitical timing, potentially linked to diplomatic missions, trade talks, political unrest, and military actions.
The group operates a multi-tier C2 infrastructure, shifting from Cobalt Strike to VShell, and uses web shells (Behinder, Neo-reGeorg, Godzilla) for persistent access and lateral movement.
Domains associated with the activity include gouvn.me, dog3rj.tech, and zamstats.me, with notable targeting of Francophone and European governments; a late-2024 incident involved copying an X.509 certificate to a Tencent server for four days.
There are ongoing efforts to push actors out of networks, with monitoring of attacker responses and attempts to regain access.
The attackers pursue a focused, non-random approach, limiting scans to government infrastructure and specific targets per country to support long-term intelligence gathering.
ShadowGuard, a Linux kernel rootkit based on eBPF, enables kernel-level stealth to conceal processes/files and monitor for security products, supporting persistence.
Summary based on 7 sources
Sources

The Register • Feb 5, 2026
Asia-based government spies quietly broke into critical networks across 37 countries
ST • Feb 5, 2026
Hackers hit sensitive targets in 37 nations in vast spying plot
The Mercury News • Feb 5, 2026
Asian hackers hit sensitive targets in 37 nations in spying plot
SecurityWeek • Feb 5, 2026
Cyberspy Group Hacked Governments and Critical Infrastructure in 37 Countries