A newly discovered cyber espionage group from Asia has breached the networks of 70 government and critical infrastructure organizations across 37 countries within the last year. Detailed analysis from Unit 42 reveals the group uses specialized malware and phishing tactics to exfiltrate sensitive military, financial, and diplomatic data on a global scale.
The threat group known as TGR-STA-1030 has been active since early 2024, demonstrating a sophisticated ability to infiltrate high-level targets including national law enforcement and ministries of finance. Beyond successful breaches, the group conducted extensive reconnaissance against 155 countries in late 2025, specifically targeting departments involved in trade, natural resources, and diplomacy. While their exact location is not confirmed, researchers believe they are based in Asia due to their GMT+8 working hours, regional language preferences, and the specific alignment of their targets with Asian geopolitical interests.
The hackers initiate their attacks using phishing emails that direct victims to download a ZIP archive from a file hosting service. Inside this archive is a custom executable called Diaoyu Loader and a decoy image file. This setup serves as a clever initial step to gain a foothold in the victim's network. Once the user interacts with the archive, the group begins the process of accessing and stealing sensitive information from internal servers.
Evidence suggests that the stolen data is highly sensitive, ranging from financial contracts and banking details to critical updates regarding military operations. By targeting email servers, the group has been able to monitor private negotiations and strategic government communications. This focus on long-term intelligence gathering indicates a state-backed motivation rather than a desire for immediate financial gain through traditional cybercrime.
The Diaoyu Loader malware is designed with specific guardrails to keep it from running under automated security tools. It checks for a physical screen resolution of at least 1440 pixels and confirms the presence of a specific file in its directory before it will activate. These checks are meant to ensure the malware is running on a real workstation rather than in a virtual environment used by security researchers to analyze threats.
If these hardware and file conditions are met, the malware then scans the infected system for various popular antivirus programs. By identifying the specific security software in use, such as Bitdefender or Kaspersky, the threat actor can better navigate the network without triggering alarms. This meticulous approach to evasion and reconnaissance highlights the group's disciplined and professional nature as they continue their global espionage campaign.
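The following script is an added example, not code from Unit 42 or from the original article, covering both the delivery chain described above (a ZIP holding an executable plus a decoy image) and the anti-analysis guardrails (a minimum display resolution and a companion file beside the loader). It triages a constructed archive for that packaging pattern and then checks a sandbox detonation profile against the two guardrails, so an analyst can see why a sample stalls in a detonation VM. The archive contents, file names and profile values are constructed; the report does not say which screen axis is measured, so the 1440-pixel threshold is applied to the width here, and because the required companion file is not named, the script assumes every other archive member should be staged alongside the sample.

```python
"""Triage a phishing ZIP of the shape described in the report and check a
sandbox detonation profile against the loader's anti-analysis guardrails.
Added example with constructed inputs; not the project's or the report's code."""
import io
import zipfile
from dataclasses import dataclass

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Report: "at least 1440 pixels". Which axis is checked is not stated;
# the width is used here (assumption).
MIN_SCREEN_PIXELS = 1440


def _ext(name: str) -> str:
    """Lower-cased extension of a path inside the archive ('' if none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_archive(data: bytes) -> dict:
    """Classify archive members and flag the executable-plus-decoy pattern.

    'suspicious' is set when an executable is shipped together with an image
    file, the packaging shape the report describes for Diaoyu Loader."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    executables = [m for m in members if _ext(m) in EXECUTABLE_EXT]
    images = [m for m in members if _ext(m) in IMAGE_EXT]
    return {
        "members": members,
        "executables": executables,
        "images": images,
        "suspicious": bool(executables) and bool(images),
    }


@dataclass
class DetonationProfile:
    """What the analysis VM looks like to the sample (constructed values)."""
    screen_width: int
    screen_height: int
    staged_files: frozenset  # files placed next to the sample in the VM


def guardrail_gaps(profile: DetonationProfile, archive_members, sample_name: str) -> list:
    """List the guardrails a profile would fail.

    An empty list means the loader's documented checks would pass and the
    sandbox can expect to observe the next stage."""
    gaps = []
    if profile.screen_width < MIN_SCREEN_PIXELS:
        gaps.append(f"display {profile.screen_width}x{profile.screen_height} "
                    f"is below the {MIN_SCREEN_PIXELS}px width guardrail")
    # The loader expects a specific file beside itself. Its name is not given
    # in the report, so the conservative analyst choice (assumption) is to
    # stage every other archive member with the sample.
    companions = set(archive_members) - {sample_name}
    missing = sorted(companions - profile.staged_files)
    if missing:
        gaps.append(f"companion files not staged with the sample: {missing}")
    return gaps


def build_sample_archive() -> bytes:
    """Constructed stand-in for the phishing ZIP; member contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.exe", b"MZ placeholder, not a real loader")
        zf.writestr("invitation.jpg", b"\xff\xd8\xff placeholder image bytes")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    print("triage:", report)
    # Weak profile: small display, only the executable copied into the VM.
    weak = DetonationProfile(1024, 768, frozenset({"invitation.exe"}))
    # Corrected profile: workstation-sized display, whole archive staged.
    fixed = DetonationProfile(1920, 1080, frozenset(report["members"]))
    for label, prof in (("weak", weak), ("fixed", fixed)):
        gaps = guardrail_gaps(prof, report["members"], "invitation.exe")
        print(label, gaps or "no guardrail gaps")
```

The practical point for a detonation pipeline is the second guardrail: submitting the extracted executable on its own, which many mail-gateway integrations do by default, strips away the companion file and the loader will never reach the stage that enumerates security products. Staging the full archive contents together and giving the VM a workstation-class display profile are both cheap changes to make before concluding that a sample is inert.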
Source: Asian State-Backed Group TGR-STA-1030 Breaches 70 Government Entities