Research over the past year indicates that a newly identified cyberespionage threat actor operating in Asia has been conducting a sustained and methodical cyberespionage campaign that is characterized both by its operational scale and technical proficiency.
A fully adaptive and mature toolchain has been utilized by this group to successfully compromise 70 government and critical infrastructure institutions spanning 37 countries.
The group's operations utilize a range of classic intrusion vectors, including targeted phishing, advanced exploitation frameworks, along with custom malware, Linux-based rootkits, persistent web shells, tunneling and proxying mechanisms to hide command-and-control traffic and maintain long-term access.
According to the analysis of the campaign, these intrusions represent only a portion of the group's overall activities.
There appears to be an increase in reconnaissance efforts, indicating a strategic expansion beyond confirmed victims, according to security researchers.
During November and December of 2025, the actor was observed conducting active scanning and reconnaissance against government-linked infrastructures located in 155 countries, indicating that an intelligence collection operation had a global perspective rather than an opportunistic approach.
A previously unknown cyberespionage actor identified as TGR-STA-1030, also known as UNC6619, has been attributed to the activity by researchers at Palo Alto Networks' Unit 42. Based on a combination of technical artifacts, operational behavior, and targeting patterns, Unit 42 assesses with high confidence that the group is state-aligned and operating from Asia.
A 12-month period during which the actor compromised government and critical infrastructure organizations across 37 countries puts nearly one fifth of the world's countries within the campaign's verified impact zone.
A sharp increase in reconnaissance activity was observed by Unit 42 in parallel with these intrusions between November and December 2025, as the group actively scanned government-linked infrastructure associated with 155 countries, signaling a shift toward a broader collection of intelligence.
Based on the analysis conducted by Unit 42, the group was first discovered during an investigation into coordinated phishing operations targeting European government entities in early 2025.
Eventually, as the actor refined its access methods, these campaigns, which were part of the initial phase of the Shadow Campaigns, evolved into more direct exploitation-driven intrusions based on exploitation.
In light of the assessment that the activity aligns with state interests but has not yet been conclusively linked to a particular sponsoring organization, the designation TGR-STA-1030 is serving as a temporary tracking label while attribution efforts are continued.
Over time, the group demonstrated increasing technical maturity by deploying persistence mechanisms capable of providing extended access to exposed services beyond email-based lures, and exploiting exposed services.
To date, a wide range of sensitive government and infrastructure sectors have been identified as victims, including interior affairs, foreign relations, finance, trade, economic policy, immigration, mining, justice, and energy ministries and departments.
Despite confirmed compromises, researchers from Unit 42 believe that the breadth of reconnaissance activity offers insight into the actor's global priorities, while confirmed scanning efforts indicate that scanning efforts can be translated into operational access.
There were at least 70 successful breaches during the period under review, and attackers maintained footholds in several environments for several months at a time. Although the campaign appears to be primarily geared toward espionage, Unit 42 has cautioned that the scale, persistence, and alignment of the activity with real-world geopolitical events raise concerns about potential long-term consequences for national security and critical service resilience.
According to an in-depth analysis of the campaign, a pattern of targeting closely tracked sensitive geopolitical and commercial developments. Unit 42 documented the compromise of one of the largest suppliers in Taiwan's power equipment industry among the confirmed intrusions, which underscores the group's interest in energy-related industrial ecosystems.
The actors also breached an Indonesian airline's network during the active procurement process with a U.S.-based aircraft manufacturer in a separate incident. Researchers noted that the intrusion coincided with a significant increase in the promotion of competing aircraft products from a manufacturer based in Southeast Asia, suggesting that the operation was not limited to passive intelligence gathering, but extended to strategic economic interests.
It is important to note that several intrusion waves corresponded directly with diplomatic and political flashpoints involving China. After a high-profile meeting between the country’s president and the Dalai Lama, scanning activity was observed against the Czech military, national police, parliamentary systems, and multiple government bureaus in the Czech Republic.
A month prior to Honduras' presidential election, during which both of the leading candidates indicated their willingness to reestablish diplomatic relations with Taiwan, the group launched a targeted attack against Honduran government infrastructure on October 31, approximately one month before the election.
At least 200 government-associated IP addresses were targeted during this period by Unit 42, marking one of the largest concentrations of activity recorded by the group to date, which resulted in reconnaissance attempts and intrusion attempts. From a technical standpoint, the actor's tooling exhibits a high level of sophistication and operational discipline.
As a part of initial access, phishing campaigns were frequently used to deliver custom malware loaders known as DiaoYu. DiaoYu is the Chinese word for fishing. Upon execution, the malware loader performed antivirus checks before deploying follow-on payloads, including command-and-control beacons known as Cobalt Strike beacons.
Additionally, the group exploited various enterprise-facing vulnerabilities, including Microsoft Exchange Server, SAP Solution Manager, as well as more than a dozen other widely deployed platforms and services, attempting to exploit these vulnerabilities in parallel. By utilizing a previously undocumented Linux rootkit known as ShadowGuard, Palo Alto Networks enhanced persistence and stealth.
Rootkits operate within Linux kernel virtual machines referred to as Extended Berkeley Packet Filters (eBPF), allowing malicious logic to be executed entirely within highly trusted kernel space. According to researchers from Unit 42, eBPF-based backdoors pose a particular challenge for detection, because they are capable of intercepting and manipulating core system functions and auditing data before host-based security tools or monitoring platforms are aware of them.
A similar approach has been documented in recent research on advanced Chinese-linked threat actors. However, certain operational artifacts also emerged in spite of the group's multi-tiered infrastructure strategy designed to obscure command-and-control pathways and impede attribution.
Several cases involved investigators observing connections to victims' environments originating from IP address ranges associated with China Mobile Communications Group, a major backbone telecommunications provider.
According to Palo Alto Networks, based on infrastructure analysis and historical telemetry, this group has been active since at least January 2024 and continues to pose a threat to the company.
According to Unit 42, TGR-STA-1030 remains an active and evolving threat to critical infrastructure and government environments worldwide. This threat's combination of geopolitical alignment, technical capability, and sustained access creates a potential long-term threat.
Unit 42 encourages governments and critical infrastructure operators to revisit long-held assumptions related to perimeter security and incident visibility in light of these findings.
Through the campaign, it can be seen how advanced threat actors are increasingly combining prolonged reconnaissance with selective exploitation in order to achieve durable access and remain undetected for extended periods of time.
It is recommended that security professionals prioritize continuous monitoring of exposed services, improve detection capabilities at both the endpoint and network layers, and closely monitor anomalous activity within trusted system components, such as kernel-level processes, where appropriate.
Additionally, the researchers emphasize the importance of cross-sector coordination and threat intelligence sharing in addition to immediate technical mitigations, noting that the campaign's scale and geopolitical alignment demonstrate the deterioration of national resilience over time through cyberespionage operations.
Keeping a keen eye on current and future state-aligned operations and adjusting defensive strategies in response will remain critical to limiting their strategic impact, especially as state-aligned actors continue to develop their skills.
