Asian State-Backed Group TGR-STA-1030 Targets 70 Government and Infrastructure Entities
Summary
A previously undocumented cyber espionage group, TGR-STA-1030, has compromised at least 70 government and critical infrastructure organizations across 37 countries over the past year. The group, assessed to be of Asian origin, leverages phishing emails and exploits N-day vulnerabilities to deploy malware and maintain long-term access for espionage purposes. Targets include national law enforcement, ministries of finance, and departments related to economic, trade, natural resources, and diplomatic functions. The group uses a variety of tools, including Cobalt Strike, Behinder, Godzilla, and a Linux kernel rootkit named ShadowGuard. The group conducted reconnaissance activity targeting government entities connected to 155 countries between November and December 2025 and showed increased interest in scanning entities across North, Central, and South America during the U.S. government shutdown in October 2025. The group also exploited at least 15 known vulnerabilities in SAP Solution Manager, Microsoft Exchange Server, D-Link, and Microsoft Windows.
Timeline
- 07.02.2026 17:09 · 1 article
TGR-STA-1030 Uses ShadowGuard Rootkit for Espionage
The group uses a custom Linux kernel eBPF rootkit called ShadowGuard, which conceals malicious process information at the kernel level and hides up to 32 PIDs from standard Linux monitoring tools. ShadowGuard also hides files and directories named swsecret and features a mechanism that lets its operator define processes that should remain visible.
Sources:
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
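A defender-side check for the PID-hiding behaviour described above, added here as an example; it is not code from the reporting or from the campaign's tooling. It assumes a standard /proc mount and that hidden PIDs are filtered from directory listings while direct path lookups still succeed.

```python
"""Hidden-PID cross-check for Linux. Rootkits that hide PIDs (ShadowGuard hides
up to 32) typically filter what a directory read of /proc returns, while a direct
stat of /proc/<pid> usually still succeeds. Listing /proc before and after the
probe absorbs processes that start or exit mid-scan. PROC is an assumption."""
import os
from typing import Iterable, Set

PROC = "/proc"  # assumption: standard procfs mount point

def listed_pids(proc_root: str = PROC) -> Set[int]:
    """PIDs as seen by reading the /proc directory, the view a rootkit filters."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def is_thread(status_text: str) -> bool:
    """True when /proc/<id>/status describes a non-leader thread (Tgid != Pid).
    Threads are reachable as /proc/<tid> but never listed, so they must be skipped."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Tgid", "Pid"):
            fields[key] = value.strip()
    return fields.get("Tgid") is not None and fields.get("Tgid") != fields.get("Pid")

def probed_pids(pid_max: int, proc_root: str = PROC) -> Set[int]:
    """PIDs found by opening /proc/<pid>/status directly, bypassing enumeration."""
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"{proc_root}/{pid}/status") as fh:
                if not is_thread(fh.read()):
                    found.add(pid)
        except FileNotFoundError:
            continue
        except PermissionError:
            found.add(pid)  # exists but unreadable: still a live process
    return found

def find_hidden_pids(listed_before: Iterable[int], probed: Iterable[int],
                     listed_after: Iterable[int]) -> Set[int]:
    """PIDs reachable by direct probe but absent from both directory listings."""
    return set(probed) - set(listed_before) - set(listed_after)

def scan(proc_root: str = PROC) -> Set[int]:
    """Full host scan: returns PIDs that exist but are never listed in /proc."""
    with open(f"{proc_root}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    before = listed_pids(proc_root)
    probed = probed_pids(pid_max, proc_root)
    return find_hidden_pids(before, probed, listed_pids(proc_root))
```

A non-empty result from scan() is a lead, not proof: confirm with an independent view (a second host, a forensic boot medium, or a loaded-eBPF-program inventory) before acting.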
- 06.02.2026 14:07 · 2 articles
TGR-STA-1030 Compromises 70 Government and Infrastructure Entities
A previously undocumented cyber espionage group, TGR-STA-1030, has breached at least 70 government and critical infrastructure organizations across 37 countries over the past year. The group, assessed to be of Asian origin, leverages phishing emails and exploits N-day vulnerabilities to deploy malware and maintain long-term access for espionage purposes. Targets include national law enforcement, ministries of finance, and departments related to economic, trade, natural resources, and diplomatic functions. The group uses a variety of tools, including Cobalt Strike, Behinder, Godzilla, and a Linux kernel rootkit named ShadowGuard. The group conducted reconnaissance activity targeting government entities connected to 155 countries between November and December 2025 and showed increased interest in scanning entities across North, Central, and South America during the U.S. government shutdown in October 2025. The group also exploited at least 15 known vulnerabilities in SAP Solution Manager, Microsoft Exchange Server, D-Link, and Microsoft Windows.
Sources:
- Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities — thehackernews.com — 06.02.2026 14:07
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
Information Snippets
- TGR-STA-1030 has compromised 70 government and critical infrastructure organizations across 37 countries.
First reported: 06.02.2026 14:07 (2 sources, 2 articles). Sources:
- Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities — thehackernews.com — 06.02.2026 14:07
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- The group has been active since January 2024 and is assessed to be of Asian origin.
First reported: 06.02.2026 14:07 (2 sources, 2 articles). Sources:
- Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities — thehackernews.com — 06.02.2026 14:07
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- Phishing emails are used to deliver a ZIP archive containing the Diaoyu Loader malware.
First reported: 06.02.2026 14:07 (2 sources, 2 articles). Sources:
- Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities — thehackernews.com — 06.02.2026 14:07
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- The malware employs a dual-stage execution guardrail to evade sandbox analysis.
First reported: 06.02.2026 14:07 (2 sources, 2 articles). Sources:
- Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities — thehackernews.com — 06.02.2026 14:07
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- The group exploits N-day vulnerabilities in software from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou Email System.
First reported: 06.02.2026 14:07 (2 sources, 2 articles). Sources:
- Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities — thehackernews.com — 06.02.2026 14:07
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- Tools used by the group include Cobalt Strike, Behinder, Godzilla, and a Linux kernel rootkit named ShadowGuard.
First reported: 06.02.2026 14:07 (2 sources, 2 articles). Sources:
- Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities — thehackernews.com — 06.02.2026 14:07
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- The group conducted reconnaissance activity targeting government entities connected to 155 countries between November and December 2025.
First reported: 07.02.2026 17:09 (1 source, 1 article). Sources:
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- The group showed increased interest in scanning entities across North, Central, and South America during the U.S. government shutdown in October 2025.
First reported: 07.02.2026 17:09 (1 source, 1 article). Sources:
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- The group conducted significant reconnaissance activity against at least 200 IP addresses hosting Government of Honduras infrastructure 30 days before the national election.
First reported: 07.02.2026 17:09 (1 source, 1 article). Sources:
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- The group exploited at least 15 known vulnerabilities in SAP Solution Manager, Microsoft Exchange Server, D-Link, and Microsoft Windows.
First reported: 07.02.2026 17:09 (1 source, 1 article). Sources:
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
- The group used a custom Linux kernel eBPF rootkit called ShadowGuard, which conceals malicious process information at the kernel level and hides up to 32 PIDs from standard Linux monitoring tools.
First reported: 07.02.2026 17:09 (1 source, 1 article). Sources:
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09
Similar Happenings
PassiveNeuron APT Campaign Targeting Government, Financial, and Industrial Sectors
A new cyber espionage campaign, dubbed PassiveNeuron, targets government, financial, and industrial organizations in Asia, Africa, and Latin America. The campaign uses Neursite and NeuralExecutor malware to infiltrate and exfiltrate data from compromised servers. The threat actors leverage compromised internal servers as an intermediate command-and-control (C2) infrastructure to evade detection. The campaign was first flagged in November 2024 and has continued through August 2025. Initial access is gained through Microsoft SQL, followed by the deployment of various implants, including Neursite, NeuralExecutor, and Cobalt Strike. The malware supports various communication protocols and includes plugins for additional capabilities.
WeepSteel Malware Deployed via Sitecore Zero-Day Exploit
Threat actors have exploited a zero-day vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) to deliver WeepSteel malware. The flaw, tracked as CVE-2025-53690, affects versions prior to 9.0 and was exploited using a sample machine key from outdated deployment guides. The attack involved ViewState deserialization, internal reconnaissance, and the deployment of various open-source tools for persistence and lateral movement. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the vulnerability by September 25, 2025. The vulnerability has a CVSS score of 9.0, indicating critical severity.

The China-linked threat group Ink Dragon has been observed turning misconfigured servers in European government networks into relay nodes to hide its cyber-espionage activity. Ink Dragon probes public-facing websites for weaknesses, including configuration issues in Microsoft's IIS web server and SharePoint. Once a foothold is established, the group moves quietly through the environment, collecting credentials and using Remote Desktop for lateral movement. Ink Dragon maps the environment in detail, controls policy settings, and deploys long-term access tools across high-value systems. The group uses compromised organizations to support operations elsewhere, deploying a customized IIS-based module to turn public-facing servers into relay points. Ink Dragon has updated its tooling, including a new version of the FinalDraft backdoor built for long-term access and to blend into Microsoft cloud activity. A second China-linked group, RudePanda, has entered some of the same European government networks and exploited the same exposed server vulnerability.

A threat actor likely aligned with China, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least last year. UAT-8837 is primarily tasked with obtaining initial access to high-value organizations. The group deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information. UAT-8837 exploits a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access. The group disables RestrictedAdmin for Remote Desktop Protocol (RDP) to ensure credentials and other user resources aren't exposed to compromised remote hosts. UAT-8837 downloads several artifacts including GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy to enable post-exploitation. The group exfiltrated DLL-based shared libraries related to the victim's products, raising the possibility of future trojanization and supply chain compromises.
Chinese State-Sponsored Actors Target Global Critical Infrastructure
Chinese state-sponsored APT actors have **dramatically escalated cyber operations against Taiwan**, with the National Security Bureau (NSB) reporting **960,620,609 intrusion attempts** in 2025—a **6% year-over-year increase** and **112.5% surge since 2023**. The **energy sector** faced a **tenfold spike in attacks**, while **emergency/hospital systems** saw a **54% rise**, including **ransomware deployments** that disrupted operations in at least **20 hospitals** and led to stolen medical data being sold on dark web forums. The campaigns, attributed to **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886**, leveraged **hardware/software vulnerabilities, DDoS, social engineering, and supply-chain compromises**, often combining tactics. Attacks correlated with **PLA military drills, political events, and visits by Taiwanese officials**, peaking in **May 2025** during President Lai Ching-te’s inauguration anniversary. Taiwan’s NSB is now collaborating with **30+ countries** on joint investigations, marking a significant expansion in international coordination against PRC cyber threats. Earlier phases of this campaign targeted **U.S. government agencies (CBO, Treasury, CFIUS)**, **European telecoms**, and global critical infrastructure via exploits in **Cisco, Ivanti, Palo Alto, and Citrix devices**. Advisories from **CISA, NSA, and allies** warn of a shift from espionage to **potential disruptive capabilities**, while **Operation "WrtHug"** hijacked **50,000+ ASUS routers** (predominantly in Taiwan) for persistent access. Despite vendor patches, **unpatched or end-of-life devices remain at risk** of compromise by Chinese APTs and follow-on threat actors.
UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks
UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other entities globally to advance Beijing's strategic interests. The group employs a multi-stage attack chain leveraging advanced social engineering, valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to evade detection. The campaign, detected in March 2025, uses captive portal redirections to deliver a PlugX variant called SOGU.SEC. The attacks involve redirecting web traffic through a captive portal to a threat actor-controlled website, downloading a digitally signed downloader (STATICPLUGIN), and deploying the SOGU.SEC backdoor in memory. The malware supports commands to exfiltrate files, log keystrokes, and launch remote command shells. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities. In a new development, a campaign targeting U.S. government and policy entities has been attributed with moderate confidence to Mustang Panda. This campaign uses Venezuela-themed spear phishing to deliver the LOTUSLITE backdoor, a bespoke C++ implant that communicates with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs. The backdoor supports commands for remote CMD shell, file enumeration, file creation, data exfiltration, and beacon status checks, and establishes persistence by making Windows Registry modifications.
Erlang/OTP SSH RCE Exploits Targeting OT Firewalls
A surge in exploitation of CVE-2025-32433, a critical security flaw in Erlang/OTP SSH, has been observed since May 2025. Approximately 70% of these exploits target operational technology (OT) firewalls. This vulnerability, patched in April 2025, allows attackers to execute arbitrary code on vulnerable systems without authentication. The attacks have primarily affected healthcare, agriculture, media, entertainment, and high technology sectors in the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. The exploitation involves using reverse shells to gain unauthorized remote access to target networks. The specific threat actors behind these efforts remain unidentified. The flaw is due to improper state enforcement in the Erlang/OTP SSH daemon, allowing unauthenticated clients to execute commands by sending SSH connection protocol messages to open SSH ports. The flaw has been exploited to create TCP connections and bind them to a shell, allowing interactive command execution over the network. The flaw could have severe consequences for an organization, its network, and its operations, including the compromise of sensitive information and disruption of operations.