Sensitive systems of organizations in 37 countries have been compromised in a large-scale cyberespionage campaign. The campaign is the work of a state-sponsored threat actor, designated TGR-STA-1030.
This is according to research by Unit 42, the threat research team of Palo Alto Networks. The campaign, whose attacks often followed major geopolitical events, targeted organizations with access to policy, economic, and diplomatic information.
Highly targeted attacks
TGR-STA-1030 launched highly targeted attacks, using custom tools rather than large-scale, automated methods. Unit 42 was able to identify the activity worldwide and, in collaboration with governments, alerted affected organizations and supported them in their recovery. In Europe, countries affected included Germany, Italy, Poland, Portugal, the Czech Republic, Serbia, Greece, and Cyprus.
The attacks targeted five national police forces and border authorities, three finance ministries, and government departments related to trade, natural resources, and diplomacy. The group acted swiftly, often launching attacks within days of geopolitical events.
Attackers gained initial access through targeted phishing emails and by exploiting known vulnerabilities in software from Microsoft Exchange, SAP, and Atlassian, among others. The malware used was deliberately simple and compact to evade detection. A Linux kernel rootkit was also deployed to conceal the intrusion and maintain access for extended periods.
Reconnaissance activity in 155 countries
Between November and December 2025, Unit 42 observed active reconnaissance activities in government networks of 155 countries, highlighting the scale and strategic ambition of the campaign.
Unit 42 concludes that modern cyberespionage has become more effective and scalable. The combination of speed, technical sophistication, and long-term presence increases the risk of data theft, strategic information loss, and further exploitation of systems.