Palo Alto Networks’ threat intelligence unit, Unit 42, has released new research detailing the activities of a highly sophisticated state-aligned cyber actor that has compromised government and critical infrastructure organisations across 37 countries.
The actor, tracked as TGR-STA-1030, is assessed to have affected nearly one in five nations worldwide, with targets including national security, economic and diplomatic institutions. Unit 42 researchers say the group operates with precision and restraint, favouring tailored attacks and custom tooling over large-scale automated campaigns.
According to the report, impacted entities include five national-level law enforcement or border control agencies and three ministries of finance, as well as government departments responsible for trade, natural resources and diplomacy.
Unit 42 said the group demonstrated exceptional speed and agility, frequently carrying out successful compromises within days of major geopolitical events. Initial access was typically gained through carefully crafted phishing campaigns, combined with the exploitation of known vulnerabilities in widely used platforms such as Microsoft Exchange, SAP and Atlassian products.
A key technical finding concerns the malware loader used by TGR-STA-1030. Many loaders check for dozens of endpoint security products before running, and every product name, driver or file path they carry is one more string a detection rule can match on, so the larger check list tends to increase, not reduce, the chance of discovery. This loader checks for only five, keeping its code footprint small and giving defenders little to signature.
The research also uncovered a previously undocumented Linux kernel rootkit, dubbed “ShadowGuard.” Because it runs in the kernel, the rootkit can alter what the operating system reports to userspace and conceal the group's presence from standard host monitoring and forensic tools, which significantly complicates both detection and remediation.
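A kernel rootkit that hides from host tools usually does so by filtering one interface (for example the directory listing of /proc, or the contents of /proc/modules) without filtering every other path to the same fact. The cross-view check below is an added example written for this article, not code from Unit 42 or from the report, and it makes no claim about how ShadowGuard works. It assumes a standard Linux layout of /proc and /sys, that only loadable (non-built-in) modules have a /sys/module/<name>/initstate file, and that kill(pid, 0) answers for every existing task; the module lines and PIDs in the usage block are constructed sample data.

```python
"""Cross-view diffing for kernel rootkit hunting (added example, not Unit 42's tooling)."""
import os
import sys


def parse_proc_modules(text: str) -> set[str]:
    """Module names from text in /proc/modules format (name is the first column)."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def hidden_modules(proc_modules_text: str, sysfs_loaded_names) -> set[str]:
    """Modules that sysfs knows as loaded but that /proc/modules does not list."""
    return set(sysfs_loaded_names) - parse_proc_modules(proc_modules_text)


def hidden_pids(listed_pids: set[int], alive_pids: set[int], tgid_of) -> set[int]:
    """Tasks that answer a signal probe but are absent from the /proc listing.

    tgid_of(pid) returns the thread-group id of pid, or None if it cannot be read,
    so that threads of a visible process (kill() accepts TIDs) are not reported.
    """
    suspicious = set()
    for pid in alive_pids - listed_pids:
        tgid = tgid_of(pid)
        if tgid is not None and tgid in listed_pids:
            continue  # a thread of a listed process, not a hidden task
        suspicious.add(pid)
    return suspicious


# ---- live collectors (Linux only); the functions above are the testable core ----

def sysfs_loaded_modules(sys_module_dir: str = "/sys/module") -> set[str]:
    # Assumption: built-in modules have no initstate file, loadable ones do.
    loaded = set()
    for name in os.listdir(sys_module_dir):
        if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
            loaded.add(name)
    return loaded


def listed_proc_pids(proc_dir: str = "/proc") -> set[int]:
    return {int(d) for d in os.listdir(proc_dir) if d.isdigit()}


def probe_alive_pids(pid_max: int) -> set[int]:
    """Brute-force every PID with kill(pid, 0); EPERM still means the task exists."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def tgid_from_status(pid: int):
    # /proc/<tid> can be opened directly even when readdir() does not list it.
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        return None
    return None


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("this check reads /proc and /sys and only runs on Linux")
    with open("/proc/modules") as f:
        mods = hidden_modules(f.read(), sysfs_loaded_modules())
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())           # scanning 4M PIDs takes a while in Python
    pids = hidden_pids(listed_proc_pids(), probe_alive_pids(pid_max), tgid_from_status)
    print("modules in /sys/module but not /proc/modules:", sorted(mods) or "none")
    print("tasks answering kill(pid, 0) but not in /proc:", sorted(pids) or "none")
```

A non-empty result from either check is a strong lead, but an empty result proves nothing: a rootkit that hooks both views, or the syscalls themselves, passes this test, which is why a memory image analysed off the suspect host remains the more reliable forensic route.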
Using telemetry from the Palo Alto Networks platform, Unit 42 was able to proactively hunt for the group's indicators and tooling at global scale. The company said it worked closely with industry and government partners to notify affected organisations and provide remediation guidance.
While TGR-STA-1030 has largely operated under the radar, Unit 42 said the findings highlight the growing risk posed by well-resourced state-aligned actors — and the urgency for governments to move beyond legacy systems and invest in modernised, resilient security architectures.
