Nation-state hackers like based in Asia have targeted government agencies in 37 countries in a vast spying operation over at least two years.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

A sophisticated nation-state threat group, likely from Asia, has been running a global cyberespionage campaign since at least January 2024, compromising government and critical infrastructure organizations in 37 countries. The group, tracked as TGR-STA-1030, uses phishing campaigns and N-day exploits to gain initial access, deploying tools like Cobalt Strike, multiple C2 frameworks, web shells, and a new Linux kernel rootkit called ShadowGuard that uses eBPF to hide activities. The attackers target government ministries, law enforcement, border control, and financial departments, with reconnaissance activities detected against 155 countries between November and December 2025. They lease legitimate VPS infrastructure primarily in the US, UK, and Singapore to appear legitimate and complicate investigations.

Threat Group Running Espionage Operations Against Dozens of Governments