
Massive Cyberespionage Campaign Breaches 70 Organisations Across 37 Countries

February 5, 2026


A state-backed hacking group operating from Asia has infiltrated at least 70 organisations across 37 countries in the past year, targeting government bodies handling diplomacy, trade and natural resources. Security researchers describe it as the largest campaign by a single group since the SolarWinds breach.

A Global Spy Operation Uncovered

Cybersecurity researchers at Palo Alto Networks have exposed a massive state-sponsored espionage campaign that has compromised at least 70 organisations across 37 countries over the past year. The operation, attributed to a state-aligned group operating from Asia and tracked as TGR-STA-1030, represents the most extensive cyberespionage effort attributed to a single government hacking group since the notorious SolarWinds incident in 2020.

High-Value Targets on Four Continents

The attackers successfully breached five national law enforcement and border control agencies, three finance ministries, one national parliament, and a senior elected official in another country. Named victims include Brazil's Ministry of Mines and Energy, the Czech Republic's parliament and military, an Indonesian government official, and a Taiwanese power equipment supplier.

Affected nations span the Americas, Europe, Asia and Africa, including Bolivia, Mexico, Panama, Cyprus, Malaysia, the Republic of Congo, Djibouti and Zambia. Notably, researchers confirmed that government agencies and critical infrastructure in the United States and United Kingdom were not targeted.

Stealthy Tools and Techniques

The attackers deployed a previously undocumented Linux kernel rootkit called ShadowGuard, which runs in kernel space to hide malicious processes and files. This makes detection exceptionally difficult: because the rootkit tampers with the kernel interfaces that user-space security tools depend on, those tools are shown a filtered view of the system before they can observe the suspicious activity.
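The paragraph above describes the core problem a kernel rootkit creates for defenders: the tools asking the kernel "which processes and files exist?" are answered by a kernel that has been told to lie. The usual userland countermeasure is a cross-view check: obtain the same information through two independent kernel interfaces and flag any disagreement, since a rootkit rarely filters every path consistently. The script below is an added illustration of that heuristic (the same idea tools such as unhide apply); it is not Palo Alto Networks' tooling, it is not specific to ShadowGuard, and the function names and the sample PID sets in `self_check` are constructed for the demonstration.

```python
"""Cross-view consistency checks for spotting kernel-level hiding of
processes and files.

Two independent views of the process table are compared:
  view 1: numeric entries returned by readdir() on /proc
  view 2: PIDs that the kernel acknowledges via kill(pid, 0)
A PID present in view 2 but absent from view 1 is a candidate hidden process.
The same trick works for files: a name that stat() resolves but readdir()
never returned.  Helper names are hypothetical, written for this example.
"""
import os


def pids_from_proc(proc_root="/proc"):
    """View 1: PIDs visible as numeric directory entries under /proc."""
    try:
        return {int(name) for name in os.listdir(proc_root) if name.isdigit()}
    except OSError:
        return set()


def pids_from_signal_probe(max_pid=None):
    """View 2: PIDs that answer a null signal.  kill(pid, 0) delivers nothing;
    it only asks the kernel whether the target exists.  EPERM (PermissionError)
    still means "exists, owned by someone else", so it counts as alive.
    POSIX only: on Windows os.kill() with an arbitrary signal terminates the
    target, so the probe is disabled there."""
    if os.name != "posix":
        return set()
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read().strip())
        except (OSError, ValueError):
            max_pid = 32768  # conservative default if pid_max is unreadable
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except OSError:  # ESRCH and anything else: treat as not present
            continue
    return alive


def find_hidden_pids(listed, probed):
    """Pure comparison: PIDs that respond to probing but are missing from the
    directory listing.  Short-lived processes that exit between the two
    snapshots cause one-off false positives, so re-run before alerting."""
    return set(probed) - set(listed)


def find_hidden_files(directory, candidate_names):
    """A name that stat() resolves but readdir() omitted is being hidden.
    Candidate names come from threat intel or from known-good inventories."""
    try:
        listed = set(os.listdir(directory))
    except OSError:
        return set()
    hidden = set()
    for name in candidate_names:
        if name not in listed and os.path.lexists(os.path.join(directory, name)):
            hidden.add(name)
    return hidden


def self_check():
    """Runs the comparison on constructed data: a PID set where 4242 is the
    planted 'hidden' entry, and a scratch directory where nothing is hidden,
    so the expected file finding is empty."""
    import tempfile
    sample_listed = {1, 2, 100}           # constructed: what readdir showed
    sample_probed = {1, 2, 100, 4242}     # constructed: what kill(pid, 0) showed
    with tempfile.TemporaryDirectory() as scratch:
        open(os.path.join(scratch, "visible.txt"), "w").close()
        files = find_hidden_files(scratch, ["visible.txt", "ghost.bin"])
    return {"hidden_pids": find_hidden_pids(sample_listed, sample_probed),
            "hidden_files": files}


if __name__ == "__main__":
    # Live comparison on the host running the script (POSIX only).
    suspects = find_hidden_pids(pids_from_proc(), pids_from_signal_probe())
    print("PIDs acknowledged by the kernel but absent from /proc:", sorted(suspects))
    print("self-check:", self_check())
```

The live check is cheap enough to run from a cron job or an EDR script, but a kernel-resident rootkit can in principle hook both interfaces, so a clean result is not proof of a clean host; treat it as one signal alongside disk-offline inspection and memory forensics.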

Between November and December 2025, the group also conducted extensive reconnaissance scanning across infrastructure in 155 countries, suggesting preparations for future attacks on an even broader scale.

Timing Linked to Geopolitical Events

The campaign appears closely tied to political and economic developments. Shortly after reports emerged of trade investigations involving Mexico's tariff plans, researchers detected malicious traffic targeting two Mexican ministries. One month before Honduras's 2025 elections, hackers targeted government infrastructure there. After the Czech President met with the Dalai Lama, attackers probed Czech systems associated with the army, police, parliament and multiple ministries.

While Palo Alto Networks stopped short of directly naming the nation responsible, it noted that the strategic interests and target selection bear a strong resemblance to previous campaigns attributed to the Chinese government. The firm has engaged with all 37 affected nations and warns that the group remains active.

Published February 5, 2026 at 4:15pm
