The Scale
Palo Alto Networks' Unit 42 team identified a state-aligned Asian group, designated TGR-STA-1030, that breached more than 70 critical infrastructure and government organizations across 37 countries during 2025. The group's reconnaissance activity touched 155 nations between November and December alone.
This is the widest such campaign since the 2020 SolarWinds compromise. Worth noting: Palo Alto stops short of naming a nation, calling it "Asia state-aligned" despite targeting patterns that align with strategic interests typically associated with Chinese operations.
The Targets
Confirmed breaches include Brazil's Ministry of Mines and Energy, the Czech parliament and military, Indonesian government officials, and a Taiwanese power supplier. The group focused on law enforcement, financial institutions, diplomatic missions, trade organizations, and resource sectors. Australia's Treasury was among reconnaissance targets.
The timeline matters here. Early 2025 compromises continued through year-end, with the Taiwanese power supplier re-accessed in December 2025. A Venezuelan technology facility may have been hit as recently as January 2026.
The Tactics
TGR-STA-1030 combined phishing, vulnerability exploitation, and lateral movement techniques, and deployed a new Linux rootkit designed for evasion. Unit 42 assessed the group as Asia-based on the strength of tooling characteristics, GMT+8 activity patterns, the handle "JackMa" in their infrastructure, and regional targeting priorities.
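The "GMT+8 activity patterns" signal is a working-hours heuristic: shift attacker-attributed timestamps into each candidate time zone and see where they look most like a weekday office schedule. The following is an added illustration of that heuristic, not code from the Unit 42 report, and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker-attributed events (for example
# C2 check-ins or malware build times). Not data from the Unit 42 report.
SAMPLE_EVENTS_UTC = [
    "2025-11-03T01:12:00Z", "2025-11-03T02:45:00Z", "2025-11-03T04:30:00Z",
    "2025-11-04T01:05:00Z", "2025-11-04T06:20:00Z", "2025-11-04T09:40:00Z",
    "2025-11-05T03:15:00Z", "2025-11-05T07:50:00Z", "2025-11-06T02:00:00Z",
    "2025-11-06T08:10:00Z", "2025-11-07T05:25:00Z", "2025-11-07T09:55:00Z",
]

def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def working_hours_fraction(events, offset_hours, work_start=9, work_end=18):
    """Fraction of events that land on a weekday between work_start and work_end
    once shifted into the zone UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and work_start <= local.hour < work_end:
            hits += 1
    return hits / len(events) if events else 0.0

def rank_utc_offsets(timestamps, offsets=range(-12, 15)):
    """Return (offset, fraction) pairs sorted best-first. The leading entry is
    the zone in which the activity most resembles a 9-to-18 weekday schedule;
    ties are broken towards the smaller absolute offset."""
    events = [parse_utc(t) for t in timestamps]
    scored = [(off, working_hours_fraction(events, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))

def best_utc_offset(timestamps):
    """Single most plausible operator UTC offset for the given timestamps."""
    return rank_utc_offsets(timestamps)[0][0]

if __name__ == "__main__":
    for off, frac in rank_utc_offsets(SAMPLE_EVENTS_UTC)[:5]:
        print(f"UTC{off:+d}: {frac:.0%} of events inside weekday working hours")
```

On real data this is one weak signal among several: operators can work odd hours or schedule tasks, so the fit should be read alongside tooling, infrastructure and targeting evidence, as Unit 42 does here.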
The Context
This sits alongside other 2025 state-aligned activity: the China-linked U.S. Treasury breach in December 2024 and Juniper router exploits in March 2025. It differs from explicitly attributed groups like Salt Typhoon, which hit 200+ targets across 80 countries with a focus on U.S. telecommunications.
For organizations running Palo Alto infrastructure: Unit 42's incident response playbooks for APT detection cover this threat profile. The WildFire sandbox and Advanced Threat Prevention features are positioned to detect these techniques, though configuration for critical infrastructure environments requires careful attention to detection thresholds and response automation.
The report lands as CISA continues pushing mitigation guidance for state-aligned campaigns. The pattern is clear: reconnaissance at scale, selective compromise, long operational timelines.