State-Sponsored Hackers Target 155 Countries in ‘Shadow Campaigns’ Espionage Operation

by Chief Editor

Global Espionage Campaign Targets 155 Nations: The Rise of ‘Shadow Campaigns’

A state-sponsored cyber espionage group, tracked as TGR-STA-1030 (also known as UNC6619), has been conducting a long-running set of operations dubbed ‘Shadow Campaigns,’ compromising government and critical infrastructure networks across 37 countries. The group’s activity, which began as early as January 2024, extends to reconnaissance against 155 nations, a scale that suggests the confirmed intrusions are only the visible part of a much larger targeting effort.

Who is Behind the Shadow Campaigns?

Unit 42, the threat intelligence division of Palo Alto Networks, assesses with high confidence that TGR-STA-1030 is a state-aligned group operating out of Asia. While definitive attribution remains ongoing, the group’s operational maturity and strategic targeting suggest a well-resourced and highly skilled adversary.

Key Targets and Compromises

The primary focus of ‘Shadow Campaigns’ is on government entities, specifically ministries and departments related to finance, trade, law enforcement, border control, energy, and diplomatic functions. Confirmed compromises include organizations involved in trade policy, geopolitical issues, and elections in the Americas, ministries and parliaments in Europe, Australia’s Treasury Department, and critical infrastructure in Taiwan. At least 70 government and critical infrastructure organizations have been successfully breached.

Recent activity shows a correlation between geopolitical events and targeting. For example, increased scanning activity across North, Central, and South America was observed during the U.S. Government shutdown in October 2025. Significant reconnaissance was also detected against Honduran government infrastructure shortly before a national election, coinciding with discussions about restoring ties with Taiwan.

From Phishing to Exploits: The Attack Chain

Initially, the group relied heavily on highly targeted phishing emails, often disguised as internal communications about ministry reorganizations. These emails led victims to malicious archives hosted on Mega.nz. The archives contained the Diaoyu malware loader together with a zero-byte PNG file that the loader used as an integrity check. Diaoyu would then deliver Cobalt Strike payloads and the VShell framework.

However, TGR-STA-1030/UNC6619 has evolved its tactics and now leverages at least 15 publicly known (n-day) vulnerabilities to gain initial access, which removes the dependency on a user opening an attachment. The exploited vulnerabilities include flaws in SAP Solution Manager, Microsoft Exchange Server, D-Link devices, and Microsoft Windows; the report referenced here does not enumerate the individual CVE identifiers, so patch status for those four product families is the practical starting point for exposure checks.

A New Linux Rootkit: ShadowGuard

Researchers have identified a custom Linux eBPF rootkit, named ‘ShadowGuard,’ that is unique to this threat actor. eBPF backdoors are notoriously difficult to detect because their programs run in kernel context, where they can alter what system calls return to user space and what reaches audit logs, without loading a traditional kernel module. ShadowGuard conceals malicious processes, hides files and directories named swsecret, and lets operators specify which processes should remain visible.
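Because an eBPF rootkit needs its programs to stay loaded and attached, the loaded-program inventory that the kernel exposes through `bpftool` is a useful hunting surface. The script below is an added example written for this article, not code from Unit 42 or from the ShadowGuard analysis: it feeds the JSON that `bpftool prog show -j` and `bpftool perf show -j` print into a simple heuristic that flags programs hooking syscalls commonly used to hide files and processes (the getdents family, openat, read, kill) and programs that no live process owns. The sample records are constructed, the field names follow bpftool's JSON output as an assumption to verify against your version, and the allowlist of loader process names is a placeholder you must tune per host.

```python
"""Flag loaded eBPF programs that look like rootkit hooks.

Added example, not from the Unit 42 report. Consumes the JSON printed by
`bpftool prog show -j` and `bpftool perf show -j`. The field names used here
(id, type, name, pids[].comm, prog_id, fd_type, func, tracepoint) are an
assumption about bpftool's output format; check them on your kernel.
"""
import json
import subprocess

# Syscalls a process/file-hiding rootkit commonly hooks. Generic heuristic,
# not tied to ShadowGuard's actual hook set, which the article does not list.
SUSPECT_FUNCS = {"getdents64", "getdents", "openat", "read", "kill"}

# Loader processes expected to hold eBPF programs on this host (assumption).
ALLOWLIST_COMMS = {"systemd", "bpftrace", "falco"}

# Constructed sample of `bpftool prog show -j`: one benign program owned by
# systemd, two owned by an unknown loader, one with no owner at all.
SAMPLE_PROGS = json.loads("""[
 {"id": 12, "type": "tracepoint", "name": "sched_process",
  "pids": [{"pid": 1, "comm": "systemd"}]},
 {"id": 57, "type": "kprobe", "name": "hide_dir",
  "pids": [{"pid": 4242, "comm": "swupdate"}]},
 {"id": 58, "type": "tracepoint", "name": "enter_getdents64",
  "pids": [{"pid": 4242, "comm": "swupdate"}]},
 {"id": 99, "type": "kprobe", "name": "persist", "pids": []}
]""")

# Constructed sample of `bpftool perf show -j` (attachment points).
SAMPLE_PERF = json.loads("""[
 {"pid": 4242, "fd": 5, "prog_id": 57, "fd_type": "kprobe",
  "func": "__x64_sys_getdents64", "offset": 0},
 {"pid": 4242, "fd": 6, "prog_id": 58, "fd_type": "tracepoint",
  "tracepoint": "syscalls/sys_enter_getdents64"},
 {"pid": 1, "fd": 9, "prog_id": 12, "fd_type": "tracepoint",
  "tracepoint": "sched/sched_process_exec"}
]""")


def attach_target(rec):
    """Return the kernel symbol or tracepoint a perf record is attached to."""
    return rec.get("func") or rec.get("tracepoint") or ""


def syscall_name(target):
    """Reduce '__x64_sys_getdents64' or 'syscalls/sys_enter_getdents64'
    to the bare syscall name so it can be matched against SUSPECT_FUNCS."""
    name = target.rsplit("/", 1)[-1]
    # Longer prefixes first so 'sys_enter_' is stripped before 'sys_'.
    for prefix in ("__x64_sys_", "__arm64_sys_", "sys_enter_", "sys_exit_", "sys_"):
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def find_suspicious(progs, perf):
    """Return a list of (prog_id, reason) worth manual investigation."""
    by_id = {p["id"]: p for p in progs}
    findings = []
    for rec in perf:
        target = attach_target(rec)
        prog = by_id.get(rec["prog_id"], {})
        owners = {p["comm"] for p in prog.get("pids", [])}
        if syscall_name(target) in SUSPECT_FUNCS and not owners & ALLOWLIST_COMMS:
            findings.append((rec["prog_id"],
                             f"{rec['fd_type']} on {target} held by {sorted(owners)}"))
    flagged = {pid for pid, _ in findings}
    # A program nobody holds an fd to is only alive because it is pinned
    # under /sys/fs/bpf or attached by a loader that has since exited:
    # a common persistence pattern, so surface it.
    for p in progs:
        if not p.get("pids") and p["id"] not in flagged:
            findings.append((p["id"], "no owning process (pinned or detached loader)"))
    return findings


def load_live():
    """Query the running kernel instead of the samples (needs root + bpftool)."""
    progs = json.loads(subprocess.check_output(["bpftool", "prog", "show", "-j"]))
    perf = json.loads(subprocess.check_output(["bpftool", "perf", "show", "-j"]))
    return progs, perf


if __name__ == "__main__":
    for prog_id, reason in find_suspicious(SAMPLE_PROGS, SAMPLE_PERF):
        print(f"prog {prog_id}: {reason}")
```

Run it as root with `load_live()` in place of the samples to inspect a real host. Two caveats: program and loader names are attacker-chosen, so the allowlist only reduces noise and never proves a program benign, and a rootkit that also hooks the `bpf()` syscall can lie to `bpftool` itself, so compare the result against an out-of-band view (a forensic boot medium, or audit records of `bpf()` calls collected before the suspected compromise).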

Infrastructure and Tactics for Obfuscation

The group uses a layered infrastructure: victim-facing servers hosted with legitimate VPS providers in the U.S., Singapore, and the UK, relay servers that obscure the true origin of traffic, and residential proxies or Tor for additional anonymity. C2 domains are crafted to blend in, for example by imitating the gouv naming used by French-speaking governments or by referencing popular culture, so a domain that merely looks official should not be trusted on appearance alone.

Defending Against the Shadow Campaigns

Unit 42 has released indicators of compromise (IoCs) to help organizations detect and block this activity. Beyond consuming the IoCs, the defensive priorities follow the attack chain described above: phishing awareness and attachment controls for the email-based intrusions, timely patching of the exposed products named above for the exploit-based intrusions, and endpoint detection and response (EDR) coverage, including visibility into loaded eBPF programs on Linux hosts, for post-compromise activity such as ShadowGuard.

FAQ

Q: What is TGR-STA-1030?
A: TGR-STA-1030 (also known as UNC6619) is a state-aligned cyber espionage group operating from Asia.

Q: What is the ‘Shadow Campaigns’ operation?
A: ‘Shadow Campaigns’ refers to the malicious activities carried out by TGR-STA-1030, targeting government and critical infrastructure organizations globally.

Q: Which countries have been targeted?
A: The group has conducted reconnaissance against 155 countries and compromised organizations in 37 countries across multiple continents.

Q: What tools does this group use?
A: The group uses a variety of tools, including phishing emails, exploits, Cobalt Strike, VShell, webshells (Behinder, Godzilla, Neo-reGeorg), tunneling tools, and a custom Linux rootkit called ShadowGuard.

Q: How can organizations protect themselves?
A: Organizations should implement robust security measures, including phishing awareness training, vulnerability management, EDR solutions, and utilize the IoCs provided by Unit 42.
