{
	"id": "ff1c04ff-6fa2-4372-8c69-fd09e599a9a5",
	"created_at": "2026-04-06T00:21:41.610955Z",
	"updated_at": "2026-04-10T03:32:46.15802Z",
	"deleted_at": null,
	"sha1_hash": "70c74bb1af2ec467700132b6d52e74538abdf0cf",
	"title": "The Shadow Campaigns: Uncovering Global Espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1801980,
	"plain_text": "The Shadow Campaigns: Uncovering Global Espionage\r\nBy Unit 42\r\nPublished: 2026-02-05 · Archived: 2026-04-05 18:01:52 UTC\r\nExecutive Summary\r\nThis investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the\r\ngroup’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned\r\ngroup that operates out of Asia. Over the past year, this group has compromised government and critical\r\ninfrastructure organizations across 37 countries. This means that approximately one out of every five countries has\r\nexperienced a critical breach from this group in the past year. Further, between November and December 2025, we\r\nobserved the group conducting active reconnaissance against government infrastructure associated with 155\r\ncountries.\r\nThis group primarily targets government ministries and departments. For example, the group has successfully\r\ncompromised:\r\nFive national-level law enforcement/border control entities\r\nThree ministries of finance and various other government ministries\r\nDepartments globally that align with economic, trade, natural resources and diplomatic functions\r\nGiven the scale of compromise and the significance of these organizations, we have notified impacted entities and\r\noffered them assistance through responsible disclosure protocols.\r\nHere we describe the technical sophistication of the actors, including the phishing and exploitation techniques,\r\ntooling and infrastructure used by the group. We provide defensive indicators to include infrastructure that is\r\nactive at the time of this publication. Further, we take an in-depth look at victimology by region with the intent\r\nof demonstrating the suspected motivations of the group. 
The results indicate that this group prioritizes efforts\r\nagainst countries that have established or are exploring certain economic partnerships.\r\nAdditionally, we have pre-shared these indicators with industry peers to ensure robust cross-industry defenses\r\nagainst this threat actor.\r\nPalo Alto Networks customers are better protected from the threats described in this article through products and\r\nservices, including:\r\nAdvanced URL Filtering and Advanced DNS Security\r\nAdvanced WildFire\r\nAdvanced Threat Prevention\r\nCortex XDR and XSIAM\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident\r\nResponse team.\r\nhttps://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/\r\nPage 1 of 21\n\nActor Introduction\r\nUnit 42 first identified TGR-STA-1030 (aka UNC6619) upon investigating a cluster of malicious phishing\r\ncampaigns (referred to here as the Shadow Campaigns) targeting European governments in early 2025. We use the\r\nprefix TGR-STA as a placeholder to denote a temporary group of state-aligned activity while we continue to refine\r\nattribution to a specific organization.\r\nSince our initial investigation, we have identified actor infrastructure dating as far back as January 2024,\r\nsuggesting that the group has been active for at least two years. Over the past year, we have monitored the\r\nevolution and expansion of the group as it has compromised:\r\nFive national-level law enforcement/border control entities\r\nThree ministries of finance and various other government ministries\r\nDepartments globally that align with economic, trade, natural resources and diplomatic functions\r\nWe assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. 
We base\r\nthis assessment on the following findings:\r\nFrequent use of regional tooling and services\r\nLanguage setting preferences\r\nTargeting and timing that routinely align with events and intelligence of interest to the region\r\nUpstream connections to operational infrastructure originating from the region\r\nActor activity routinely aligning with GMT+8\r\nAdditionally, we found that one of the attackers uses the handle “JackMa,” which could refer to the billionaire\r\nbusinessman and philanthropist who co-founded Alibaba Group and Yunfeng Capital.\r\nPhishing\r\nIn February 2025, Unit 42 investigated a cluster of malicious phishing campaigns targeting European\r\ngovernments. These campaigns followed a pattern of being sent to government email recipients with a lure of a\r\nministry or department reorganization and links to malicious files hosted on mega[.]nz. Figure 1 below shows an\r\nexample.\r\nFigure 1. Example phishing email (translated).\r\nClicking on the link downloads an archive file with language and naming that is consistent with the targeted\r\ncountry and ministry.\r\nWe assess that an Estonian government entity identified the campaign and uploaded one such ZIP archive to a\r\npublic malware repository. In this case, the Estonian filename was:\r\nPolitsei- ja Piirivalveameti organisatsiooni struktuuri muudatused.zip\r\nThis translates to Changes to the organizational structure of the Police and Border Guard Board.zip\r\nDiaoyu Loader\r\nAnalyzing the archive, we found that the contents were last modified on Feb. 14, 2025. Further, the archive itself\r\ncontains an executable file containing an identical name as the ZIP and a zero-byte file named pic1.png.\r\nReviewing the executable metadata, we found that the file version is presented as 2025,2,13,0, suggesting that the\r\nfile was likely created one day prior, on Feb. 13. 
This date also corresponds to the PE compile timestamp.\r\nAdditionally, the metadata shows that the file’s original name was DiaoYu.exe. The term Diaoyu translates to\r\nfishing, or phishing in a cybersecurity context.\r\nThe malware employs a dual-stage execution guardrail to thwart automated sandbox analysis. Beyond the\r\nhardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an\r\nenvironmental dependency check for a specific file (pic1.png) in its execution directory.\r\nIn this context, pic1.png acts as a file-based integrity check. If the malware sample is submitted to a sandbox in\r\nisolation, the absence of this auxiliary file causes the process to terminate gracefully before detonation, effectively\r\nmasking its malicious behavior. Only upon satisfying these prerequisites does the malware proceed to audit the\r\nhost for the following cybersecurity products:\r\nAvp.exe (Kaspersky)\r\nSentryEye.exe (Avira)\r\nEPSecurityService.exe (Bitdefender)\r\nSentinelUI.exe (SentinelOne)\r\nNortonSecurity.exe (Symantec)\r\nThis narrow selection of products is interesting, and it is unclear why the actor chose to only look for these\r\nspecific products. 
While various malware families commonly check for the presence of antivirus products,\r\nmalware authors typically include a more comprehensive list that encompasses a variety of global providers.\r\nAfter checking for these products, the malware downloads the following files from GitHub:\r\nhxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/admin-bar-sprite[.]png\r\nhxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/Linux[.]jpg\r\nhxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/Windows[.]jpg\r\nIt should be noted that the padeqav GitHub project is no longer available.\r\nFinally, the malware performs a series of actions on these files that ultimately result in the installation of a Cobalt\r\nStrike payload.\r\nExploitation\r\nIn addition to phishing campaigns, the group often couples exploitation attempts with their reconnaissance\r\nactivities to gain initial access to target networks. To date, we have not observed the group developing, testing or\r\ndeploying any zero-day exploits. 
However, we assess that the group is comfortable testing and deploying a wide\r\nrange of common tools, exploitation kits and proof-of-concept code for N-day exploits.\r\nFor example, over the past year, our Advanced Threat Prevention service has detected and blocked attempts by the\r\ngroup to exploit the following types of vulnerabilities:\r\nSAP Solution Manager privilege escalation vulnerability\r\nPivotal Spring Data Commons remote file read XXE vulnerability\r\nMicrosoft Open Management Infrastructure remote code execution vulnerability\r\nMicrosoft Exchange Server remote code execution vulnerability\r\nD-Link remote code execution vulnerability\r\nHTTP directory traversal request attempt\r\nHTTP SQL injection attempt\r\nStruts2 OGNL remote code execution vulnerability\r\nRuijieyi Networks remote command execution vulnerability\r\nEyou Email System remote command execution vulnerability\r\nBeijing Grandview Century eHR Software SQL injection vulnerability\r\nWeaver Ecology-OA remote code execution vulnerability\r\nMicrosoft Windows win.ini access attempt detected\r\nCommvault CommCell CVSearchService download file authentication bypass vulnerability\r\nZhiyuan OA remote code execution vulnerability\r\nOn one occasion, we observed the actor connecting to e-passport and e-visa services associated with a ministry of\r\nforeign affairs. Because the server for these services was configured with Atlassian Crowd software, the actor\r\nattempted to exploit CVE-2019-11580, uploading a payload named rce.jar. 
The code included in the payload was\r\nsimilar to the description of code from another analysis of CVE-2019-11580 provided by Anquanke.\r\nTooling\r\nWe assess that the group relies heavily on a mix of command-and-control (C2) frameworks and tools common to\r\nthe actors’ region to move laterally and maintain persistent access within compromised environments.\r\nC2 Frameworks\r\nFrom 2024 through early 2025, we observed the group commonly deploying Cobalt Strike payloads. However,\r\nover time the group slowly transitioned to VShell as its tool of choice.\r\nVShell is a Go-based C2 framework. The group often configures its web access on 5-digit ephemeral TCP ports\r\nusing ordered numbers. In November 2025, NVISO published comprehensive research [PDF] on the origins of\r\nthis tool, its features and its wide-scale use by multiple threat groups and actors.\r\nWithin the past year, we assess that the group has also leveraged frameworks like Havoc, SparkRat and Sliver\r\nwith varying degrees of success.\r\nWeb Shells\r\nTGR-STA-1030 has frequently deployed web shells on external-facing web servers as well as on internal web\r\nservers to maintain access and enable lateral movement. The three most common web shells used by the group are\r\nBehinder, Neo-reGeorg and Godzilla.\r\nFurther, we noted during one investigation that the group attempted to obfuscate its Godzilla web shells using\r\ncode from the Tas9er GitHub project. This project obfuscates code by creating functions and strings with names\r\nlike Baidu. It also adds explicit messages to governments.\r\nTunnels\r\nWe have observed the group leveraging GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX\r\nacross both their C2 infrastructure and compromised networks to tunnel desired network traffic.\r\nIntroducing ShadowGuard\r\nDuring an investigation, we identified the group using a new Linux kernel rootkit, ShadowGuard. 
The sample we\r\ndiscovered (SHA-256 hash\r\n7808B1E01EA790548B472026AC783C73A033BB90BBE548BF3006ABFBCB48C52D) is an Extended\r\nBerkeley Packet Filter (eBPF) rootkit designed for Linux systems. At this time, we assess that the use of this\r\nrootkit is unique to this group.\r\neBPF backdoors are notoriously difficult to detect because they operate entirely within the highly trusted kernel\r\nspace. eBPF programs do not appear as separate modules. Instead, they execute inside the kernel's BPF virtual\r\nmachine, making them inherently stealthy. This allows them to manipulate core system functions and audit logs\r\nbefore security tools or system monitoring applications can see the true data.\r\nThis backdoor leverages eBPF technology to provide the following kernel-level stealth capabilities:\r\nKernel-level concealment: It can conceal process information details directly at the kernel level.\r\nProcess hiding (syscall interception): The tool intercepts critical system calls, specifically using custom\r\nkill signals (entry and exit points) to identify which processes the attacker wants to hide.\r\nIt conceals specified process IDs (PIDs), making them invisible to standard user-space analysis\r\ntools like the standard Linux ps aux command\r\nIt can hide up to 32 processes simultaneously\r\nFile and directory hiding: It features a hard-coded check to specifically conceal directories and files\r\nnamed swsecret.\r\nAllow-listing: The backdoor includes an allow list mechanism where processes placed on the list are\r\ndeliberately excluded and remain unaffected by the hiding functionality.\r\nWhen started, the program will automatically check for the following:\r\nRoot privileges\r\neBPF support\r\nTracepoint support\r\nExample commands once ShadowGuard is started are shown below in Table 1.\r\nCommand | Overview\r\nkill -900 1234 | -900 = Add target PID (1234) to the allow list\r\nkill -901 1234 | -901 = Remove target PID (1234) from the allow list\r\ntouch swsecret_config.txt, mkdir swsecret_data | * Note: By default ShadowGuard hides/conceals any directories or files named swsecret. This could be a shortened, internal code name used by the rootkit's developers to tag their own files. Example: “Put all configuration and logs inside a directory named swsecret.”\r\nls -la | Files/directories beginning with swsecret should display as a dot . (i.e., it should be hidden)\r\nTable 1. Examples of commands for ShadowGuard.\r\nInfrastructure\r\nConsistent with any advanced actor conducting cyberespionage, this group goes to great lengths to mask and\r\nobfuscate the origin of its operations. However, despite all of its best efforts, it is exceptionally hard to overcome\r\nthe following two challenges:\r\n1. Network Traffic Inspection: It is widely known that several nations employ methods to censor and filter\r\ntraffic entering/exiting their respective countries. As such, it is extremely unlikely that foreign\r\ncyberespionage groups would willingly route their network traffic through any nation that employs these\r\ninspection capabilities.\r\n2. Network evolution: Maintaining infrastructure for cyberespionage operations is hard. It requires the routine\r\ncreation of new domains, virtual private servers (VPS) and network tunnels. Studying a group’s\r\ninfrastructure over time almost always reveals mistakes and errors where tunnels collapse or perhaps\r\nidentity protection services expire.\r\nNetwork Structure\r\nWe assess that the group applies a multi-tiered infrastructure approach to obfuscate its activities.\r\nVictim-Facing\r\nThe group routinely leases and configures its C2 servers on infrastructure owned by a variety of legitimate and\r\ncommonly known VPS providers. 
However, unlike most groups that configure their malicious infrastructure on\r\nbulletproof providers or in obscure locations, this group prefers to establish its infrastructure in countries that have\r\na strong rule of law.\r\nFor example, the group frequently chooses virtual servers in the U.S., UK and Singapore. We assess this\r\npreference in locations likely aids the group in three ways:\r\n1. Infrastructure may appear more legitimate to network defenders\r\n2. This could enable low-latency connections across the Americas, Europe and Southeast Asia\r\n3. These locations have separate laws, policies and priorities that govern the operations of their domestic law\r\nenforcement and foreign intelligence organizations. Thus, having infrastructure in these locations likely\r\nnecessitates cross-agency cooperation efforts for their governments to effectively investigate and track the\r\ngroup.\r\nRelays\r\nTo connect to the C2 infrastructure, the group leases additional VPS infrastructure that it uses to relay traffic\r\nthrough. These hosts are often configured with SSH on port 22 or a high-numbered ephemeral port. In some cases,\r\nwe have also observed hosts configured with RDP on port 3389.\r\nProxies\r\nOver time, the group has leveraged a variety of capabilities to anonymize its connections to the relay\r\ninfrastructure. In early 2025, we observed the group using infrastructure we associated with DataImpulse, a\r\ncompany that provides residential proxy services. Since then, we have observed the group using the Tor network\r\nand other proxy services.\r\nUpstream\r\nIn tracking upstream infrastructure, it is important to recognize that the primary goal of an espionage group is to\r\nsteal data. To accomplish that task, a group has to build a path from the compromised network back to a network it\r\ncan access. 
As such, the flow of data upstream typically correlates geographically to the group’s physical location.\r\nAs noted above, the act of maintaining all of this infrastructure and its associated connections is quite challenging.\r\nOn occasion, the group makes mistakes either because it forgets to establish a tunnel or because a tunnel collapses.\r\nWhen this happens, the group connects directly from its upstream infrastructure.\r\nOn several occasions, we have observed the group connecting directly to relay and victim-facing infrastructure\r\nfrom IP addresses belonging to Autonomous System (AS) 9808. These IP addresses are owned by an internet\r\nservice provider in the group’s region.\r\nDomains\r\nWe have identified several domains used by the group to facilitate malware C2 communications. Most were\r\nregistered with the following top-level domains:\r\nme\r\nlive\r\nhelp\r\ntech\r\nNoteworthy domains include:\r\ngouvn[.]me\r\nThe group used this domain to target Francophone countries that use gouv to denote government domains. While\r\nthe actor consistently pointed this domain name to leased victim-facing VPS infrastructure, we noted an anomaly\r\nin late 2024. While the domain never pointed to it, the actor appears to have copied an X.509 certificate with the\r\ncommon name gouvn[.]me from a victim-facing VPS to a Tencent server located in the actors’ region. Here it was\r\nvisible for four days in November 2024.\r\ndog3rj[.]tech\r\nThe group used this domain to target European nations. It’s possible that the domain name could be a reference to\r\n“DOGE Jr,” which has several meanings in a Western context, such as the U.S. Department of Government\r\nEfficiency or the name of a cryptocurrency. 
This domain was registered using an email address associated with the\r\ndomain 888910[.]xyz.\r\nzamstats[.]me\r\nThe group used this domain to target the Zambian government.\r\nGlobal Targeting Overview\r\nOver the course of the past year, the group has substantially increased its scanning and reconnaissance efforts. This\r\nshift follows the group's evolution from phishing emails to exploits for initial access. Most emblematic of this\r\nactivity, we observed the group scanning infrastructure across 155 countries between November and December\r\n2025, as noted in Figure 2.\r\nFigure 2. Countries targeted by TGR-STA-1030 reconnaissance between November and December\r\n2025.\r\nGiven the expansive nature of the activity, some analysts might wrongly assume that the group simply launches\r\nbroad scans across the entire IPv4 space from 1.1.1[.]1 to 255.255.255[.]255, but that is not the case. Based on our\r\nobservation, the group focuses its scanning narrowly on government infrastructure and specific targets of interest\r\nacross each country.\r\nThe group’s reconnaissance efforts shed light on its global interests. We have also observed the group's success at\r\ncompromising several government and critical infrastructure organizations globally. We assess that over the past\r\nyear, the group compromised at least 70 organizations across 37 countries, as shown in Figure 3. The attackers\r\nwere able to maintain access to several of the impacted entities for months.\r\nFigure 3. Locations of organizations impacted in 2025.\r\nImpacted organizations include ministries and departments of interior, foreign affairs, finance, trade, economy,\r\nimmigration, mining, justice and energy.\r\nThis group compromised one nation’s parliament and a senior elected official of another. 
It also compromised\r\nnational-level telecommunications companies and several national police and counter-terrorism organizations.\r\nWhile this group might be pursuing espionage objectives, its methods, targets and scale of operations are\r\nalarming, with potential long-term consequences for national security and key services.\r\nBy closely monitoring the timing of the group’s operations, we have drawn correlations between several of its\r\ncampaigns and real-world events. These correlations inform assessments as to the group’s potential motivations.\r\nThe following sections provide additional insights from notable situations by geographic region.\r\nAmericas\r\nDuring the U.S. government shutdown that began in October 2025, the group began to display greater interest in\r\norganizations and events occurring across North, Central and South American countries. Over that month, we\r\nobserved scanning of government infrastructure across Brazil, Canada, Dominican Republic, Guatemala,\r\nHonduras, Jamaica, Mexico, Panama and Trinidad and Tobago.\r\nPerhaps the most pronounced reconnaissance occurred on Oct. 31, 2025, when we observed connections to at least\r\n200 IP addresses hosting Government of Honduras infrastructure. The timing of this activity falls just 30 days\r\nprior to the national election, in which both candidates signaled openness to restoring diplomatic relations with\r\nTaiwan.\r\nIn addition to reconnaissance activities, we assess that the group likely compromised government entities across\r\nBolivia, Brazil, Mexico, Panama, and Venezuela, as noted in Figure 4.\r\nFigure 4. Location of impacted entities in the Americas.\r\nBolivia\r\nWe assess that the group likely compromised the network of a Bolivian entity associated with mining. 
The\r\nmotivation behind this activity could be associated with interest in rare earth minerals.\r\nWe find it noteworthy that the topic of mining rights became a central focus in Bolivia’s recent presidential\r\nelection. In late July 2025, candidate Jorge Quiroga pledged to scrap multi-billion-dollar mining deals that the\r\nBolivian government had previously signed with two nations.\r\nBrazil\r\nWe assess that the group compromised Brazil’s Ministry of Mines and Energy. Brazil is considered to have the\r\nsecond largest supply of rare earth mineral reserves in the world.\r\nAccording to public reporting, exports of these minerals tripled in the first half of 2025. As Asian companies\r\ntighten their global control on these resources, the U.S. has begun looking to Brazil for alternative sourcing.\r\nIn October, the U.S. Charge d'Affaires in Brazil held meetings with mining executives in the country. In early\r\nNovember, the U.S. International Development Finance Corporation invested $465 million in Serra Verde (a\r\nBrazilian rare earth producer). This has been seen as an effort to reduce reliance on Asia for these key minerals.\r\nMexico\r\nWe assess that the group compromised two of Mexico’s ministries. This activity is very likely associated with\r\ninternational trade agreements.\r\nOn Sept. 25, 2025, Mexico News Daily reported on an investigation into Mexico’s latest plans to impose tariffs on\r\ncertain goods. 
Coincidentally, malicious network traffic was first seen originating from networks belonging to\r\nMexico’s ministries within 24 hours of the trade probe announcement.\r\nPanama\r\nIn December 2025, a report stated that local authorities destroyed a monument, prompting immediate\r\ncondemnation from some leaders and calls for investigation.\r\nCoincidentally, around the same time, we assess that TGR-STA-1030 likely compromised government\r\ninfrastructure that may be associated with the investigation.\r\nVenezuela\r\nOn Jan. 3, 2026, the U.S. launched Operation Absolute Resolve. This operation resulted in the capture of the\r\nVenezuelan president and his wife. In the days that followed, TGR-STA-1030 conducted extensive reconnaissance\r\nactivities targeting at least 140 government-owned IP addresses.\r\nWe further assess that as early as Jan. 4, 2026, the group likely compromised an IP address that geolocates to a\r\nVenezolana de Industria Tecnológica facility, as seen in Figure 5. This organization was originally founded as a\r\njoint venture between the Venezuelan government and an Asian technology company. The venture enabled the\r\nproduction of computers as an early step toward deepening technology and economic ties between the two\r\nregions.\r\nFigure 5. Geolocation data for the compromised IP address.\r\nEurope\r\nThroughout 2025, TGR-STA-1030 increased its focus on European nations. In July 2025, it applied a concerted\r\nfocus toward Germany, where it initiated connections to over 490 IP addresses hosting government infrastructure.\r\nIn August 2025, Czech President Petr Pavel privately met with the Dalai Lama during a trip to India. 
In the weeks\r\nthat followed, we observed scanning of Czech government infrastructure, including:\r\nThe Army\r\nPolice\r\nParliament\r\nMinistries of Interior, Finance and Foreign Affairs\r\nIn early November, a Tibetan news source announced that the Czech president would also co-patronize the Dalai\r\nLama’s 90th birthday gala. Shortly after, we witnessed a second round of scanning focused narrowly on the Czech\r\npresident’s website.\r\nSeparately, in late August, the group applied a concerted focus on European Union infrastructure. We observed the\r\ngroup attempting to connect to over 600 IP addresses hosting *.europa[.]eu domains.\r\nIn addition to reconnaissance activities, we assess that the group likely compromised government entities in\r\ncountries across Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal and Serbia, as shown in Figure 6. In\r\ndoing so, the group compromised at least one ministry of finance where it sought to collect intelligence on\r\ninternational development from both the impacted country as well as the European Union.\r\nFigure 6. Location of impacted entities in Europe.\r\nCyprus\r\nWe assess that the group compromised government infrastructure in early 2025. The timing of this activity\r\ncoincided with efforts by an Asian nation to expand certain economic partnerships across Europe. At the time,\r\nCyprus was also taking preparatory steps toward assuming the presidency of the Council of the European Union at\r\nthe end of the year, a position that it currently holds.\r\nGreece\r\nWe assess that the group likely compromised infrastructure associated with the Syzefxis Project. 
This project was\r\nintended to modernize Greek public sector organizations using high-speed internet services.\r\nAsia and Oceania\r\nWhile the group performs scanning widely across both continents, TGR-STA-1030 appears to prioritize its\r\nreconnaissance efforts against countries in the South China Sea and Gulf of Thailand regions. We routinely\r\nobserve scanning of government infrastructure across Indonesia, Thailand and Vietnam. For example, in early\r\nNovember 2025, we observed connections to 31 IP addresses hosting Thai government infrastructure.\r\nAdditionally, it’s worth noting that the group's reconnaissance efforts often extend beyond connections to web-facing content on ports 80 and 443. In November 2025, we also observed the group attempting to initiate\r\nconnections to port 22 (SSH) on infrastructure belonging to:\r\nAustralia’s Treasury Department\r\nAfghanistan’s Ministry of Finance\r\nNepal’s Office of the Prime Minister and Council of Ministers\r\nIn addition to reconnaissance activities, we assess that the group likely compromised government and critical\r\ninfrastructure entities in countries including Afghanistan, Bangladesh, India, Indonesia, Japan, Malaysia,\r\nMongolia, Papua New Guinea, Saudi Arabia, Sri Lanka, South Korea, Taiwan, Thailand, Uzbekistan and Vietnam,\r\nas shown in Figure 7.\r\nFigure 7. Location of impacted entities in Asia and Oceania.\r\nIndonesia\r\nIn March 2024, Indonesia pledged to increase certain counterterrorism coordination efforts. In mid-2025, the\r\ngroup compromised an Indonesian law enforcement entity.\r\nWe assess that the group also compromised infrastructure associated with an Indonesian government official. This\r\nactivity might have been associated with the extraction of natural resources from Papua province. 
We found that\r\nthe official was tasked with overseeing development in the province and foreign investment in the mining sector.\r\nThe group also compromised an Indonesian airline. The compromised infrastructure geolocates to facilities at\r\nSoekarno-Hatta International Airport as shown in Figure 8. The airline had been in talks with a U.S. aerospace\r\nmanufacturer to purchase new aircraft as part of its strategic growth plans. At the same time, a competing interest\r\nwas actively promoting aircraft from a manufacturer based in Southeast Asia.\r\nFigure 8. Geolocation data for the compromised IP address.\r\nMalaysia\r\nWe assess that the group compromised multiple Malaysian government departments and ministries. Using this\r\naccess, the group sought to extract immigration and economic intelligence data.\r\nAdditionally, we assess that the group compromised a large private financial entity in Malaysia that provides\r\nmicroloans in support of low-income households and small businesses.\r\nMongolia\r\nThe group compromised a Mongolian law enforcement entity on Sept. 15, 2025. Shortly after, Mongolia’s\r\nMinister of Justice and Internal Affairs met with a counterpart from an Asian nation. Following the meeting, both\r\ncountries signaled an intent to expand cooperation to combat transnational crime.\r\nGiven the timing, we assess that this activity was likely associated with intelligence gathering in support of the\r\ninitial meeting and ongoing cooperation discussions.\r\nTaiwan\r\nIn early 2025, the group compromised a major supplier in Taiwan's power equipment industry. With this access,\r\nwe believe the group was able to access business files and directories pertaining to power generation projects\r\n
We further assess that in mid-December 2025, the group regained access to this network.\r\nThailand\r\nWe assess that on Nov. 5, 2025, the group compromised a Thai government department where it likely sought\r\neconomic and international trade intelligence. The timing of this activity overlaps with the government’s effort to\r\nexpand diplomatic relations with neighboring nations. As such, we assess the activity was likely intelligence\r\ngathering in support of the visit and future cooperation discussions.\r\nAfrica\r\nIt is our observation that when it comes to African nations, the group's focus remains split between military\r\ninterests and the advancement of economic interests, specifically mining efforts.\r\nWe assess that the group likely compromised government and critical infrastructure entities in countries across the\r\nDemocratic Republic of the Congo, Djibouti, Ethiopia, Namibia, Niger, Nigeria and Zambia, as shown in Figure\r\n9:\r\nFigure 9. Location of impacted entities in Africa.\r\nDemocratic Republic of the Congo (DRC)\r\nWe assess that in December 2025, the group compromised a government ministry in this country. We found that\r\nearlier in the year, an Asian mining firm was responsible for an acid spill that caused significant impacts to a river\r\nin neighboring Zambia. In November 2025, a second spill by another Asian company impacted the waterways\r\naround Lubumbashi, the second-largest city in the DRC. This event prompted authorities to suspend mining\r\noperations for a subsidiary of the Zhejiang Huayou Cobalt Co. Given the timing and the group's unique focus on\r\nmining operations, we assess that activity could be related to this mining situation.\r\nDjibouti\r\nSeveral nations maintain military bases in Djibouti. 
These bases enable combating piracy on the high seas as well\r\nas other regional logistics and defense functions across the Arabian Sea, Persian Gulf and Indian Ocean.\r\nIn mid-November, a new Naval Escort Group from one of the nations assumed responsibilities in the region.\r\nDuring its operational debut, the group escorted a Panamanian-registered bulk carrier called the Nasco Gem that\r\ncarries cargo such as coal and ore. In the context of cyber activity, this could be related to the targeting of mining\r\nsectors we observed from TGR-STA-1030.\r\nWe assess that in late October 2025, the group gained access to a Djibouti government network. Given the timing\r\nof the activity, we believe it might be associated with intelligence collection in support of the naval handover\r\noperations.\r\nZambia\r\nWe assess that the group compromised a Zambian government network in 2025. This activity is likely associated\r\nwith the Sino-Metals Leach Zambia situation.\r\nIn February, a dam that held waste from an Asian mining operation collapsed and polluted a major river with\r\ncyanide and arsenic. The situation and associated clean-up efforts remain a political point of contention.\r\nConclusion\r\nTGR-STA-1030 remains an active threat to government and critical infrastructure worldwide. The group primarily\r\ntargets government ministries and departments for espionage purposes. We assess that it prioritizes efforts against\r\ncountries that have established or are exploring certain economic partnerships.\r\nOver the past year, this group has compromised government and critical infrastructure organizations across 37\r\ncountries. 
Given the scale of compromise and the significance of the impacted government entities, we are\r\nworking with industry peers and government partners to raise awareness of the threat and disrupt this activity.\r\nWe encourage network defenders and security researchers to leverage the indicators of compromise (IoCs)\r\nprovided below to investigate and deploy defenses against this group.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts and services:\r\nAdvanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with\r\nthis activity as malicious.\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the indicators shared in this research.\r\nAdvanced Threat Prevention is designed to defend networks against both commodity threats and targeted\r\nthreats.\r\nCortex XDR and XSIAM help to protect against the threats described in this blog, by employing the\r\nMalware Prevention Engine. This approach combines several layers of protection, including Advanced\r\nWildFire, Behavioral Threat Protection and the Local Analysis module, designed to prevent both known\r\nand unknown malware from causing harm to endpoints.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 000 800 050 45107\r\nSouth Korea: +82.080.467.8774\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. 
CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nIP Addresses\r\n138.197.44[.]208\r\n142.91.105[.]172\r\n146.190.152[.]219\r\n157.230.34[.]45\r\n157.245.194[.]54\r\n159.65.156[.]200\r\n159.203.164[.]101\r\n178.128.60[.]22\r\n178.128.109[.]37\r\n188.127.251[.]171\r\n188.166.210[.]146\r\n208.85.21[.]30\r\nDomains\r\nabwxjp5[.]me\r\nbrackusi0n[.]live\r\ndog3rj[.]tech\r\nemezonhe[.]me\r\ngouvn[.]me\r\nmsonline[.]help\r\npickupweb[.]me\r\npr0fu5a[.]me\r\nq74vn[.]live\r\nservgate[.]me\r\nzamstats[.]me\r\nzrheblirsy[.]me\r\nPhishing/Downloader SHA256\r\n66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0\r\n23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe\r\nCobalt Strike SHA256\r\n5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe\r\n358ca77ccc4a979ed3337aad3a8ff7228da8246eebc69e64189f930b325daf6a\r\n293821e049387d48397454d39233a5a67d0ae06d59b7e5474e8ae557b0fc5b06\r\nc876e6c074333d700adf6b4397d9303860de17b01baa27c0fa5135e2692d3d6f\r\nb2a6c8382ec37ef15637578c6695cb35138ceab42ce4629b025fa4f04015eaf2\r\n5ddeff4028ec407ffdaa6c503dd4f82fa294799d284b986e1f4181f49d18c9f3\r\n182a427cc9ec22ed22438126a48f1a6cd84bf90fddb6517973bcb0bac58c4231\r\nShadowGuard SHA256\r\n7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d\r\nCVE-2019-11580 Exploit SHA256\r\n9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4\r\nUpdated Feb. 5, 2026, at 7:40 a.m. 
PT to add Cortex product protections language.\r\nSource: https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/"
	],
	"report_names": [
		"shadow-campaigns-uncovering-global-espionage"
	],
	"threat_actors": [
		{
			"id": "e7572efb-2549-4723-8635-81a516a15608",
			"created_at": "2026-02-11T02:00:03.94104Z",
			"updated_at": "2026-04-10T02:00:03.967978Z",
			"deleted_at": null,
			"main_name": "UNC6619",
			"aliases": [
				"TGR-STA-1030",
				"Shadow Campaigns"
			],
			"source_name": "MISPGALAXY:UNC6619",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70c74bb1af2ec467700132b6d52e74538abdf0cf.pdf",
		"text": "https://archive.orkl.eu/70c74bb1af2ec467700132b6d52e74538abdf0cf.txt",
		"img": "https://archive.orkl.eu/70c74bb1af2ec467700132b6d52e74538abdf0cf.jpg"
	}
}