Massive Espionage Campaign Uncovered
Palo Alto Networks Unit 42 has disclosed one of the most far-reaching cyberespionage operations in recent memory. A state-aligned threat actor tracked as TGR-STA-1030 (also designated UNC6619) conducted reconnaissance against targets in 155 countries between November and December 2025, successfully compromising 70+ government and critical infrastructure organizations across 37 countries.
The campaign, dubbed "Shadow Campaigns," represents a significant escalation in state-sponsored cyber operations, with targets spanning government ministries, law enforcement agencies, energy infrastructure, and diplomatic services worldwide.
Targets and Scope
Confirmed Compromised Entities
The operation targeted organizations of strategic, economic, and political intelligence value:
| Region | Targets |
|---|---|
| Americas | Brazil's Ministry of Mines and Energy, multiple Mexican ministries |
| Asia-Pacific | Taiwan power equipment suppliers, Malaysian government departments, Indonesian airline, Mongolian law enforcement |
| Europe | Czech, German, Italian, Polish, and Serbian government entities |
| Africa | Critical infrastructure in DRC, Djibouti, Ethiopia, Namibia, Niger, Nigeria, and Zambia |
| Oceania | Australian Treasury Department (connection attempts detected) |
Primary Sectors Targeted
- Government ministries and parliaments
- Law enforcement and border control agencies
- Finance, trade, and diplomatic services
- Energy and mining entities
- Immigration authorities
Unit 42 noted a surge in reconnaissance activity against Americas-based targets during the October 2025 U.S. government shutdown, and 200+ IP scans against Honduran infrastructure 30 days before national elections, suggesting the group times operations around periods of reduced oversight.
Attack Techniques and Tooling
Initial Access
The group deployed tailored phishing emails referencing internal organizational changes, delivering malicious archives via Mega.nz containing a custom loader named Diaoyu. The actor also exploited at least 15 known vulnerabilities across SAP Solution Manager, Microsoft Exchange, D-Link devices, and Windows systems.
Custom Malware Arsenal
| Tool | Function |
|---|---|
| Diaoyu loader | Fetches Cobalt Strike payloads and VShell C2 agents |
| ShadowGuard | Custom Linux eBPF rootkit capable of hiding up to 32 PIDs and concealing files containing "swsecret" at the kernel level |
| Behinder / Godzilla | Webshells for persistent access |
| Neo-reGeorg | Tunnel proxy for pivoting through compromised infrastructure |
| GOST / FRPS / IOX | Network tunneling and port forwarding tools |
Evasion Techniques
The group demonstrated sophisticated anti-analysis capabilities:
- Checks for 1440+ pixel horizontal screen resolution before executing payloads (filtering out analyst VMs)
- Requires presence of a zero-byte file (pic1.png) before the Diaoyu loader activates
- Detects and avoids Kaspersky, Avira, Bitdefender, SentinelOne, and Norton security products
- ShadowGuard operates at the kernel level via eBPF, making detection exceptionally difficult
The use of eBPF rootkits represents a concerning evolution in tradecraft. These kernel-level implants can intercept and manipulate system calls while remaining invisible to standard security tooling.
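One way to act on this, as an added example that is not Unit 42's or ShadowGuard's code: triage the JSON that `bpftool prog show -j` prints on a Linux host and surface hook-type programs that either have no owning process or whose loader carries a kernel-thread name. The sample JSON is constructed, and the `pids` field is assumed to be present on kernels with BPF iterator support (older kernels omit it, and the script then treats ownership as unknown).

```python
# Added example (not Unit 42 or ShadowGuard code): triage `bpftool prog show -j`
# output for programs a Linux eBPF rootkit would plausibly be. The JSON below is
# constructed; the "pids" field is assumed to be present on kernels with BPF
# iterator support (it is absent on older kernels, and then treated as unknown).
import json
import re

# Program types that can observe or tamper with syscalls and kernel functions.
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "lsm", "tracing"}
# Kernel threads never issue the bpf() syscall, so an "owner" carrying a kernel
# thread name is a userspace process masquerading as one.
KTHREAD_NAME = re.compile(r"^(kworker|kthreadd|ksoftirqd|migration|rcu_)")

SAMPLE_BPFTOOL_JSON = """[
 {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "gpl_compatible": true,
  "loaded_at": 1764662400, "uid": 0, "map_ids": [], "pids": [{"pid": 1, "comm": "systemd"}]},
 {"id": 87, "type": "tracepoint", "name": "handle_getdents", "gpl_compatible": true,
  "loaded_at": 1764748800, "uid": 0, "map_ids": [5, 6], "pids": []},
 {"id": 90, "type": "kprobe", "name": "hide_pid", "gpl_compatible": true,
  "loaded_at": 1764748801, "uid": 0, "map_ids": [5], "pids": [{"pid": 4321, "comm": "kworker/u8:3"}]},
 {"id": 95, "type": "kprobe", "name": "trace_open", "gpl_compatible": true,
  "loaded_at": 1764748900, "uid": 0, "map_ids": [9], "pids": [{"pid": 2210, "comm": "bpftrace"}]}
]"""

def triage_programs(bpftool_json: str) -> list[tuple[int, str]]:
    """Return (program id, reason) for hook-type programs that warrant review."""
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOK_TYPES:
            continue                                  # e.g. systemd's cgroup filters
        owners = prog.get("pids")                     # None on kernels without iterators
        if owners is None:
            continue                                  # unknown, not evidence either way
        if not owners:
            findings.append((prog["id"], "hook program with no owning process (pinned or orphaned)"))
            continue
        for o in owners:
            if KTHREAD_NAME.match(o.get("comm", "")):
                findings.append((prog["id"], f"loader pid {o['pid']} masquerades as kernel thread {o['comm']!r}"))
                break
    return findings

if __name__ == "__main__":
    for prog_id, reason in triage_programs(SAMPLE_BPFTOOL_JSON):
        print(f"bpf prog id {prog_id}: {reason}")
```

A real run feeds the live output of `bpftool prog show -j` (run as root) into `triage_programs`; each finding is a starting point for inspection, not proof of compromise.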
Attribution and Infrastructure
Unit 42 attributes the operation to an Asia-based state-aligned group with high confidence. Key attribution indicators include:
- C2 domains mimicking target-region naming conventions (.gouv extensions for French-speaking targets)
- Infrastructure hosted across U.S., Singapore, and UK VPS providers
- Use of residential proxies and Tor for traffic anonymization
- A notable domain registration (dog3rj.tech) possibly referencing DOGE
The group has been active since at least January 2024, though the Shadow Campaigns surge peaked in late 2025.
Defensive Recommendations
Immediate Actions
- Review IOCs from Unit 42's report: block identified domains, IPs, and file hashes across perimeter and endpoint defenses
- Patch the 15+ exploited vulnerabilities: prioritize SAP Solution Manager, Microsoft Exchange, D-Link, and Windows systems
- Hunt for eBPF-based rootkits: standard endpoint detection tools may miss ShadowGuard; use kernel-level inspection tools
- Monitor Mega.nz traffic: unusual downloads from Mega.nz may indicate Diaoyu loader delivery
Detection Focus Areas
- Look for Cobalt Strike and VShell C2 beaconing patterns
- Monitor for Behinder and Godzilla webshell indicators
- Flag GOST, FRPS, and IOX tunneling activity in network logs
- Investigate anomalous eBPF program loading on Linux systems
- Review DNS logs for domains mimicking government TLDs
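The last focus area, the lookalike government domains, as an added detection example that is not part of the Unit 42 report: scan DNS query logs for names that carry a government-style label (gouv, gov, gob, ministere, ministry) without sitting under a legitimate government domain. The log lines and the allow-list of legitimate suffixes are constructed and would need extending for your own regions.

```python
# Added example (not from the Unit 42 report or its tooling): scan DNS logs for
# query names that imitate government naming conventions without sitting under
# a real government domain. The log lines and the allow-list are constructed.
import re

# Legitimate government second-level domains (assumption: extend for your regions).
LEGIT_GOV_SUFFIXES = {"gouv.fr", "gov.uk", "gov.au", "gob.mx", "gov.br", "gouv.ci"}
EXACT_TOKENS = {"gov", "gob"}                       # whole hyphen-separated part
PREFIX_TOKENS = ("gouv", "ministere", "ministry")   # part begins with this

# Constructed log in a "timestamp client qname qtype" layout.
SAMPLE_LOG = """\
2025-12-02T08:01:11Z 10.0.4.17 impots.gouv.fr A
2025-12-02T08:01:12Z 10.0.4.17 mail.gouv-diplomatie.tech A
2025-12-02T08:01:13Z 10.0.4.21 update.gouv.example.net A
2025-12-02T08:01:14Z 10.0.4.21 www.gov.uk A
2025-12-02T08:01:15Z 10.0.4.33 ministere-interieur.com A
2025-12-02T08:01:16Z 10.0.4.33 cdn.ministryfinance.xyz A
2025-12-02T08:01:17Z 10.0.4.33 governance.example.org A
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def is_legit_gov(qname: str) -> bool:
    """True when the name is an allow-listed suffix itself or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in LEGIT_GOV_SUFFIXES)

def is_gov_lookalike(qname: str) -> bool:
    """Flag names that carry a government token outside an allow-listed suffix."""
    q = qname.lower().rstrip(".")
    if is_legit_gov(q):
        return False
    for label in q.split(".")[:-1]:                 # skip the TLD itself
        for part in label.split("-"):
            if part in EXACT_TOKENS or part.startswith(PREFIX_TOKENS):
                return True
    return False

def scan_dns_log(text: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose query name looks like a lookalike."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                # skip malformed lines
        _ts, client, qname, _qtype = m.groups()
        if is_gov_lookalike(qname):
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"lookalike government domain queried by {client}: {qname}")
```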
Strategic Measures
- Government and critical infrastructure organizations in targeted regions should assume potential compromise and conduct thorough threat hunts
- Implement network segmentation to limit lateral movement
- Deploy behavioral analytics to detect living-off-the-land techniques
Sources
- BleepingComputer - State actor targets 155 countries in 'Shadow Campaigns' espionage op
- The Hacker News - Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities
- Palo Alto Networks Unit 42 Threat Research