PROBABLYPWNED
Threat Intelligence | February 7, 2026 | 5 min read

Shadow Campaigns: Spies Breach 70 Orgs in 37 Nations

Asia-based APT TGR-STA-1030 compromised 70+ government and critical infrastructure targets across 37 countries using eBPF rootkits and Cobalt Strike.

Alex Kowalski

A state-backed espionage group operating out of Asia broke into at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new research from Palo Alto Networks' Unit 42 division. The group, tracked as TGR-STA-1030 (also referenced as UNC6619), conducted reconnaissance against government networks in 155 countries between November and December 2025—making it one of the broadest espionage operations documented in recent years.

"When we look at the scale here, we're making an argument that this is probably the most widespread and significant compromise of global government infrastructure by a state-sponsored group since SolarWinds," Unit 42 leadership told The Record.

Who Got Hit

The confirmed victims span five continents. Brazil's Ministry of Mines and Energy, multiple Mexican ministries, Malaysian government departments, and Australia's Treasury Department all appear on the list. In Europe, targets included government systems in Germany, Greece, Italy, Poland, and Serbia. African nations hit include the Democratic Republic of Congo, Ethiopia, Nigeria, and Zambia. Afghanistan's Ministry of Finance and Nepal's Office of the Prime Minister were also compromised.

The attackers focused on agencies handling trade policy, border control, law enforcement, energy, mining, immigration, and diplomatic functions. At least five national police or border control agencies were breached, along with one nation's parliament and a senior elected official. A Taiwanese power equipment supplier was compromised too—an interesting target given the geopolitical context.

CISA confirmed to reporters that it is tracking TGR-STA-1030. The FBI has not commented publicly, which is a familiar pattern we've seen in other state-sponsored operations tracked by CISA.

How the Attacks Worked

TGR-STA-1030 used two main entry points. The first was tailored phishing emails—fake ministry reorganization notices with malicious ZIP archives hosted on Mega.nz. The archives contained a custom loader called DiaoYu (a Chinese term for "fishing") that runs several anti-analysis checks before deploying Cobalt Strike beacons.

DiaoYu's guardrails are surprisingly specific. It checks that the victim's screen resolution is at least 1,440 pixels wide, verifies the existence of a zero-byte PNG file named "pic1.png," and scans the Windows registry for security products including Kaspersky, Bitdefender, SentinelOne, and Norton. If any check fails, execution stops.

The second entry method involved exploiting over 15 known vulnerabilities. CVE-2019-11580 in Atlassian Crowd was a favored target, along with flaws in SAP Solution Manager, Microsoft Exchange, and D-Link devices. This mix of phishing and vulnerability exploitation mirrors the playbook used by groups like DKnife, which Talos recently exposed targeting routers with ShadowPad.

ShadowGuard: A Kernel-Level Rootkit

The standout tool in TGR-STA-1030's arsenal is ShadowGuard, a custom Linux rootkit built on eBPF—the same kernel-level technology that powers modern network monitoring tools. By operating inside the kernel's BPF virtual machine, ShadowGuard can hide up to 32 processes simultaneously, conceal files and directories containing the string "swsecret," and tamper with audit logs at the kernel level.

"eBPF backdoors are notoriously difficult to detect because they operate entirely within the highly trusted kernel space," Unit 42 researchers wrote. Operators control it through kill signals: sending signal -900 adds a process ID to the hidden allow-list, while -901 removes it. The rootkit requires root access and eBPF/tracepoint support—conditions met on most modern Linux servers.
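One defensive check that follows from the hiding behaviour described above, added here as an example and not taken from Unit 42's or the rootkit's code: a process hidden from directory listings of /proc still exists in the kernel, so probing PIDs with kill(pid, 0) and comparing the answers against what a normal listing shows exposes the gap. The script assumes a Linux host and reads the PID ceiling from /proc/sys/kernel/pid_max; thread IDs are folded into the visible set because the kernel also answers the probe for non-leader threads.

```python
"""Spot processes that are alive but absent from /proc listings.

Added example for this article; it is not Unit 42's or ShadowGuard's
code. It uses a property that readdir-hooking rootkits cannot easily
remove: a hidden process disappears from the directory listing of
/proc, yet the kernel still answers kill(pid, 0) for it. Assumes a
Linux host; the PID ceiling is read from /proc/sys/kernel/pid_max.
"""
import os
from typing import Callable, Iterable, Set


def visible_ids(proc_root: str = "/proc") -> Set[int]:
    """PIDs and thread IDs that a normal directory walk of /proc reveals.

    Thread IDs are included because kill(tid, 0) also succeeds for a
    non-leader thread; without them every thread of every multithreaded
    process would be reported as hidden.
    """
    ids: Set[int] = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(os.path.join(proc_root, name, "task")))
        except OSError:
            pass  # process exited between the two listings
    return ids


def pid_is_alive(pid: int) -> bool:
    """Probe with signal 0: nothing is delivered, only existence is checked."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:    # EPERM: exists, owned by another user
        return True
    except ProcessLookupError:  # ESRCH: no such process
        return False


def find_hidden_pids(candidates: Iterable[int],
                     alive: Callable[[int], bool],
                     snapshot: Callable[[], Set[int]]) -> Set[int]:
    """Return IDs that answer the probe but appear in neither snapshot.

    Snapshots are taken before and after the probe loop so a process
    that merely started or exited during the scan is not misreported.
    """
    before = snapshot()
    suspects = {pid for pid in candidates if pid not in before and alive(pid)}
    after = snapshot()
    return suspects - after


def scan_host(proc_root: str = "/proc") -> Set[int]:
    """Run the check against the live host and return suspect IDs."""
    with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
        pid_max = int(fh.read())
    me = os.getpid()
    candidates = (pid for pid in range(1, pid_max + 1) if pid != me)
    return find_hidden_pids(candidates, pid_is_alive, lambda: visible_ids(proc_root))


if __name__ == "__main__":
    hidden = scan_host()
    print("suspect hidden IDs:", sorted(hidden) or "none")
```

Run it as root so EPERM does not mask anything, and expect a few seconds on hosts where pid_max is the modern default of 4194304. A non-empty result is a lead, not a verdict: confirm it from a second vantage point (a rescue boot or a memory image), since a rootkit that also hooks the kill syscall path could in principle lie to the probe as well.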

Beyond ShadowGuard, the group deployed a familiar stack of post-exploitation tools: VShell (a Go-based C2 framework), Havoc, Sliver, and web shells including Behinder, Godzilla, and Neo-reGeorg. Tunneling tools like GOST, FRPS, and IOX helped them move laterally through networks. The approach shows overlap with the Lotus Blossom backdoor techniques that Rapid7 documented last week, where Asian APTs similarly layered commodity tools with custom implants.

Timing Tied to Geopolitical Events

The campaign's tempo tracked real-world events in ways that strongly suggest state direction. During the October 2025 U.S. government shutdown, targeting of organizations in the Americas spiked. Before Honduras's November 2025 elections—relevant because Honduras is one of the few countries still recognizing Taiwan diplomatically—reconnaissance covered over 200 IP addresses in Honduran government infrastructure. In July 2025, operators scanned more than 490 IP addresses belonging to German government systems. European Union targeting hit 600+ IP addresses hosting *.europa.eu domains.

One curious detail: a C2 domain registered as "dog3rj[.]tech" may reference either a cryptocurrency project or the U.S. Department of Government Efficiency. Attacker infrastructure also used localized domain extensions—.gouv for French-speaking targets—and routed traffic through U.S., Singapore, and UK VPS providers alongside residential proxies and Tor relays.

What Organizations Should Do

Unit 42 published a full set of indicators of compromise, including 12 IP addresses and multiple domain names tied to the group's infrastructure. Organizations in targeted sectors—especially government agencies handling trade, immigration, energy, or diplomatic functions—should cross-reference these IOCs against their network logs.
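The cross-referencing step above is simple in principle but has two practical snags: published indicators are usually defanged ("203.0.113[.]7", "hxxps://"), and a domain indicator should also match its subdomains. The following script is an added example, not Unit 42's tooling; its IOC feed and log lines are constructed placeholders (RFC 5737 test addresses and .example domains), and a real run would load the published indicator list in their place.

```python
"""Cross-reference network log lines against a threat-intel IOC list.

Added example for this article; the IOC values are constructed
placeholders (RFC 5737 test addresses, .example domains), not the
indicators Unit 42 published, and the log lines are constructed too.
"""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

IOC_FEED = [  # constructed placeholders in the defanged style of a report
    "198.51.100[.]23",
    "203.0.113[.]7",
    "c2-placeholder[.]example",
    "hxxps://files-placeholder[.]example/notice.zip",
]

SAMPLE_LOGS = [  # constructed proxy/DNS lines
    "2026-02-07T10:15:02Z proxy src=10.0.4.12 dst=198.51.100.23 host=update.c2-placeholder.example method=GET",
    "2026-02-07T10:15:09Z dns query=intranet.corp.example type=A client=10.0.4.33",
    "2026-02-07T10:16:44Z proxy src=10.0.4.12 dst=192.0.2.55 host=cdn.example method=GET",
    "2026-02-07T10:17:01Z dns query=files-placeholder.example type=A client=10.0.4.12",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(ioc: str) -> str:
    """Undo the common defanging conventions used in published IOC lists."""
    s = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        s = s.replace(broken, fixed)
    return re.sub(r"^hxxp", "http", s)


def load_iocs(feed: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split a feed into IP indicators and domain indicators."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for raw in feed:
        v = refang(raw)
        if "://" in v:  # keep only the host part of a URL indicator
            v = v.split("://", 1)[1].split("/", 1)[0]
        if v.count(":") == 1:  # strip host:port (IPv4 and hostnames only)
            v = v.split(":", 1)[0]
        try:
            ips.add(str(ipaddress.ip_address(v)))
        except ValueError:
            domains.add(v.strip("."))
    return ips, domains


def matches_in_line(line: str, ips: Set[str], domains: Set[str]) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    for ip in IPV4_RE.findall(line):
        if ip in ips:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        h = host.lower()
        for d in domains:  # exact match or any subdomain of the indicator
            if h == d or h.endswith("." + d):
                hits.append(("domain", d))
                break
    return hits


def scan_logs(lines: Iterable[str], ips: Set[str], domains: Set[str]):
    """Return (line_index, line, hits) for every line with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = matches_in_line(line, ips, domains)
        if hits:
            out.append((i, line, hits))
    return out


if __name__ == "__main__":
    ip_set, dom_set = load_iocs(IOC_FEED)
    for idx, line, hits in scan_logs(SAMPLE_LOGS, ip_set, dom_set):
        print(f"line {idx}: {hits}")
```

Suffix matching is what catches "update.c2-placeholder.example" from a bare domain indicator; a plain substring search would also match it but would false-positive on unrelated names that merely contain the string. Feeds that include URLs are reduced to their host, since the path component changes far more often than the infrastructure behind it.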

Patching the N-day vulnerabilities TGR-STA-1030 exploits would have blocked the second attack vector entirely. Some of these flaws, like CVE-2019-11580, are nearly seven years old. CISA's recent binding directive on replacing vulnerable edge devices is directly relevant here—the kinds of appliances TGR-STA-1030 targets are exactly the ones that directive addresses.

For Linux servers, security teams should audit for unexpected eBPF programs using bpftool prog list and look for files or directories whose names contain the "swsecret" string the rootkit uses as its hiding marker. Because ShadowGuard conceals those names on a live host, that second check is most reliable from a rescue boot or a forensic disk image. Organizations tracking threat intelligence should check our latest hacking news coverage for updates as CISA and international partners respond to these findings.
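The bpftool audit is easier to repeat across a fleet when the JSON form of the listing is triaged by script rather than read by eye. The example below is added here and is not a Unit 42 or vendor tool; it assumes bpftool's JSON schema for `bpftool prog show -j` (a list of objects with "id", "type", "name", "uid", "loaded_at" and, on kernels that expose it, "pids" naming the processes holding each program), treats KNOWN_LOADERS as an assumed allow-list to tune per environment, and parses a constructed sample rather than a real capture.

```python
"""Triage the JSON output of `bpftool prog show -j` for tracing programs.

Added example for this article, not a Unit 42 or vendor tool. Assumes
bpftool's JSON schema; KNOWN_LOADERS is an assumed allow-list and the
sample below is constructed, not a capture from a compromised host.
"""
import json
import subprocess
from typing import Dict, List

# Program types that can observe or alter syscalls, file listings and audit paths.
TRACING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm", "perf_event"}

# Assumed allow-list of tools an organisation deliberately runs (tune per fleet).
KNOWN_LOADERS = {"systemd", "falco", "tetragon", "bpftrace", "cilium-agent"}

SAMPLE_BPFTOOL_JSON = """[
  {"id": 12, "type": "cgroup_skb", "name": "sd_fw_ingress", "tag": "0000000000000001",
   "gpl_compatible": true, "loaded_at": 1770000000, "uid": 0, "bytes_xlated": 64,
   "jited": true, "bytes_jited": 54, "map_ids": [], "pids": [{"pid": 1, "comm": "systemd"}]},
  {"id": 40, "type": "tracepoint", "name": "tp_sys_enter", "tag": "0000000000000002",
   "gpl_compatible": true, "loaded_at": 1770003600, "uid": 0, "bytes_xlated": 912,
   "jited": true, "bytes_jited": 640, "map_ids": [7], "pids": [{"pid": 4411, "comm": "loader"}]},
  {"id": 41, "type": "kprobe", "name": "probe_open", "tag": "0000000000000003",
   "gpl_compatible": true, "loaded_at": 1770000100, "uid": 0, "bytes_xlated": 480,
   "jited": true, "bytes_jited": 300, "map_ids": [3], "pids": [{"pid": 2211, "comm": "falco"}]},
  {"id": 55, "type": "tracepoint", "name": "", "tag": "0000000000000004",
   "gpl_compatible": true, "loaded_at": 1770003700, "uid": 0, "bytes_xlated": 1200,
   "jited": true, "bytes_jited": 900, "map_ids": [7]}
]"""


def triage(progs: List[Dict]) -> List[Dict]:
    """Flag tracing-type programs that an operator did not knowingly load."""
    findings = []
    for p in progs:
        if p.get("type") not in TRACING_TYPES:
            continue
        owners = {o.get("comm", "") for o in p.get("pids", [])}
        reasons = []
        if not owners:
            reasons.append("no owning process (pinned in bpffs or held by a BPF link)")
        elif not owners & KNOWN_LOADERS:
            reasons.append("loaded by unrecognised process: " + ", ".join(sorted(owners)))
        if not p.get("name"):
            reasons.append("anonymous program")
        if reasons:
            findings.append({"id": p["id"], "type": p["type"], "name": p.get("name", ""),
                             "map_ids": p.get("map_ids", []), "reasons": reasons})
    return findings


def triage_json(text: str) -> List[Dict]:
    """Parse bpftool's -j output and triage it."""
    return triage(json.loads(text))


def run_bpftool() -> List[Dict]:
    """Collect the live program list (needs root or CAP_BPF)."""
    out = subprocess.run(["bpftool", "prog", "show", "-j"], check=True,
                         capture_output=True, text=True).stdout
    return triage(json.loads(out))


if __name__ == "__main__":
    for f in triage_json(SAMPLE_BPFTOOL_JSON):
        print(f"prog {f['id']} ({f['type']}, name={f['name'] or '<none>'}): "
              f"{'; '.join(f['reasons'])}")
```

Two findings come out of the sample: program 40 because nothing on the allow-list loaded it, and program 55 because it is nameless and no process holds it. The shared map id between them is the pivot a responder would follow next with `bpftool map dump id 7`, since programs that exchange state through one map almost always came from the same loader.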
