
Shadow Campaigns: Asia-Linked Espionage Group Breaches Government and Critical Infrastructure Networks Worldwide

Researchers from Palo Alto Networks’ Unit 42 report that the group has been operational since at least January 2024.


A state-backed cyber espionage group has infiltrated dozens of government and critical infrastructure networks across 37 countries as part of a global operation known as “Shadow Campaigns.”

During November and December of last year, the threat actor also carried out large-scale reconnaissance against government-linked entities spanning 155 countries, significantly expanding its intelligence-gathering footprint.

Researchers from Palo Alto Networks’ Unit 42 report that the group has been operational since at least January 2024 and is believed, with high confidence, to be based in Asia. Until firm attribution is established, the actor is being tracked under the identifiers TGR-STA-1030/UNC6619.

The Shadow Campaigns activity has primarily targeted government ministries and agencies involved in law enforcement, border security, finance, trade, energy, mining, immigration, and diplomacy. Unit 42 confirmed successful compromises of at least 70 government and critical infrastructure organizations across 37 nations.

Impacted entities include organizations handling trade policy, geopolitical affairs, and election-related matters in the Americas; ministries and parliamentary bodies across several European countries; Australia’s Treasury Department; and multiple government and infrastructure organizations in Taiwan. Researchers noted that the selection of targets and timing appeared to align closely with region-specific political or economic events.

According to Unit 42, the group intensified scanning activity during the U.S. government shutdown in October 2025, focusing on entities across North, Central, and South America, including Brazil, Canada, the Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago.

Particularly notable was extensive reconnaissance against “at least 200 IP addresses hosting Government of Honduras infrastructure” just one month ahead of the country’s national elections, a period marked by political discussions around restoring diplomatic relations with Taiwan.

Unit 42 assessed that confirmed compromises included Brazil’s Ministry of Mines and Energy, a Bolivian mining-related entity, two Mexican ministries, government infrastructure in Panama, and an IP address linked to a Venezolana de Industria Tecnológica facility. Additional victims spanned government entities across Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal, and Serbia, along with an Indonesian airline, several Malaysian ministries, a Mongolian law enforcement organization, a major Taiwanese power equipment supplier, and a Thai government department likely associated with economic and trade data. Critical infrastructure organizations across multiple African nations were also affected.

The researchers further believe the actor attempted SSH connections to systems associated with Australia’s Treasury Department, Afghanistan’s Ministry of Finance, and Nepal’s Office of the Prime Minister and Council of Ministers. Beyond confirmed breaches, evidence suggests widespread reconnaissance and intrusion attempts in numerous other countries.

Unit 42 also observed scanning of Czech government infrastructure, including systems tied to the army, police, parliament, and several ministries. The group attempted to access European Union infrastructure as well, targeting over 600 IP addresses hosting *.europa.eu domains. In July 2025, Germany was a focal point, with connection attempts made to more than 490 government-hosted IP addresses.

Early stages of the campaign relied heavily on spear-phishing emails crafted specifically for government officials. These messages often referenced internal ministry restructuring to increase credibility.

The phishing emails contained links to malicious archives hosted on Mega.nz, using localized file names. Inside the archives were a malware loader called Diaoyu and a zero-byte PNG file named pic1.png. Unit 42 found that Diaoyu could retrieve Cobalt Strike payloads and the VShell framework for command-and-control operations, but only after passing several analysis-evasion checks.

“Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory,” the researchers say.

They explained that the empty image file acts as an integrity check, causing the malware to terminate if the file is missing. To further avoid detection, the loader scans for active processes linked to security tools such as Kaspersky, Avira, Bitdefender, Sentinel One, and Norton.
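The loader's packaging described above (a zero-byte `pic1.png` shipped next to the executable it gates) is a pattern a mail gateway or sandbox pre-filter can look for before detonation. The following is an added example, not code from Unit 42 or from the report: it assumes the archive is a ZIP (the report does not state the archive format), reads only the central directory, and flags an empty `.png` sitting beside an executable. The two sample archives are constructed in memory for the demonstration.

```python
import io
import zipfile
from typing import Dict, List

# Extensions treated as "executable" for this heuristic (assumption, not from the report).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".lnk")


def triage_archive(data: bytes) -> Dict[str, object]:
    """Flag the Diaoyu packaging pattern: a zero-byte .png next to an executable.

    Only central-directory metadata is read; nothing is extracted, so a
    malicious member is never written to disk during triage.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]

    empty_pngs: List[str] = [
        i.filename for i in members
        if i.filename.lower().endswith(".png") and i.file_size == 0
    ]
    executables: List[str] = [
        i.filename for i in members
        if i.filename.lower().endswith(EXECUTABLE_SUFFIXES)
    ]
    return {
        "empty_pngs": empty_pngs,
        "executables": executables,
        # Both halves of the pattern must be present; an empty PNG alone is common
        # enough in broken downloads that it should not trigger on its own.
        "suspicious": bool(empty_pngs and executables),
    }


def build_sample(files: Dict[str, bytes]) -> bytes:
    """Construct a ZIP in memory. Test data only, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives: the first mimics the layout the report describes
# (placeholder executable name; "MZ" header only), the second is benign.
CONSTRUCTED_SUSPICIOUS = build_sample({
    "pic1.png": b"",
    "ministry_notice.exe": b"MZ" + b"\x00" * 62,
})
CONSTRUCTED_BENIGN = build_sample({
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.txt": b"hello",
})


if __name__ == "__main__":
    for label, blob in (("suspicious", CONSTRUCTED_SUSPICIOUS), ("benign", CONSTRUCTED_BENIGN)):
        print(label, triage_archive(blob))
```

This is a triage heuristic, not a verdict: a hit should route the archive to detonation or analyst review, and the executable-suffix list is deliberately narrow so the check stays cheap enough to run on every inbound attachment.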

In addition to phishing, the group exploited at least 15 known vulnerabilities to gain initial access, targeting flaws in SAP Solution Manager, Microsoft Exchange Server, D-Link products, and Microsoft Windows.

New Linux Rootkit Discovered


The Shadow Campaigns toolkit includes multiple webshells—such as Behinder, Godzilla, and Neo-reGeorg—as well as tunneling tools like GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX.

Researchers also uncovered a previously undocumented Linux kernel eBPF rootkit named ShadowGuard, believed to be exclusive to TGR-STA-1030/UNC6619.

“eBPF backdoors are notoriously difficult to detect because they operate entirely within the highly trusted kernel space,” the researchers explain. “This allows them to manipulate core system functions and audit logs before security tools or system monitoring applications can see the true data.”

ShadowGuard hides malicious processes at the kernel level, concealing up to 32 process IDs from standard Linux monitoring utilities through syscall interception. It can also obscure files and directories named swsecret, while allowing operators to specify which processes remain visible.
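A rootkit that filters directory listings to hide processes and a file name leaves a measurable gap: `readdir()` on `/proc` omits the PID, but opening `/proc/<pid>/status` by number still succeeds, and `lstat()` of a hidden name still succeeds even though the name is missing from the listing. The cross-view check below is an added example for defenders, not code from Unit 42; it assumes a Linux host, uses `swsecret` from the report as the one file name to probe, and the directory list is an assumption. The pure comparison functions are separated from the collectors so the logic can be exercised with constructed data.

```python
import os
from typing import Iterable, Optional, Set

PROC = "/proc"


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs that answer a direct /proc/<pid> lookup but are absent from readdir()."""
    return set(probed) - set(listed)


def hidden_names(listed: Iterable[str], probed: Iterable[str]) -> Set[str]:
    """Names that lstat() confirms but the directory listing omits."""
    return set(probed) - set(listed)


def is_thread_group_leader(status_text: str, pid: int) -> bool:
    """True if /proc/<pid>/status reports Tgid == pid.

    Thread IDs are reachable as /proc/<tid> but never appear in readdir() of
    /proc, so without this filter every thread of a multithreaded process
    would be reported as a hidden process (the classic false positive).
    """
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1]) == pid
    return False  # malformed status: do not count it


def listed_pids(proc: str = PROC) -> Set[int]:
    """The listing view: what `ps` and `ls /proc` see."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probed_pids(max_pid: Optional[int] = None, proc: str = PROC) -> Set[int]:
    """The direct view: try every PID number up to pid_max by name."""
    if max_pid is None:
        try:
            with open(f"{proc}/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except (OSError, ValueError):
            max_pid = 32768
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status") as f:
                status = f.read()
        except OSError:
            continue  # no such PID
        if is_thread_group_leader(status, pid):
            found.add(pid)
    return found


def probed_names(directory: str, candidates: Iterable[str]) -> Set[str]:
    """Direct view for files: lstat() each candidate name without listing the directory."""
    present: Set[str] = set()
    for name in candidates:
        try:
            os.lstat(os.path.join(directory, name))
            present.add(name)
        except OSError:
            pass
    return present


def scan(candidate_names=("swsecret",),
         directories=("/tmp", "/var/tmp", "/root", "/etc", "/usr/lib")):
    """Run both cross-view checks on the live host and return the gaps."""
    report = {"hidden_pids": hidden_pids(listed_pids(), probed_pids()), "hidden_files": {}}
    for d in directories:
        try:
            listing = os.listdir(d)
        except OSError:
            continue
        gap = hidden_names(listing, probed_names(d, candidate_names))
        if gap:
            report["hidden_files"][d] = gap
    return report


if __name__ == "__main__":
    print(scan())
```

Run it from a binary copied in from a known-good host rather than the system Python, since a kernel-level hook that filters `getdents64` can just as easily filter what the host's own tools report; a non-empty `hidden_pids` or `hidden_files` result is a trigger for offline disk and memory acquisition, not for further live investigation on the box.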

The campaign’s infrastructure relies on victim-facing servers hosted with legitimate VPS providers in the U.S., Singapore, and the UK, combined with relay servers, residential proxies, and Tor for traffic obfuscation. Researchers noted the use of deceptive command-and-control domains designed to appear familiar to targets, including region-specific top-level domains.

"It’s possible that the domain name could be a reference to 'DOGE Jr,' which has several meanings in a Western context, such as the U.S. Department of Government Efficiency or the name of a cryptocurrency," the researchers explain.

Unit 42 concludes that TGR-STA-1030/UNC6619 is a highly capable espionage actor focused on gathering strategic, economic, and political intelligence, with a proven record of impacting government entities worldwide. The full report includes indicators of compromise (IoCs) to assist defenders in identifying and blocking related activity.