State-Sponsored Espionage Campaign Targets 155 Countries
A sophisticated, state-sponsored threat actor has been conducting extensive espionage operations, compromising government and critical infrastructure networks across 37 countries in a campaign dubbed ‘Shadow Campaigns.’ The operation, which began as early as January 2024, also involved reconnaissance activity targeting entities in a total of 155 countries between November and December 2025, according to researchers at Palo Alto Networks’ Unit 42 division.
The actor, currently tracked as TGR-STA-1030/UNC6619, is believed to operate from Asia, though definitive attribution remains ongoing. The group’s targets span a wide range of vital sectors, including government ministries, law enforcement, border control, finance, trade, energy, mining, immigration, and diplomatic agencies.
Unit 42 confirmed successful compromises of at least 70 government and critical infrastructure organizations. These include entities involved in trade policy, geopolitical issues, and elections in the Americas, as well as ministries and parliaments across Europe. Specifically, the Australian Treasury Department and government and critical infrastructure organizations in Taiwan were impacted. Compromises also extended to Brazil’s Ministry of Mines and Energy, a Bolivian entity associated with mining, two Mexican ministries, and government infrastructure in Panama, among others.
The timing of reconnaissance activity appears correlated with specific geopolitical events. During the U.S. Government shutdown in October 2025, the actor increased scanning of entities across North, Central, and South America, including Brazil, Canada, Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago. Notably, just 30 days before a national election in Honduras, researchers discovered reconnaissance against at least 200 IP addresses associated with Honduran government infrastructure, coinciding with both candidates indicating a willingness to restore diplomatic ties with Taiwan.
Beyond these specific instances, the actor compromised government entities in Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal, and Serbia. Additional targets included an Indonesian airline, multiple Malaysian government departments and ministries, a Mongolian law enforcement entity, a major supplier in Taiwan’s power equipment industry, a Thai government department focused on economic and international trade, and critical infrastructure entities in the Democratic Republic of the Congo, Djibouti, Ethiopia, Namibia, Niger, Nigeria, and Zambia.
The group also attempted to connect via SSH to Australia’s Treasury Department, Afghanistan’s Ministry of Finance, and Nepal’s Office of the Prime Minister and Council of Ministers, though the success of these attempts is unconfirmed. Scanning activity was also detected against Czech government infrastructure, including the Army, Police, Parliament, Ministries of Interior, Finance, and Foreign Affairs, as well as the president’s website. The actor targeted over 600 IP addresses hosting *.europa.eu domains and initiated connections to more than 490 IP addresses hosting German government systems in July 2025.
Attack Chain and Tactics
The initial stages of the ‘Shadow Campaigns’ relied heavily on highly tailored phishing emails sent to government officials. These emails often masqueraded as internal ministry reorganization efforts and contained links to malicious archives hosted on Mega.nz. These archives contained a malware loader named Diaoyu and a zero-byte PNG file, pic1.png.
Diaoyu, under certain conditions designed to evade analysis, would fetch Cobalt Strike payloads and the VShell framework for command-and-control (C2). The loader incorporates several evasion techniques, including checking for a horizontal screen resolution of at least 1440 pixels and verifying the presence of the pic1.png file in the execution directory. The absence of this file causes the malware to terminate. It also checks for running processes associated with several security products, including Kaspersky, Avira, Bitdefender, Sentinel One, and Norton (Symantec).
Beyond phishing, TGR-STA-1030/UNC6619 exploited at least 15 known vulnerabilities to gain initial access, targeting security flaws in SAP Solution Manager, Microsoft Exchange Server, D-Link devices, and Microsoft Windows.
New Linux Rootkit: ShadowGuard
Researchers discovered a custom Linux kernel eBPF rootkit, named ‘ShadowGuard,’ believed to be unique to this threat actor. eBPF backdoors are notoriously difficult to detect because they operate in kernel space, where they can manipulate system functions and audit logs before security tools observe them. ShadowGuard conceals malicious process information at the kernel level, hiding up to 32 process IDs (PIDs) from standard Linux monitoring tools through syscall interception. It can also hide files and directories named swsecret, and it lets operators define processes that should remain visible.
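Because the rootkit filters the process-listing path, one defender-side check is a cross-view comparison: enumerate /proc the normal way, then probe the whole PID space directly with a null signal through kill(2) and report PIDs that answer the probe but never appeared in the listing. The script below is an added illustration of that technique, not code from the Unit 42 report or from ShadowGuard itself; it assumes a Linux host and that the rootkit does not also filter the kill path.

```python
import os

PROC = "/proc"


def list_proc_pids(proc=PROC):
    """View 1: PIDs seen by enumerating /proc (the directory-listing path a rootkit hooks)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def list_proc_tids(pids, proc=PROC):
    """Thread IDs of the listed processes; kill() accepts TIDs, so they must not be flagged."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task") if t.isdigit())
        except OSError:  # process exited between the two listings
            pass
    return tids


def pid_exists(pid):
    """View 2: null-signal probe through the kill syscall; EPERM still proves existence."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def read_pid_max(path=f"{PROC}/sys/kernel/pid_max"):
    """Upper bound of the PID space; fall back to the classic default if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def find_hidden_pids(listed, exists, pid_max, known=frozenset()):
    """PIDs that answer the probe but are absent from both the listing and the known TIDs."""
    return sorted(p for p in range(1, pid_max + 1)
                  if p not in listed and p not in known and exists(p))


def scan_live():
    """Run both views on this host; flagged PIDs deserve a look (or are short-lived noise)."""
    listed = list_proc_pids()
    known = list_proc_tids(listed)
    hidden = find_hidden_pids(listed, pid_exists, read_pid_max(), known)
    # Re-list to drop processes that merely started during the probe loop.
    return sorted(p for p in hidden if p not in list_proc_pids())


if __name__ == "__main__":
    print("possibly hidden PIDs:", scan_live())
```

Threads of a hidden process will be flagged alongside its PID, since their TIDs are not reachable through the hidden /proc entry; a rootkit that also hooks kill would defeat this particular second view, so treat an empty result as one signal, not proof.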
The group’s infrastructure utilizes victim-facing servers hosted by legitimate VPS providers in the U.S., Singapore, and the UK, alongside relay servers for traffic obfuscation and residential proxies or Tor for anonymization. C2 domains were often designed to appear familiar to targets, such as using the .gouv top-level domain for French-speaking countries or the dog3rj[.]tech domain in attacks targeting European entities.
Unit 42 assesses that TGR-STA-1030/UNC6619 is an operationally mature espionage actor prioritizing strategic, economic, and political intelligence, and has already significantly impacted governments worldwide. Indicators of compromise (IoCs) are available in the Unit 42 report to aid in detection and mitigation efforts.
