Unit 42 Reports Asia-Based State-Aligned Espionage Campaign Compromising 37 Governments
Palo Alto Networks Unit 42 reported a large-scale cyberespionage operation, tracked as TGR-STA-1030 and dubbed the Shadow Campaigns, assessing with high confidence the actor is state-aligned and operating out of Asia. Unit 42 documented compromises of government and critical infrastructure organizations across 37 countries over roughly the past year, and observed active reconnaissance against government infrastructure associated with 155 countries (notably during November–December 2025). The activity was characterized as unusually broad in scope, with Unit 42 describing it as among the most widespread compromises of global government infrastructure in years.
The operation primarily targeted government ministries and departments, with confirmed compromises including national-level law enforcement/border control entities and ministries aligned to finance, trade, natural resources, and diplomatic functions; reporting also cited intrusions affecting national telecommunications companies, police agencies, counterterrorism departments, and multiple interior/foreign affairs-related bodies. Unit 42 stated it notified impacted entities via responsible disclosure and published technical details on the actor’s phishing and exploitation techniques, tooling, and infrastructure, along with defensive indicators intended to support detection and response; public reporting noted Unit 42 did not attribute the campaign to a specific country, while comparing its scale to other recent China-linked activity such as Volt Typhoon and Salt Typhoon in terms of strategic risk and potential long-term national security impact.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
CISA confirms tracking and coordination on TGR-STA-1030
Following the report's release, CISA confirmed it was tracking TGR-STA-1030 and coordinating with partners to detect and mitigate exploitation of the vulnerabilities described by researchers. This marked an official government response to the disclosed campaign.
ShadowGuard rootkit and IOCs are disclosed
In the same public reporting, Unit 42 revealed a previously undocumented Linux eBPF kernel rootkit called ShadowGuard, assessed as unique to the actor. The publication also included indicators of compromise such as IPs, domains, and file hashes.
Unit 42 publicly exposes the 'Shadow Campaigns' operation
On February 5, 2026, Palo Alto Networks Unit 42 published its report on the 'Shadow Campaigns,' attributing the activity with high confidence to an Asia-based state-aligned actor tracked as TGR-STA-1030/UNC6619. The report detailed the group's phishing and N-day exploitation tradecraft, victimology, infrastructure, and broad global scope.
Unit 42 disrupts some intrusions and notifies victims
Before public disclosure, Palo Alto Networks Unit 42 said it pushed the actors out of some affected government networks, notified impacted entities, and shared indicators with industry peers and Cyber Threat Alliance members. The researchers also monitored for attempted re-entry.
Campaign compromises organizations across 37 countries
Over the following year, TGR-STA-1030 compromised at least 70 government and critical-infrastructure organizations in 37 countries. Some intrusions persisted for months and included exfiltration of sensitive data from victim email servers and file shares.
Actor conducts global government reconnaissance surge
Between November and December 2025, the group carried out targeted reconnaissance against government infrastructure associated with 155 countries. Researchers said the activity was timed in part around geopolitical events and shifts in international affairs.
TGR-STA-1030 begins cyberespionage activity
Unit 42 assessed the Asia-based, state-aligned cluster TGR-STA-1030/UNC6619 has been active since at least January 2024. The group began targeting government and critical-infrastructure organizations using phishing and exploitation of known vulnerabilities.
Sources
TGR-STA-1030 Cyberespionage: ShadowGuard Linux Rootkit Targets SAP Solution Manager, Microsoft Exchange, and 70 Global Critical Infrastructure Entities (rescana.com)
State actor targets 155 countries in 'Shadow Campaigns' espionage op (bleepingcomputer.com)
State-aligned global espionage campaign hits 70 organizations | SC Media (scworld.com)
Asian Cyber Espionage Campaign Hit 37 Countries (techrepublic.com)
Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities (thehackernews.com)
Asia-based spies hacked 37 countries' critical networks | The Register (go.theregister.com)
Researchers uncover vast cyberespionage operation targeting dozens of governments worldwide | The Record from Recorded Future News (therecord.media)
The Shadow Campaigns: Uncovering Global Espionage (unit42.paloaltonetworks.com)