TGR-STA-1030 “Shadow Campaigns” Global Cyberespionage Using ShadowGuard Rootkit
A large-scale cyberespionage operation tracked as TGR-STA-1030 (also UNC6619) has been reported compromising government and critical-infrastructure organizations across 37 countries, with broader reconnaissance activity against government infrastructure in 155 countries. The operation—described as “Shadow Campaigns”—uses phishing (often impersonating government entities) and N-day vulnerability exploitation across multiple enterprise and edge products (including SAP, Microsoft Exchange, and D-Link) to gain initial access, then deploys tooling for persistence, lateral movement, and stealth.
Post-compromise activity includes deployment of Diaoyu Loader to stage frameworks and remote admin tooling such as Cobalt Strike and VShell, plus web shells and tunneling utilities. A notable capability is ShadowGuard, a Linux eBPF rootkit used for kernel-level stealth. Reporting also indicates Palo Alto Networks’ Unit 42 assessed the actor as state-aligned and operating out of Asia, citing indicators such as tooling, language preferences, activity patterns aligned to GMT+8, and infrastructure linkages; separate reporting claims Unit 42 initially connected the campaign more directly to China but softened public attribution due to concerns about potential retaliation following Chinese restrictions on certain foreign cybersecurity vendors’ software.
Related Stories

Unit 42 Reports Asia-Based State-Aligned Espionage Campaign Compromising 37 Governments
Palo Alto Networks Unit 42 reported a large-scale cyberespionage operation, tracked as **TGR-STA-1030** and dubbed the **Shadow Campaigns**, assessing with high confidence the actor is **state-aligned and operating out of Asia**. Unit 42 documented compromises of government and critical infrastructure organizations across **37 countries** over roughly the past year, and observed **active reconnaissance** against government infrastructure associated with **155 countries** (notably during **November–December 2025**). The activity was characterized as unusually broad in scope, with Unit 42 describing it as among the most widespread compromises of global government infrastructure in years. The operation primarily targeted government ministries and departments, with confirmed compromises including national-level law enforcement/border control entities and ministries aligned to **finance, trade, natural resources, and diplomatic functions**; reporting also cited intrusions affecting national telecommunications companies, police agencies, counterterrorism departments, and multiple interior/foreign affairs-related bodies. Unit 42 stated it notified impacted entities via responsible disclosure and published technical details on the actor’s **phishing and exploitation techniques**, tooling, and infrastructure, along with **defensive indicators** intended to support detection and response; public reporting noted Unit 42 did not attribute the campaign to a specific country, while comparing its scale to other recent China-linked activity such as **Volt Typhoon** and **Salt Typhoon** in terms of strategic risk and potential long-term national security impact.
1 month ago
Chinese Espionage Campaign CL-UNK-1068 Targeting Asian Critical Infrastructure via Web Server Exploitation
Palo Alto Networks Unit 42 reported a **previously undocumented Chinese threat actor**, tracked as **CL-UNK-1068**, conducting a multi-year intrusion campaign (observed since at least 2020) against high-value organizations across **South, Southeast, and East Asia**. Targeted sectors include **aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications**, with Unit 42 assessing with **moderate-to-high confidence** that the primary objective is **cyber espionage** (while not fully ruling out criminal motives). The assessment cites tool provenance, linguistic artifacts in configurations, and consistent long-term targeting of Asian critical infrastructure as the key factors supporting attribution. The activity features exploitation of **internet-facing web servers** to deploy **web shells** and establish persistence across both Windows and Linux environments, using a mix of custom malware, modified open-source tools, and **living-off-the-land binaries (LOLBINs)**. Reported tooling includes the **Godzilla** and **ANTSWORD** web shells, the **Xnote** Linux backdoor, and **Fast Reverse Proxy (FRP)** for tunneling/relay; post-compromise behavior includes lateral movement and targeted file theft from Windows web servers (e.g., `c:\inetpub\wwwroot`) focusing on files such as `web.config`, `.aspx`, `.asmx`, `.asax`, and `.dll`, consistent with credential access and discovery aimed at follow-on exploitation.
6 days ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
1 week ago