TGR-STA-1030 “Shadow Campaigns” Global Cyberespionage Using ShadowGuard Rootkit
A large-scale cyberespionage operation tracked as TGR-STA-1030 (also UNC6619) has been reported compromising government and critical-infrastructure organizations across 37 countries, with broader reconnaissance activity against government infrastructure in 155 countries. The operation, described as the “Shadow Campaigns”, gains initial access through phishing (often impersonating government entities) and exploitation of N-day vulnerabilities in multiple enterprise and edge products (including SAP, Microsoft Exchange, and D-Link), then deploys tooling for persistence, lateral movement, and stealth.
Post-compromise activity includes deployment of the Diaoyu Loader to stage frameworks and remote administration tooling such as Cobalt Strike and VShell, alongside web shells and tunneling utilities. A notable capability is ShadowGuard, a Linux eBPF rootkit used for kernel-level stealth. Reporting also indicates that Palo Alto Networks’ Unit 42 assessed the actor as state-aligned and operating out of Asia, citing indicators such as tooling, language preferences, activity patterns aligned to GMT+8, and infrastructure linkages. Separate reporting claims that Unit 42 initially connected the campaign more directly to China but softened its public attribution out of concern about potential retaliation, following Chinese restrictions on certain foreign cybersecurity vendors’ software.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Palo Alto and Chinese Embassy respond to attribution controversy
Palo Alto said that attribution was irrelevant and denied that the report's wording was influenced by China procurement regulations. The Chinese Embassy in Washington said it opposes cyberattacks and cautioned that attribution should be based on sufficient evidence.
Reuters reports Palo Alto softened China attribution
Reuters reported that Unit 42 had initially linked the campaign to China internally, but Palo Alto executives ordered the public attribution language to be softened out of concern about possible retaliation from Beijing. Sources said the concern followed reported Chinese restrictions affecting about 15 U.S. and Israeli cybersecurity firms, including Palo Alto.
Unit 42 publicly reports Shadow Campaigns with Asia-based attribution
Palo Alto Networks' Unit 42 published a report on the Shadow Campaigns, tracking the activity as TGR-STA-1030 and assessing with high confidence that it originated from Asia based on tooling, language preferences, activity timing, and infrastructure links. The public report described a large-scale state-aligned cyberespionage campaign but did not name China.
Unit 42 documents ShadowGuard rootkit and campaign tooling
Researchers identified the campaign's toolset as including Cobalt Strike, VShell, web shells, tunneling utilities, and a Linux eBPF kernel rootkit called ShadowGuard used for stealth. These technical details were disclosed as part of public reporting on the operation.
Global espionage campaign compromises dozens of organizations
The operation, dubbed the Shadow Campaigns, was found to have compromised at least 70 organizations across 37 countries and conducted reconnaissance against government infrastructure in 155 countries. Victims included government and critical infrastructure organizations across multiple sectors and regions.
Actor expands to broad N-day vulnerability exploitation
Over time, the threat actor shifted from phishing to widespread exploitation of known vulnerabilities in products including SAP, Microsoft Exchange, D-Link, and Atlassian Crowd. Researchers found no evidence that the campaign relied on custom zero-days.
Shadow Campaigns begins with phishing-based intrusions
The espionage operation initially gained access by sending phishing lures impersonating government organizations, delivering the Diaoyu Loader and then Cobalt Strike with anti-analysis checks. This marked the early intrusion phase of the activity later tracked as TGR-STA-1030/UNC6619.
Sources
2 references tracked.
teiss - News - Exclusive: Palo Alto chose not to tie China to hacking campaign for fear of retaliation from Beijing, sources say
teiss.co.uk (open source)
“Shadow Campaigns” Show Evidence of Global Espionage Using ShadowGuard Rootkit
blog.polyswarm.io (open source)