A highly advanced state-backed hacking group has been quietly breaking into government and critical infrastructure networks around the world, according to a new investigation by Palo Alto Networks Unit 42.

The long-running operation, known as Shadow Campaigns, has already affected dozens of organizations across 37 countries and shows signs of preparation for even wider activity.

Researchers say the threat actor has been active since at least January 2024 and is believed to be operating from Asia. While a final attribution has not yet been confirmed, the group is currently tracked as TGR-STA-1030 or UNC6619. Between November and December last year alone, the attackers successfully compromised at least 70 government and critical infrastructure entities. At the same time, they carried out large-scale scanning and reconnaissance linked to government systems in as many as 155 countries.

The targets were not chosen at random. Most of the compromised organizations were connected to sensitive areas such as government ministries, law enforcement, border control, immigration, finance, trade, energy, mining, and diplomatic services. Many of the victims were involved in trade policy, geopolitical decision-making, or election-related work.

Countries and Institutions Affected

Confirmed compromises include ministries in Brazil and Mexico, government systems in Panama and Venezuela, parliaments and ministries across several European countries, and key infrastructure providers in Taiwan. Multiple government departments in Malaysia were also breached, along with a Mongolian law enforcement agency and an Indonesian airline. In Africa, critical infrastructure entities in countries such as Nigeria, Ethiopia, Zambia, and the Democratic Republic of the Congo were affected.


The researchers also observed attempted access to systems linked to Australia’s Treasury Department, Afghanistan’s Ministry of Finance, and Nepal’s Office of the Prime Minister and Council of Ministers. In addition to confirmed breaches, the group carried out extensive scanning against European Union infrastructure, targeting hundreds of systems connected to europa.eu domains. Germany was another major focus, with hundreds of government-hosted IP addresses scanned during mid 2025.

Timing played an important role in the campaign. During the US government shutdown in October 2025, the attackers sharply increased scanning activity across North, Central, and South America. In another case, they scanned more than 200 IP addresses linked to Honduras government infrastructure just weeks before a national election, at a moment when political leaders were publicly discussing restoring diplomatic relations with Taiwan. These patterns suggest the operation was closely tied to political and strategic events.

How the Attacks Worked

The attacks initially relied on carefully crafted phishing emails sent to government officials. These messages often mentioned internal ministry reorganizations to appear legitimate and urgent. Victims were directed to download archive files hosted on Mega.nz, which contained a malware loader known as Diaoyu. Inside the archive was also a zero-byte image file used as a simple but effective check to ensure the malware was running in the intended environment. If certain conditions were not met, the malware would shut down immediately to avoid detection.

When active, the loader could deploy well-known post-exploitation tools such as Cobalt Strike and the VShell framework for command and control. It also checked for the presence of popular security software and stopped execution if it detected any. Beyond phishing, the group exploited at least 15 known vulnerabilities in widely used technologies, including Microsoft Exchange Server, Microsoft Windows, SAP Solution Manager, and D-Link devices.
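The lure layout described above (an archive carrying the loader next to a zero-byte image file used as an environment check) is something a mail gateway or triage analyst can screen for. The following is an added example, not Unit 42 code and not derived from the actual Diaoyu samples: it inspects a zip archive and reports the traits the article describes, plus the common document-looking-executable trick. The extension lists, the file names and both sample archives are constructed assumptions for illustration; an empty result means no heuristic fired, not that the archive is safe.

```python
import io
import os
import zipfile

# Extensions tied to the described lure (a zero-byte image marker) and the
# payload types a lure archive usually carries. Both lists are assumptions.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def _ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def lure_archive_findings(archive_bytes: bytes) -> list:
    """Triage one zip archive and return the reasons it resembles the
    described lure. An empty list means no heuristic fired, not 'clean'."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]

    zero_byte_images = sorted(m.filename for m in members
                              if m.file_size == 0 and _ext(m.filename) in IMAGE_EXTS)
    executables = sorted(m.filename for m in members if _ext(m.filename) in EXEC_EXTS)
    # Names such as 'notice.pdf.exe' hide the real extension behind a document one.
    double_ext = sorted(m.filename for m in members
                        if _ext(m.filename) in EXEC_EXTS
                        and _ext(os.path.splitext(m.filename)[0]) in DOC_EXTS)

    findings = []
    if zero_byte_images:
        findings.append(f"zero-byte image file(s): {', '.join(zero_byte_images)}")
    if zero_byte_images and executables:
        findings.append("zero-byte image bundled with an executable: matches the Diaoyu lure layout")
    if double_ext:
        findings.append(f"document-looking executable name(s): {', '.join(double_ext)}")
    return findings


def build_lure_sample() -> bytes:
    """Constructed archive mimicking the described lure; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ministry_Reorganisation_Notice.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE stub
        zf.writestr("header.jpg", b"")  # the zero-byte environment-check marker
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive with an ordinary document and a non-empty image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.docx", b"PK\x03\x04" + b"\x00" * 32)
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        print(label, "->", lure_archive_findings(data) or "no findings")
```

The zero-byte image is only meaningful in combination: plenty of legitimate archives contain empty placeholder files, so the combined rule (empty image plus executable) is the one worth alerting on, and the Mega.nz download link in the original email is the earlier, cheaper indicator to hunt for in mail logs.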


One of the most concerning discoveries was a custom Linux kernel rootkit called ShadowGuard. It is implemented as eBPF programs attached to kernel hooks rather than as a loadable kernel module, which lets it filter what the kernel returns to userland and makes it extremely difficult to detect with conventional tools. It can hide malicious processes from system monitoring tools, conceal files and directories, and manipulate system data before security software can see what is really happening. Researchers believe this rootkit is unique to this threat actor and shows a high level of technical skill.
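An eBPF rootkit that hides processes and files has to attach to the kernel paths that produce directory listings and file reads, and those attachments are visible to bpftool unless the rootkit also hooks the bpf() syscall to hide itself. The check below is an added example, not Unit 42's detection logic and not based on ShadowGuard samples: it reads the JSON that bpftool link show -j emits and flags links attached to the syscalls hiding rootkits rely on, or to a raw tracepoint that sees every syscall. The embedded JSON is constructed to resemble bpftool output; because field names differ between bpftool versions, the checker walks every string field of each link record instead of assuming one key, and the hook list is an assumption drawn from how public eBPF rootkits work.

```python
import json
import re
from typing import Optional

# Syscalls that process/file-hiding eBPF rootkits typically hook so they can
# filter or rewrite results before userland tools see them (assumed list).
HIDE_SYSCALLS = {
    "getdents64": "directory listing (hides files, /proc entries, processes)",
    "getdents": "directory listing (legacy)",
    "read": "file read (tampers with /proc or config contents)",
    "openat": "file open (redirects or denies opens)",
    "recvfrom": "socket receive (filters traffic, parses C2 triggers)",
    "bpf": "bpf() syscall (hides BPF programs from bpftool itself)",
}

# Kernel symbol for a syscall, e.g. '__x64_sys_getdents64' or 'sys_read'.
_KSYM = re.compile(r"^(?:__(?:x64|ia32|arm64)_|compat_)?sys_(\w+)$")
# Syscall tracepoint, e.g. 'syscalls/sys_enter_getdents64'.
_TP = re.compile(r"^(?:syscalls/)?sys_(?:enter|exit)_(\w+)$")


def _syscall_of(symbol: str) -> Optional[str]:
    """Map a hook name to the syscall it targets, or None if it is not a syscall hook."""
    for pattern in (_TP, _KSYM):
        m = pattern.match(symbol)
        if m:
            return m.group(1)
    return None


def suspicious_links(link_json: str, allow_prog_ids=frozenset()) -> list:
    """Return [(link_id, prog_id, reason)] for BPF links attached to hooks that
    hiding rootkits rely on. allow_prog_ids lets you skip known tooling."""
    findings = []
    for link in json.loads(link_json):
        if link.get("prog_id") in allow_prog_ids:
            continue
        for value in (v for v in link.values() if isinstance(v, str)):
            sc = _syscall_of(value)
            if sc in HIDE_SYSCALLS:
                findings.append((link["id"], link["prog_id"],
                                 f"hooks sys_{sc}: {HIDE_SYSCALLS[sc]}"))
                break
        else:
            # A raw tracepoint on sys_enter/sys_exit observes every syscall.
            if link.get("type") == "raw_tracepoint" and link.get("tp_name") in ("sys_enter", "sys_exit"):
                findings.append((link["id"], link["prog_id"],
                                 "raw tracepoint on every syscall entry/exit"))
    return findings


# Constructed sample resembling `bpftool link show -j`; not real output.
BPFTOOL_LINK_SAMPLE = json.dumps([
    {"id": 3, "type": "cgroup", "prog_id": 12, "cgroup_id": 1, "attach_type": "cgroup_inet_ingress"},
    {"id": 9, "type": "tracing", "prog_id": 41, "attach_type": "trace_fentry",
     "target_obj_id": 1, "func": "__x64_sys_getdents64"},
    {"id": 14, "type": "raw_tracepoint", "prog_id": 42, "tp_name": "sys_enter"},
    {"id": 21, "type": "perf_event", "prog_id": 43, "func": "tcp_sendmsg"},
])


if __name__ == "__main__":
    import sys
    data = BPFTOOL_LINK_SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for link_id, prog_id, reason in suspicious_links(data):
        print(f"link {link_id} (prog {prog_id}): {reason}")
```

Run it as bpftool link show -j | python3 ebpf_hook_check.py on a host you suspect. A clean result is not conclusive: a rootkit that hooks bpf() can filter what bpftool sees, so corroborate from outside the running kernel (a trusted boot medium, or a memory image) before trusting the host's own view of itself.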

Deceptive Infrastructure and Familiar Domains

The infrastructure behind Shadow Campaigns used legitimate virtual private servers in countries such as the United States, Singapore, and the United Kingdom, along with relay servers, residential proxies, and Tor to hide the true origin of the attacks. The group also registered domains designed to look familiar to their targets, including government-style domain names that blended into local environments.


According to Unit 42, TGR-STA-1030 represents a mature cyber espionage operation focused on collecting political, economic, and strategic intelligence rather than causing immediate disruption. With dozens of governments already affected and scanning activity continuing worldwide, the campaign highlights how vulnerable even high-level state institutions remain. To help defenders respond, the researchers have published indicators of compromise that organizations can use to detect and block related attacks.
