Threat Group Running Espionage Operations Against Dozens of Governments
A sophisticated nation-state threat group likely operating out of Asia is running a vast cyberespionage campaign that has compromised government and critical infrastructure organizations in three dozen countries and was seen ramping up its activities in the last two months of 2025, according to Palo Alto Networks’ Unit 42 threat intelligence unit.
Unit 42 researchers are tracking the hackers as TGR-STA-1030 and are referring to their activity as the Shadow Campaigns. They’ve traced the group’s infrastructure back to at least January 2024 and over the past year have seen it compromise five national-level law enforcement and border control entities, three ministries of finance and other government ministries, and other departments around the world that include economic, trade, natural resources and diplomatic functions.
The attacks have reached 37 countries, and between November and December 2025 the threat group was seen running reconnaissance against government infrastructure in 155 countries.
“TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide,” the researchers wrote in a report this week. “The group primarily targets government ministries and departments for espionage purposes. We assess that it prioritizes efforts against countries that have established or are exploring certain economic partnerships.”
A Threat from Asia
The researchers believe the threat group is aligned with a nation-state in Asia based on language-setting preferences, frequent use of tools and services from the region, and upstream connections to operational infrastructure in the region.
In addition, the group’s targets and the timing of attacks tend to align with events and intelligence that are of interest to the region and its operations align with a time zone in Asia. One of the attackers also uses “JackMa” as a handle, which may refer to Jack Ma, who co-founded the massive Chinese tech conglomerate and Yunfeng Capital, a private equity firm based in Shanghai, China.
Phishing, Vulnerability Exploitation
Unit 42 picked up on TGR-STA-1030’s activities in February 2025 when it detected a cluster of phishing campaigns targeting European governments, with the malicious messages being sent to government email addresses, referencing a ministry or department reorganization, and linking to malicious files.
Clicking on the link led to the deployment of a loader called Daioyu that blocks sandbox analysis and installs a Cobalt Strike payload.
“In addition to phishing campaigns, the group often couples exploitation attempts with their reconnaissance activities to gain initial access to target networks,” the researchers wrote. “To date, we have not observed the group developing, testing or deploying any zero-day exploits. However, we assess that the group is comfortable testing and deploying a wide range of common tools, exploitation kits and proof-of-concept code for N-day exploits.”
Unit 42 listed more than a dozen vulnerabilities the group has tried to exploit, including some linked to Microsoft, SAP, D-Link, Apache’s Struts 2 project, and Commvault, along with others involving companies in Asia. The threat actors were detected once connecting to e-passport and e-visa services associated with a ministry of foreign affairs.
A Well-Armed Group
Tools used by TGR-STA-1030 include several command-and-control (C2) frameworks (VShell, Havoc, SparkRat and Sliver); web shells such as Behinder, Neo-reGeorg and Godzilla to maintain access and move laterally through compromised networks; and tunneling tools – GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS) and IOX – used both in the C2 infrastructure and inside compromised networks.
The threat group also uses ShadowGuard, a new Linux kernel rootkit identified by Unit 42. The backdoor uses Extended Berkeley Packet Filter (eBPF) to conceal its activities at the kernel level, including hiding process details. It intercepts critical system calls, uses custom kill signals to mark the processes to hide, includes a hard-coded check for directories and files named “swsecret,” and has an allow-list mechanism that exempts listed processes from the hiding function.
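A rootkit that filters the directory listing of /proc can still be caught by cross-checking that listing against kill(2) probes, which answer for every live PID. The script below is an added defender-side example, not Unit 42 or ShadowGuard code; it assumes a Linux host with a normal /proc mount and makes no claim about which hooks ShadowGuard installs.

```python
"""Hidden-process cross-check: report PIDs that answer kill(pid, 0) but are
missing from a readdir() of /proc.  Added example, not Unit 42 code."""
import os


def listed_pids() -> set[int]:
    """PIDs that a plain directory listing of /proc reports (the view a getdents hook can filter)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_alive(pid: int) -> bool:
    """kill(pid, 0) delivers no signal; it only reports whether the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def is_thread_group_leader(pid: int) -> bool:
    """Thread IDs also answer kill(2) but are never listed in /proc, so keep only Tgid == pid."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        # No readable status: either the task just exited (ignore) or the
        # whole /proc entry is being hidden (report it).
        return pid_alive(pid)
    return False


def find_hidden_pids(max_pid: int = 0) -> list[int]:
    """Return PIDs visible to kill(2) but absent from /proc; an empty list is the clean result."""
    if max_pid <= 0:
        with open("/proc/sys/kernel/pid_max") as limit:
            max_pid = int(limit.read())
    listed = listed_pids()
    hidden = []
    for pid in range(1, max_pid + 1):
        if pid in listed or not pid_alive(pid) or not is_thread_group_leader(pid):
            continue
        if pid in listed_pids():  # re-read to drop processes that started mid-scan
            continue
        hidden.append(pid)
    return hidden


if __name__ == "__main__":
    for pid in find_hidden_pids():
        print(f"hidden process candidate: pid {pid}")
```

Run it as root on a suspect host so that /proc/&lt;pid&gt;/status is readable for every task; any PID it prints deserves a look at the loaded eBPF programs and the kernel's process tables by other means.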
To run its operations, TGR-STA-1030 sets up and configures its C2 servers on infrastructure leased from legitimate virtual private server (VPS) providers, which differentiates it from similar bad actors that use bulletproof providers or infrastructure in obscure locations. The attackers usually choose virtual servers in the United States, the UK and Singapore to make the infrastructure look more legitimate and to make it harder for agencies in those regions to investigate the group, given the need for cross-agency cooperation.
The group leases additional VPS infrastructure to relay its network traffic and uses proxies to anonymize its connections to that relay infrastructure.
A Narrow Focus
“Given the expansive nature of the activity, some analysts might wrongly assume that the group simply launches broad scans across the entire IPv4 … but that is not the case,” the investigators wrote. “Based on our observation, the group focuses its scanning narrowly on government infrastructure and specific targets of interest across each country. The group’s reconnaissance efforts shed light on its global interests.”
In its efforts, the threat group not only attacked countries’ various ministries, but also compromised one nation’s parliament and a senior elected official of another. National-level telcos as well as national police and counter-terrorism organizations were targeted.
Several of the campaigns correlate with events in particular regions, such as the U.S. government shutdown last fall, which drew the group’s attention to countries in the Western Hemisphere, and the nationwide election in Honduras in October 2025, in which both candidates were open to resuming diplomatic relations with Taiwan.
No region seems out of bounds, with other attacks reaching countries in Europe, Asia, and Africa.
“While this group might be pursuing espionage objectives, its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services,” the researchers wrote.