State actor targets 155 countries in ‘Shadow Campaigns’ espionage op


Key Takeaways:

  • Broad Reach: The TGR-STA-1030 threat group has conducted reconnaissance in 155 countries, successfully compromising entities in 37.
  • Advanced Toolkit: The operation deploys ‘ShadowGuard’, a custom Linux eBPF rootkit that hides processes and files from user-space tools by tampering with syscall results inside the kernel.
  • Negative-Day Exploits: Attackers are now monitoring GitHub commits to weaponize security patches before they are officially disclosed as CVEs.
  • Messaging App Risk: Phishing campaigns against Signal (and, by the same method, WhatsApp) trick high-profile users into scanning a QR code that links an attacker-controlled device to their account.


Technical analysis of recent global telemetry confirms that a sophisticated state-sponsored threat group has initiated a massive espionage operation. This activity, identified as ‘Shadow Campaigns’, has successfully compromised networks across at least 37 countries, with reconnaissance reaching entities in 155 countries. The actor, currently tracked by researchers as TGR-STA-1030 or UNC6619, is believed to operate out of Asia with a primary focus on strategic, political, and economic intelligence gathering.

The scale of this operation indicates a highly organized effort to infiltrate government ministries, critical infrastructure, and diplomatic agencies. Between November and December 2025, the actor intensified its scanning and infiltration efforts, particularly targeting entities associated with trade policy, elections, and national security. The group’s toolkit, which includes a unique Linux kernel rootkit and tailored malware loaders, demonstrates a high level of technical maturity. Organizations should load the published indicators of compromise (IoCs) into their cyber threat intelligence platform and hunt for them in their own telemetry.

State actor targets 155 countries in ‘Shadow Campaigns’ espionage op: Technical Overview

The Shadow Campaigns operation is characterized by its broad geographical reach and surgical targeting of high-value government sectors. The following entities have been confirmed as compromised:

  • Americas: Brazil’s Ministry of Mines and Energy, Mexican government ministries, and infrastructure in Panama and Bolivia.
  • Europe: Government entities in Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal, and Serbia.
  • Asia-Pacific: The Australian Treasury Department, Taiwan’s power equipment industry, and ministries in Malaysia, Indonesia, and Thailand.
  • Africa: Critical infrastructure in Nigeria, Ethiopia, Namibia, and the Democratic Republic of the Congo.

[Map: global cyber espionage attack map showing targeted countries]

The timing of these attacks often aligns with significant geopolitical events. For instance, during the U.S. government shutdown in October 2025, the actor increased its scanning of North and South American infrastructure. Similarly, intensive reconnaissance was noted against the Government of Honduras 30 days prior to their national election. The group also targeted European Union infrastructure, scanning over 600 IP addresses hosting .europa.eu domains.

Shadow Campaigns attack chain

The initial access phase typically involves highly tailored phishing emails. These messages often reference internal ministry reorganizations to establish credibility. The emails contain links to malicious archives hosted on the Mega.nz storage service.

Inside these archives, the primary component is a malware loader named Diaoyu. Diaoyu runs only if three environment checks pass; each is cheap for the actor and screens out a typical sandbox configuration:

  1. Resolution Check: The primary display must be at least 1440 pixels wide. Default virtual machine resolutions such as 1024×768 fail this check.
  2. Companion File Check: The loader looks for a zero-byte file named pic1.png in its own directory and terminates if it is absent. Submitting the extracted executable alone, without the rest of the archive, therefore produces a benign run.
  3. Security Software Detection: The loader scans running processes for Kaspersky, Bitdefender, SentinelOne, Avira, and Norton and terminates if any are present.

If every check passes, Diaoyu fetches Cobalt Strike payloads or the VShell framework for command-and-control (C2). The practical consequence for analysts is to detonate the complete archive (so that pic1.png is present) in a VM whose display is at least 1440 pixels wide and that runs none of the named security products. Beyond phishing, TGR-STA-1030 has been observed exploiting 15 known vulnerabilities in products including SAP Solution Manager, Microsoft Exchange Server, D-Link devices, and Microsoft Windows.

New Linux rootkit: ShadowGuard

A defining feature of the Shadow Campaigns is the deployment of a custom Linux eBPF rootkit named ‘ShadowGuard’. eBPF (extended Berkeley Packet Filter) programs run inside the kernel, attached to hooks such as tracepoints and kprobes on system calls. From there a program can read a syscall’s arguments and return value and, with the bpf_probe_write_user helper, overwrite the buffer the kernel is about to return to user space. That is the usual mechanism of an eBPF rootkit: it does not patch kernel code, it edits the answers before ps, ls or a security agent reads them.

The use of eBPF-based backdoors is a significant challenge for standard breach detection, because the tampering happens below the layer most Endpoint Detection and Response (EDR) agents observe; an agent that reads /proc or directory listings receives the same doctored results as the administrator. Loading such a program requires elevated privileges (CAP_SYS_ADMIN, or CAP_BPF plus CAP_PERFMON on kernels 5.8 and later), so ShadowGuard is a post-compromise persistence and evasion tool rather than an initial-access technique.

ShadowGuard features several advanced capabilities:

  • Process Hiding: It can conceal up to 32 Process IDs (PIDs) from standard monitoring utilities like ps or top.
  • File Obfuscation: It automatically hides files and directories containing the string swsecret.
  • Selective Visibility: The operator can define specific processes that should remain visible to avoid triggering suspicion during manual system audits.
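To make the visibility gap concrete, here is an added example (written for this article; it is not ShadowGuard code and not a tool from any vendor mentioned here) implementing two host-side checks a responder can run on a Linux box: a cross-view comparison of the /proc directory listing against a direct per-PID probe, which exposes a listing-only getdents64 hook, and a parser for the warning line the kernel logs whenever a program that uses the bpf_probe_write_user helper is loaded. It assumes Python 3 on Linux with /proc mounted; the dmesg excerpt is constructed.

```python
"""Two host-side checks for a getdents64-hooking eBPF rootkit.

Added example written for this article; not ShadowGuard code and not tooling
from any vendor named on the page. Assumes Linux with /proc mounted.

1. Cross-view PID check: a hook on getdents64 blanks PIDs out of the /proc
   directory listing that ps/top read, but it cannot stop /proc/<pid> from
   being opened by name. Probing every candidate PID directly exposes the gap.
2. Kernel warning check: loading any BPF program that uses bpf_probe_write_user
   (the helper that rewrites syscall results in user memory) makes the kernel
   print a rate-limited warning naming the loading process.
"""
import os
import re
from typing import List, Optional, Set, Tuple

PROC = "/proc"


def is_supported() -> bool:
    """True on a Linux host where /proc is mounted."""
    return os.path.isfile(os.path.join(PROC, "self", "status"))


def pids_via_readdir() -> Set[int]:
    """Listing view: the PIDs ps/top see (readdir on /proc is getdents64)."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def tgid_of(pid: int) -> Optional[int]:
    """Tgid from /proc/<pid>/status, or None if the entry is gone or unreadable."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def pids_via_probe(max_pid: int) -> Set[int]:
    """Probe view: kill(pid, 0) then open /proc/<pid>/status by name.
    Neither path goes through getdents64. Thread IDs also answer kill(),
    so keep only thread-group leaders (Tgid == pid)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by someone else
        if tgid_of(pid) == pid:
            alive.add(pid)
    return alive


def hidden_pids(max_pid: Optional[int] = None) -> Set[int]:
    """PIDs that are alive but absent from the /proc listing."""
    if not is_supported():
        return set()
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = pids_via_readdir()
    probed = pids_via_probe(max_pid)
    after = pids_via_readdir()
    # Suspicious only if missing from BOTH listings and still alive afterwards;
    # listing twice screens out processes that start or exit mid-scan.
    return {pid for pid in probed - before - after if tgid_of(pid) == pid}


def self_is_listed() -> bool:
    """Sanity check: our own PID must appear in the listing view."""
    return (not is_supported()) or os.getpid() in pids_via_readdir()


# Exact kernel text (kernel/trace/bpf_trace.c), optionally after a dmesg timestamp.
WRITE_USER_WARNING = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\] is installing a program with "
    r"bpf_probe_write_user helper that may corrupt user memory!"
)


def loaders_using_probe_write_user(dmesg_lines: List[str]) -> List[Tuple[str, int]]:
    """(comm, pid) of every process that loaded a bpf_probe_write_user program."""
    hits = []
    for line in dmesg_lines:
        m = WRITE_USER_WARNING.search(line)
        if m:
            hits.append((m.group("comm"), int(m.group("pid"))))
    return hits


# Constructed dmesg excerpt: one benign line, one loader warning.
SAMPLE_DMESG = [
    "[   12.345678] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    "[ 4821.004412] loader[4242] is installing a program with "
    "bpf_probe_write_user helper that may corrupt user memory!",
]

if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids())
    print("bpf_probe_write_user loaders:", loaders_using_probe_write_user(SAMPLE_DMESG))
```

Run it as root for the full picture. A rootkit that also filters path lookup, not only the listing, would pass the first check; the second check does not depend on what the rootkit hides, only on how it was loaded, which is why the dmesg line is worth forwarding to the SIEM on every Linux host.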

Geopolitical Espionage and Messaging App Exploitation

Parallel to the Shadow Campaigns, German security agencies (BfV and BSI) have issued warnings regarding targeted phishing attacks on the Signal messaging app. This campaign targets high-ranking politicians, military personnel, and investigative journalists.

The attack vector abuses the “device linking” feature common to modern messengers; no software vulnerability is involved. Victims are lured into scanning a QR code that in fact links an attacker-controlled device to their account, after which the attacker receives the victim’s messages in real time and, through linked-device history sync, the last 45 days of message history. While currently focused on Signal, the same method applies to WhatsApp. These operations are often attributed to Russian-aligned clusters such as Star Blizzard or UNC5792.

For organizations, this underscores the need to monitor messaging platforms (including Telegram) and broader social media for impersonation attempts and credential harvesting aimed at key personnel.

Recent research highlights a shift in the vulnerability lifecycle. The term “Negative-Day” refers to the window where a vulnerability is patched in a public code repository but has not yet been assigned a CVE or publicized through traditional channels.

Analysis of open-source projects shows that threat actors monitor GitHub commits and reverse-engineer security fixes as they land. In some cases the time-to-exploit is effectively negative: exploitation begins from analysis of the patch hours before the CVE is indexed in major cyber threat intelligence feeds.

An example occurred with a command injection vulnerability in a Next.js canary release. A commit intended to fix path handling on Windows replaced execSync with execa, that is, it swapped a call that runs a shell command string for one that spawns a program with an argument vector. To anyone reading the diff, that swap alone advertises that the old code passed attacker-influenced input to a shell, and the public commit allowed a proof of concept (PoC) to be developed rapidly, before any advisory was issued. This environment necessitates supply-chain risk monitoring that can recognize when a dependency has received a silent security fix.

Operational Failures and Ransomware Outages

While state actors focus on espionage, the financial and payment sectors continue to face disruptions from both criminal activity and internal errors.

BridgePay Ransomware Incident

In February 2026, BridgePay Network Solutions confirmed a ransomware attack that resulted in a nationwide service outage. This incident impacted gateway APIs, virtual terminals, and hosted payment pages. Merchants across the U.S. were forced to revert to cash-only transactions. The recovery process emphasizes the need for real-time ransomware intelligence and a live ransomware API to provide early warning of similar infrastructure-level attacks.

Bithumb Operational Error

Conversely, the South Korean exchange Bithumb experienced a significant disruption due to an internal system configuration error rather than a hack. During a promotion, the system incorrectly credited 695 accounts with 2,000 Bitcoin each (1.39 million BTC in total), approximately $40 billion in misplaced assets. Although 99.7% of the funds were recovered within 35 minutes, the incident caused a 17% flash crash on the exchange. This highlights that internal controls are as critical as external defenses in maintaining market stability.

Actionable Takeaways for Engineering and Management

To defend against sophisticated actors like TGR-STA-1030 and the broader landscape of rapid exploitation, the following technical and operational measures are recommended:

For Technical Teams:

  • eBPF Monitoring: Log every bpf() syscall (an auditd syscall rule or the EDR’s equivalent) and alert on loads from processes that are not your known BPF users. Enumerate what is loaded with bpftool prog list and bpftool link list, and treat any tracepoint or kprobe program attached to the entry or exit of getdents64 as hostile until explained. Watch dmesg for the kernel’s warning about programs that use the bpf_probe_write_user helper, and set kernel.unprivileged_bpf_disabled=1 so that only privileged processes can load programs at all.
  • Commit Monitoring: For organizations maintaining large codebases or critical dependencies, implement automated workflows that score incoming commits for silent security fixes: security-related terms in the message, but above all diff-level signals such as an injection-prone API being replaced by its safer form or new input validation appearing without explanation.
  • Vulnerability Management: Prioritize patching for the 15 vulnerabilities identified in the Shadow Campaigns, particularly those affecting SAP and Microsoft Exchange.
  • MFA and Device Linking: Enforce strict policies for messaging app usage on corporate devices. Where the platform or MDM allows it, restrict device linking; otherwise have high-risk users review their linked-devices list regularly and remove anything they do not recognize, and make clear that legitimate linking never starts with a QR code received from someone else.
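The Next.js case above and the commit-monitoring recommendation describe the same workflow, so here is one added example serving both (written for this article; it is not tooling from Next.js, execa, or any vendor named here): a small triage script that scores commits on their diff rather than on their message, so a silent fix whose message says only “fix path handling” still surfaces. The commit records are constructed, and the weights and flag threshold are assumptions to tune per repository.

```python
"""Score commits for silent security fixes (the 'negative-day' window).

Added example written for this article; not tooling from Next.js, execa, or any
vendor named on the page. Commit records below are constructed. Weights and the
flag threshold are assumptions to tune per repository.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

MESSAGE_TERMS = re.compile(
    r"\b(sanitiz\w*|escap\w*|travers\w*|inject\w*|overflow|xss|csrf|ssrf|rce|"
    r"untrusted|unsafe|validat\w*|cve-\d{4}-\d+|security|harden\w*|bypass)\b",
    re.IGNORECASE,
)
# (pattern on removed lines, pattern on added lines, what the swap usually means)
API_SWAPS: List[Tuple[str, str, str]] = [
    (r"\bexecSync\s*\(", r"\bexeca\s*\(", "shell-string exec replaced by argv spawn (Node)"),
    (r"\bexec\s*\(", r"\bexecFile\s*\(", "shell-string exec replaced by argv spawn (Node)"),
    (r"\bshell\s*=\s*True\b", r"\bshell\s*=\s*False\b", "subprocess shell=True removed (Python)"),
    (r"\bstrcpy\s*\(", r"\b(strncpy|strlcpy)\s*\(", "unbounded copy replaced by bounded copy (C)"),
    (r"\bsprintf\s*\(", r"\bsnprintf\s*\(", "unbounded format replaced by bounded format (C)"),
    (r"\.innerHTML\s*=", r"\.textContent\s*=", "HTML sink replaced by text sink (DOM XSS)"),
]
# Added lines that introduce input checks are a weaker signal on their own.
GUARD_PATTERNS = re.compile(
    r"path\.(normalize|resolve)\(|\.startsWith\(|\.\.[/\\]|realpath\(|throw new Error\(|raise ValueError\("
)
FLAG_THRESHOLD = 5  # one API swap alone is enough; keywords plus a guard are not


@dataclass
class Commit:
    sha: str
    message: str
    diff: str  # unified diff text


def split_diff(diff: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) source lines, skipping file and hunk headers."""
    added, removed = [], []
    for line in diff.splitlines():
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def triage(commit: Commit) -> Dict[str, object]:
    """Score one commit; 'flag' means it deserves a human look before any CVE lands."""
    added, removed = split_diff(commit.diff)
    added_text, removed_text = "\n".join(added), "\n".join(removed)
    score, reasons = 0, []
    terms = sorted({m.group(0).lower() for m in MESSAGE_TERMS.finditer(commit.message)})
    if terms:
        score += 2
        reasons.append("message mentions " + ", ".join(terms))
    for old, new, meaning in API_SWAPS:
        if re.search(old, removed_text) and re.search(new, added_text):
            score += 5
            reasons.append(meaning)
    guards = [line.strip() for line in added if GUARD_PATTERNS.search(line)]
    if guards:
        score += min(3, len(guards))
        reasons.append(f"{len(guards)} added input guard(s)")
    return {"sha": commit.sha, "score": score, "flag": score >= FLAG_THRESHOLD, "reasons": reasons}


def rank(commits: List[Commit]) -> List[Dict[str, object]]:
    """Highest-scoring commits first (stable sort, so ties keep repository order)."""
    return sorted((triage(c) for c in commits), key=lambda r: r["score"], reverse=True)


# Constructed samples. The first mirrors the pattern from the article: the message
# says nothing about security, but the diff swaps a shell-string exec for an argv spawn.
SAMPLE_COMMITS = [
    Commit("a1b2c3d", "fix: path handling on Windows",
           "--- a/cli/run.js\n+++ b/cli/run.js\n@@ -1,4 +1,6 @@\n"
           '-const { execSync } = require("child_process");\n'
           '+const { execa } = require("execa");\n+const path = require("path");\n'
           "-function run(dir) {\n-  return execSync(`git -C ${dir} status`).toString();\n"
           '+async function run(dir) {\n+  const { stdout } = await execa("git", ["-C", path.normalize(dir), "status"]);\n'
           "+  return stdout;\n }\n"),
    Commit("d4e5f6a", "docs: refresh README badges",
           "--- a/README.md\n+++ b/README.md\n@@ -1 +1 @@\n-# Project\n+# Project ![ci](badge.svg)\n"),
    Commit("0789abc", "fix build warning",
           "--- a/src/name.c\n+++ b/src/name.c\n@@ -10,2 +10,3 @@\n"
           "-    strcpy(buf, name);\n+    strncpy(buf, name, sizeof(buf) - 1);\n+    buf[sizeof(buf) - 1] = '\\0';\n"),
    Commit("fedcba9", "harden: validate upload filename",
           "--- a/upload.js\n+++ b/upload.js\n@@ -3,2 +3,3 @@\n function save(name) {\n"
           '+  if (name.includes("..")) throw new Error("bad name");\n'),
]

if __name__ == "__main__":
    for result in rank(SAMPLE_COMMITS):
        print(result)
```

The threshold is deliberately set so that one API swap flags on its own while a keyword-rich message with a single new guard does not; in practice the swap table is the part worth growing, one entry per injection primitive your dependencies actually use.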

For Business Leaders:

  • Supply Chain Visibility: Evaluate the security posture of third-party payment processors and software vendors.
  • Intelligence Integration: Transition from reactive to proactive defense by utilizing underground forum intelligence to identify if corporate credentials or data are being discussed.
  • Brand Protection: Deploy a brand leak alerting system to monitor for spoofed domains or social media accounts used in executive-targeted phishing.

Strategic Alignment with PurpleOps Services

PurpleOps provides the technical infrastructure and expertise required to navigate these complex threats. Our cyber threat intelligence platform integrates the latest IoCs from operations like the Shadow Campaigns, ensuring your SOC is equipped with real-time ransomware intelligence.

For organizations concerned about kernel-level threats and sophisticated espionage, our penetration testing and red team operations simulate the tactics used by TGR-STA-1030. This includes testing for eBPF rootkit persistence and tailored phishing evasions.

Furthermore, our dark web monitoring and underground forum intelligence services provide visibility into the reconnaissance phase of state-sponsored attacks, allowing for earlier intervention. We also offer specialized supply chain information security assessments to mitigate the risks posed by “negative-day” exploitation in open-source components.

The scale of the Shadow Campaigns suggests that traditional perimeter defense is insufficient. Comprehensive visibility across the kernel, the network, and the external threat landscape is necessary to maintain a resilient security posture.

To learn more about how our platform can protect your infrastructure from global espionage operations, visit our platform overview or explore our full range of cybersecurity services. For immediate assistance with ransomware protection or incident response, contact our team of analysts.

Frequently Asked Questions

What is the ‘Shadow Campaigns’ operation?
It is a large-scale, state-sponsored espionage operation conducted by TGR-STA-1030 (UNC6619) targeting 155 countries, primarily focusing on government, trade, and economic intelligence.

What makes the ShadowGuard rootkit so dangerous?
ShadowGuard runs as eBPF programs inside the Linux kernel and alters the results that system calls return, so the processes and files it protects disappear from the view of standard security tools and system administrators alike.

What is a ‘Negative-Day’ vulnerability?
It is a vulnerability that has been fixed in a public code repository but has not yet been officially announced or assigned a CVE, giving attackers a window to exploit systems before users are aware a patch exists.

How are messaging apps like Signal being exploited?
Attackers use social engineering to trick users into scanning QR codes for “device linking,” which grants the attacker access to the victim’s account and message history.