- What: A threat group compromised government and critical infrastructure in 37 countries.
- Impact: Global espionage affecting numerous sectors and countries.
The Shadow Campaigns: Uncovering Global Espionage

By: Unit 42
Published: February 5, 2026
Categories: Nation-State Cyberattacks, Threat Actor Groups
Tags: Asia, Espionage, Government, Phishing, TGR-STA-1030

Executive Summary

This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia.

Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year. Further, between November and December 2025, we observed the group conducting active reconnaissance against government infrastructure associated with 155 countries.

This group primarily targets government ministries and departments. For example, the group has successfully compromised:

- Five national-level law enforcement/border control entities
- Three ministries of finance and various other government ministries
- Departments globally that align with economic, trade, natural resources and diplomatic functions

Given the scale of compromise and the significance of these organizations, we have notified impacted entities and offered them assistance through responsible disclosure protocols.

Here we describe the technical sophistication of the actors, including the phishing and exploitation techniques, tooling and infrastructure used by the group. We provide defensive indicators, including infrastructure that is active at the time of this publication.
Further, we take an in-depth look at victimology by region, with the intent of demonstrating the suspected motivations of the group. The results indicate that this group prioritizes efforts against countries that have established or are exploring certain economic partnerships. Additionally, we have pre-shared these indicators with industry peers to ensure robust cross-industry defenses against this threat actor.

Palo Alto Networks customers are better protected from the threats described in this article through products and services, including:

- Advanced URL Filtering and Advanced DNS Security
- Advanced WildFire
- Advanced Threat Prevention
- Cortex XDR and XSIAM

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics: Asia, Phishing

Actor Introduction

Unit 42 first identified TGR-STA-1030 (aka UNC6619) while investigating a cluster of malicious phishing campaigns (referred to here as the Shadow Campaigns) targeting European governments in early 2025. We use the prefix TGR-STA as a placeholder to denote a temporary group of state-aligned activity while we continue to refine attribution to a specific organization. Since our initial investigation, we have identified actor infrastructure dating as far back as January 2024, suggesting that the group has been active for at least two years.

Over the past year, we have monitored the evolution and expansion of the group as it has compromised:

- Five national-level law enforcement/border control entities
- Three ministries of finance and various other government ministries
- Departments globally that align with economic, trade, natural resources and diplomatic functions

We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia.
We base this assessment on the following findings:

- Frequent use of regional tooling and services
- Language setting preferences
- Targeting and timing that routinely align with events and intelligence of interest to the region
- Upstream connections to operational infrastructure originating from the region
- Actor activity routinely aligning with GMT+8

Additionally, we found that one of the attackers uses the handle “JackMa,” which could refer to the billionaire businessman and philanthropist who co-founded Alibaba Group and Yunfeng Capital.

Phishing

In February 2025, Unit 42 investigated a cluster of malicious phishing campaigns targeting European governments. These campaigns followed a pattern of being sent to government email recipients with a lure of a ministry or department reorganization and links to malicious files hosted on mega[.]nz. Figure 1 below shows an example.

Figure 1. Example phishing email (translated).

Clicking on the link downloads an archive file with language and naming that is consistent with the targeted country and ministry. We assess that an Estonian government entity identified the campaign and uploaded one such ZIP archive to a public malware repository. In this case, the Estonian filename was:

Politsei- ja Piirivalveameti organisatsiooni struktuuri muudatused.zip

This translates to:

Changes to the organizational structure of the Police and Border Guard Board.zip

Diaoyu Loader

Analyzing the archive, we found that the contents were last modified on Feb. 14, 2025. The archive contains an executable file with the same name as the ZIP and a zero-byte file named pic1.png. Reviewing the executable metadata, we found that the file version is presented as 2025,2,13,0, suggesting that the file was likely created one day prior, on Feb. 13. This date also corresponds to the PE compile timestamp. Additionally, the metadata shows that the file’s original name was DiaoYu.exe.
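The packaging details above (an executable sharing the archive's base name, a zero-byte pic1.png alongside it, member timestamps a day after the PE compile timestamp) are all checkable statically, before anything is detonated. The script below is an added example, not Unit 42 tooling: it builds a constructed ZIP in memory that mirrors the described archive, then reports those indicators. The embedded "executable" is a constructed minimal PE header carrying only a COFF TimeDateStamp, so the compile-timestamp check is real but the version resource the report mentions is not modelled.

```python
"""Static triage for an archive matching the Diaoyu loader packaging pattern.

Added example (not Unit 42 tooling). The ZIP and the PE inside it are
constructed for the example; the indicators checked come from the report.
"""
import datetime
import io
import struct
import zipfile

AUX_FILE = "pic1.png"                      # zero-byte companion file named in the report
EXE_SUFFIXES = (".exe", ".scr", ".com")


def build_minimal_pe(compile_ts: int) -> bytes:
    """Constructed stand-in for DiaoYu.exe: MZ stub, PE signature, COFF header.
    Real loaders carry sections and a version resource; this only carries the
    fields the triage below reads (e_lfanew and TimeDateStamp)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header starts at offset 64
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, compile_ts, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_compile_timestamp(data: bytes):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)  # 4 (signature) + 4 (Machine, NumberOfSections)
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)


def triage_archive(zip_bytes: bytes, archive_name: str) -> dict:
    """Check a ZIP for the loader's packaging pattern and pull PE metadata from the executable."""
    stem = archive_name.rsplit(".", 1)[0]
    findings = {
        "same_name_executable": False,
        "zero_byte_aux_file": False,
        "latest_member_mtime": None,
        "pe_compile_timestamp": None,
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            mtime = datetime.datetime(*info.date_time)
            if findings["latest_member_mtime"] is None or mtime > findings["latest_member_mtime"]:
                findings["latest_member_mtime"] = mtime
            if name.lower().endswith(EXE_SUFFIXES) and name.rsplit(".", 1)[0] == stem:
                findings["same_name_executable"] = True
                findings["pe_compile_timestamp"] = pe_compile_timestamp(zf.read(info))
            if name.lower() == AUX_FILE and info.file_size == 0:
                findings["zero_byte_aux_file"] = True
    findings["matches_loader_pattern"] = (
        findings["same_name_executable"] and findings["zero_byte_aux_file"]
    )
    return findings


def build_sample_archive():
    """Constructed sample mirroring the Estonian archive named in the report."""
    archive_name = "Politsei- ja Piirivalveameti organisatsiooni struktuuri muudatused.zip"
    stem = archive_name[:-4]
    compile_ts = int(datetime.datetime(2025, 2, 13, tzinfo=datetime.timezone.utc).timestamp())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        exe = zipfile.ZipInfo(stem + ".exe", date_time=(2025, 2, 14, 9, 0, 0))
        zf.writestr(exe, build_minimal_pe(compile_ts))
        aux = zipfile.ZipInfo(AUX_FILE, date_time=(2025, 2, 14, 9, 0, 0))
        zf.writestr(aux, b"")
    return buf.getvalue(), archive_name


if __name__ == "__main__":
    data, name = build_sample_archive()
    for key, value in triage_archive(data, name).items():
        print(f"{key}: {value}")
```

When a sample like this is submitted for dynamic analysis, submit the whole archive rather than the executable alone; the zero-byte companion file is part of what the loader checks before it does anything.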
The term Diaoyu translates to fishing, or phishing in a cybersecurity context.

The malware employs a dual-stage execution guardrail to thwart automated sandbox analysis. Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory. In this context, pic1.png acts as a file-based integrity check. If the malware sample is submitted to a sandbox in isolation, the absence of this auxiliary file causes the process to terminate gracefully before detonation, effectively masking its malicious behavior.

Only upon satisfying these prerequisites does the malware proceed to audit the host for the following cybersecurity products:

- Avp.exe (Kaspersky)
- SentryEye.exe (Avira)
- EPSecurityService.exe (Bitdefender)
- SentinelUI.exe (SentinelOne)
- NortonSecurity.exe (Symantec)

This narrow selection of products is interesting, and it is unclear why the actor chose to look only for these specific products. While various malware families commonly check for the presence of antivirus products, malware authors typically include a more comprehensive list that encompasses a variety of global providers.

After checking for these products, the malware downloads the following files from GitHub:

- hxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/admin-bar-sprite[.]png
- hxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/Linux[.]jpg
- hxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/Windows[.]jpg

It should be noted that the padeqav GitHub project is no longer available. Finally, the malware performs a series of actions on these files that ultimately result in the installation of a Cobalt Strike payload.
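The indicators in the Phishing and Diaoyu Loader sections are published defanged, and the padeqav repository has already been removed, so a defender gets more mileage from the staging pattern than from the exact URLs. The script below is an added example, not Unit 42 tooling: it refangs the report's indicators, matches them against proxy log lines, and additionally flags the more durable behaviour of a non-browser process pulling image-named files from raw GitHub content. The log lines and their four-field format (timestamp, client, process, URL) are constructed for the example.

```python
"""Match the report's defanged indicators against proxy log lines.

Added example, not Unit 42 tooling. The indicators are the ones published in
the report; the proxy log lines and their format are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators exactly as the report publishes them (defanged).
DEFANGED_IOCS = [
    "hxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/admin-bar-sprite[.]png",
    "hxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/Linux[.]jpg",
    "hxxps[:]//raw.githubusercontent[.]com/padeqav/WordPress/refs/heads/master/wp-includes/images/Windows[.]jpg",
]
DEFANGED_DOMAINS = ["mega[.]nz"]  # phishing lure host named in the report


def refang(indicator: str) -> str:
    """Reverse the usual defanging (hxxp, [:], [.]) so the string compares to live logs."""
    s = re.sub(r"^hxxp(s?)\[?:\]?//", r"http\1://", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


IOC_URLS = {refang(u) for u in DEFANGED_IOCS}
IOC_HOSTS = {refang(d) for d in DEFANGED_DOMAINS}

# The padeqav repository is gone, so the exact URLs will age out. The staging
# pattern behind them (raw GitHub content with an image extension, fetched by a
# process that is not a browser) is the more durable thing to alert on.
STAGING_HOST = "raw.githubusercontent.com"
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log format: <timestamp> <client> <process> <url>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<process>\S+)\s+(?P<url>\S+)$")


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (reason, evidence) for a suspicious line, or None for a benign one."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = m["url"]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if url in IOC_URLS:
        return ("exact_ioc", url)
    if host in IOC_HOSTS:
        return ("ioc_domain", host)
    if (host == STAGING_HOST and parts.path.lower().endswith(IMAGE_EXTENSIONS)
            and m["process"].lower() not in BROWSER_PROCESSES):
        return ("github_staging_pattern", url)
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, reason, evidence) for every line that matches."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split()[0],) + verdict)
    return hits


# Constructed sample traffic: one exact IoC hit, one staging-pattern hit,
# one lure-host hit, and one benign browser fetch that must not alert.
SAMPLE_LOG = [
    "2025-02-14T09:12:03Z 10.0.0.21 DiaoYu.exe https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/Windows.jpg",
    "2025-02-14T09:12:04Z 10.0.0.21 DiaoYu.exe https://raw.githubusercontent.com/someone-else/repo/main/assets/icon.png",
    "2025-02-14T09:10:41Z 10.0.0.21 outlook.exe https://mega.nz/file/constructed-example",
    "2025-02-14T09:15:00Z 10.0.0.22 chrome.exe https://raw.githubusercontent.com/example/docs/main/logo.png",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The staging rule will produce some noise from developer tooling and package managers that legitimately fetch raw GitHub content; the process-name exclusion list is the knob to tune, and the exact-URL and lure-domain rules stay high confidence regardless.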
Exploitation

In addition to phishing campaigns, the group often couples exploitation attempts with its reconnaissance activities to gain initial access to target networks. To date, we have not observed the group developing, testing or deploying any zero-day exploits. However, we assess that the group is comfortable testing and deploying a wide range of common tools, exploitation kits and proof-of-concept code for N-day exploits. For example, over the past year, our Advanced Threat Prevention service has detected and blocked attempts by the group to exploit the following types of vulnerabilities:

- SAP Solution Manager privilege escalation vulnerability
- Pivotal Spring Data Commons remote file read XXE vulnerability
- Microsoft Open Management Infrastructure remote code execution vulnerability
- Microsoft Exchange Server remote code execution vulnerability
- D-Link remote code execution vulnerability
- HTTP directory traversal request attempt
- HTTP SQL injection attempt
- Struts2 OGNL remote code execution vulnerability
- Ruijieyi Networks remote command execution vulnerability
- Eyou Email System remote command execution vulnerability
- Beijing Grandview Century eHR Software SQL injection vulnerability
- Weaver Ecology-OA remote code execution vulnerability
- Microsoft Windows win.ini access attempt detected
- Commvault CommCell CVSearchService download file authentication bypass vulnerability
- Zhiyuan OA remote code execution vulnerability

On one occasion, we observed the actor connecting to e-passport and e-visa services associated with a ministry of foreign affairs. Because the server for these services was configured with Atlassian Crowd software, the actor attempted to exploit CVE-2019-11580, uploading a payload named rce.jar. The code included in the payload was similar to the code described in another analysis of CVE-2019-11580 provided by Anquanke.
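Several of the signature classes above are generic HTTP patterns rather than product-specific bugs, which is what makes an N-day scanning run stand out: one source tripping traversal, win.ini, SQL injection and OGNL checks in quick succession, then trying a plugin upload. The inspector below is an added example, not Advanced Threat Prevention's signatures: it applies simplified stand-in patterns for four of the listed classes plus a check for a .jar upload to Crowd's admin area modelled on the rce.jar event, and summarises distinct rule hits per source. The request records are constructed, and the Crowd admin path in the last record is an assumption made for the example.

```python
"""Inspect web requests for the exploitation classes listed in the report.

Added example, not Advanced Threat Prevention's signatures. Patterns are
simplified stand-ins, request records are constructed, and the Crowd admin
path is an assumption for the rce.jar upload check.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Simplified signatures over "<METHOD> <decoded path>". Names follow the report's list.
RULES = [
    ("HTTP directory traversal request attempt", re.compile(r"\.\./|\.\.\\")),
    ("Microsoft Windows win.ini access attempt", re.compile(r"win\.ini", re.I)),
    ("HTTP SQL injection attempt",
     re.compile(r"\bunion\b.+\bselect\b|'\s*or\s*'1'\s*=\s*'1|;\s*drop\s+table", re.I)),
    ("Struts2 OGNL remote code execution", re.compile(r"%\{|\$\{")),
]
CROWD_ADMIN_PREFIX = "/crowd/admin/"   # assumption: Crowd's admin (plugin upload) area


def decode_path(path: str) -> str:
    """Decode percent-encoding twice so double-encoded traversal or OGNL probes stay visible."""
    return unquote(unquote(path))


def inspect(req: Dict) -> List[str]:
    """Return the names of every rule the request trips (empty list if benign)."""
    target = f"{req['method']} {decode_path(req['path'])}"
    hits = [name for name, rx in RULES if rx.search(target)]
    # A .jar uploaded to the Crowd admin area mirrors the rce.jar upload the report describes.
    uploads = req.get("files", [])
    if (req["method"] == "POST" and decode_path(req["path"]).startswith(CROWD_ADMIN_PREFIX)
            and any(f.lower().endswith(".jar") for f in uploads)):
        hits.append("Atlassian Crowd plugin upload (CVE-2019-11580 pattern)")
    return hits


def summarize(reqs: List[Dict]) -> Dict[str, List[str]]:
    """Distinct rule names per source: one host tripping many classes is N-day scanning, not noise."""
    seen: Dict[str, set] = {}
    for req in reqs:
        for name in inspect(req):
            seen.setdefault(req["src"], set()).add(name)
    return {src: sorted(names) for src, names in seen.items()}


# Constructed request records: source, method, path, multipart upload filenames.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "GET", "path": "/static/..%2F..%2F..%2Fwindows/win.ini", "files": []},
    {"src": "203.0.113.5", "method": "GET", "path": "/search?q=%27%20OR%20%271%27%3D%271", "files": []},
    {"src": "203.0.113.5", "method": "GET", "path": "/index.action?name=%25%7B1%2B1%7D", "files": []},
    {"src": "203.0.113.5", "method": "POST", "path": "/crowd/admin/uploadplugin.action", "files": ["rce.jar"]},
    {"src": "198.51.100.9", "method": "GET", "path": "/news/2025/reorganisation.html", "files": []},
]

if __name__ == "__main__":
    for src, names in summarize(SAMPLE_REQUESTS).items():
        print(src, "->", ", ".join(names))
```

The per-source summary is the part worth keeping: individual traversal or SQL-injection probes are background noise on any internet-facing host, but a single source covering four or five unrelated classes in one session is the reconnaissance-plus-exploitation coupling the section describes.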
Tooling

We assess that the group relies heavily on a mix of command-and-control (C2) frameworks and tools common to the actors’ region to move laterally and maintain persistent access within compromised environments.

C2 Frameworks

From 2024 through early 2025, we observed the group commonly deploying Cobalt Strike payloads. However, over time the group slowly transitioned to VShell as its tool of choice. VShell is a Go-based C2 framework. The group often configures its web access on 5-digit ephemeral TCP port