
Verticals Targeted: Government, Telecommunications, Finance, Aerospace
Regions Targeted: North America, South America, Africa, Europe, Asia
Related Families: Diaoyu Loader, ShadowGuard, Cobalt Strike, VShell
Executive Summary
A sophisticated state-aligned cyberespionage operation attributed to TGR-STA-1030 (also tracked as UNC6619) has been discovered, operating from Asia. It has compromised government and critical infrastructure entities across 37 countries over the past year while conducting reconnaissance against government infrastructure in 155 countries. The group's “Shadow Campaigns” leverage phishing, N-day exploitations, and advanced tooling to prioritize intelligence collection on economic partnerships, trade, and diplomatic activities.
Key Takeaways
- Initial access occurs via phishing lures impersonating government organizations, delivering Diaoyu Loader, which deploys Cobalt Strike and employs anti-sandbox techniques including resolution and file checks.
- In the campaign, the threat actors leveraged a variety of tools including Cobalt Strike, VShell, web shells, tunneling tools, and the unique Linux eBPF rootkit ShadowGuard for kernel-level stealth.
- The campaign relies on broad exploitation of N-day vulnerabilities across multiple products including SAP, Microsoft Exchange, D-Link, and others.
- High-confidence assessment by Palo Alto’s Unit 42 researchers links TGR-STA-1030 to Asia based on tooling, language preferences, timing aligned with GMT+8, and upstream infrastructure connections.
The Shadow Campaigns
The Shadow Campaigns, as named by Palo Alto’s Unit 42 researchers, represent an expansive and persistent cyberespionage effort by TGR-STA-1030, a state-aligned actor originating from Asia. Active since at least January 2024, the group initially surfaced in early 2025 through phishing operations targeting European government entities, using lures related to organizational restructuring to deliver malicious archives. These archives contained executables named to match the targeted entity, such as references to police and border guard structural changes.
The primary loader, internally named DiaoYu.exe (diaoyu meaning "fishing," a nod to phishing), incorporates anti-analysis measures. It enforces a minimum horizontal screen resolution of 1440 pixels and requires the presence of a zero-byte file in the execution directory to proceed, terminating gracefully otherwise to evade sandbox environments. The malware checks for specific security products, including Kaspersky, Avira, Bitdefender, SentinelOne, and Symantec, before downloading decoy images from a now-removed GitHub repository and ultimately installing a Cobalt Strike payload.
While phishing formed the early attack vector, the group increasingly relies on exploitation for access. Observed attempts targeted known vulnerabilities in SAP Solution Manager, Pivotal Spring Data Commons, Microsoft Open Management Infrastructure, Microsoft Exchange Server, D-Link devices, Struts2, and others, including leveraging CVE-2019-11580 against Atlassian Crowd in foreign affairs ministry e-passport services. No evidence indicates custom zero-day development.
Tooling has evolved over time, shifting from Cobalt Strike (2024 to early 2025) to VShell, a Go-based C2 framework. Additional frameworks include Havoc, SparkRat, and Sliver. Web shells such as Behinder, Neo-reGeorg, and Godzilla support persistence and lateral movement, with some Godzilla variants obfuscated using code from the Tas9er project. Tunneling employs GOST, FRPS, and IOX.
A notable discovery is ShadowGuard, a Linux kernel rootkit utilizing eBPF technology. Operating within kernel space, it hides processes, conceals files/directories, and maintains an allow-list for exclusions. Its stealth stems from executing in the kernel's BPF virtual machine, bypassing conventional detection.
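One way defenders surface processes that a rootkit hides from /proc is a cross-view check: a rootkit that filters directory listings of /proc still leaves the kernel answering kill(pid, 0) for the hidden PID, so the two views disagree. The script below is an added example, not code from the original report or from Unit 42; the function names and the simulated data in the test are constructed.

```python
"""Cross-view process enumeration: PIDs alive per kill(pid, 0) but absent from /proc."""
import os
from typing import Callable, Iterable, Set


def listed_pids(proc_path: str = "/proc") -> Set[int]:
    """PIDs visible through an ordinary directory listing of /proc."""
    return {int(name) for name in os.listdir(proc_path) if name.isdigit()}


def pid_alive(pid: int) -> bool:
    """Probe a PID without delivering a signal; EPERM still proves it exists."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False


def find_hidden_pids(listed: Set[int], probe: Callable[[int], bool],
                     pid_range: Iterable[int]) -> Set[int]:
    """Return PIDs the probe confirms alive but the directory listing omits."""
    return {pid for pid in pid_range if pid not in listed and probe(pid)}


def max_pid() -> int:
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


if __name__ == "__main__":
    candidates = find_hidden_pids(listed_pids(), pid_alive, range(1, max_pid() + 1))
    # A process started between the listing and the probe is a false positive;
    # re-listing drops it, while a genuinely hidden PID stays absent from /proc.
    hidden = {pid for pid in candidates if pid not in listed_pids()}
    print("hidden pids:", sorted(hidden) or "none")
```

Run it as root on the host (not inside a container with its own PID namespace) so the /proc view and the probe cover the same set of processes.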
Infrastructure follows a multi-tiered model: victim-facing C2 hosted on reputable VPS providers in the US, UK, and Singapore for the appearance of legitimacy and for low latency; relays reached via SSH or RDP; anonymization through residential proxies, Tor, or similar services; and upstream connections that occasionally reveal AS9808 origins. Domains leverage TLDs such as .me, .live, .help, and .tech.
Victimology centers on government entities tied to economic, trade, natural resources, and diplomatic functions. Reconnaissance narrowed to government infrastructure across 155 countries in late 2025, with compromises in at least 70 organizations across 37 countries. Activity correlates with real-world events, such as mining deals, trade probes, diplomatic meetings, elections, and resource competitions, particularly in regions involving rare earth minerals, international partnerships, and geopolitical alignments of interest to the actor's region.
IOCs
PolySwarm has multiple samples associated with this activity.
Phishing/Downloader
66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0
23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe
File Exploiting CVE-2019-11580
9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4
Cobalt Strike
5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe
b2a6c8382ec37ef15637578c6695cb35138ceab42ce4629b025fa4f04015eaf2