Asian APT Campaign Breaches 70 Critical Infrastructure Organizations Across 37 Countries

A state-aligned cyberespionage group operating out of Asia has compromised at least 70 government and critical infrastructure organizations in 37 countries over the past year—and they're just getting started.


Executive Summary

In what security researchers are calling one of the most expansive nation-state espionage campaigns exposed in recent years, Palo Alto Networks' Unit 42 has unveiled "The Shadow Campaigns"—a systematic intrusion operation conducted by a newly identified threat actor tracked as TGR-STA-1030.

The numbers are staggering: 70 confirmed organizational compromises across 37 countries, with attackers maintaining persistent access to several victims for months at a time. Between November and December 2025 alone, the group conducted active reconnaissance against government infrastructure in 155 countries—representing nearly 80% of all nations on Earth.

"While this group might be pursuing espionage objectives, its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services," the Unit 42 researchers warned in their comprehensive report published this week.

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed awareness of TGR-STA-1030, stating they are "working with government, industry, and international partners to rapidly detect and mitigate any exploitation of the vulnerabilities identified in the report."

For CISOs defending government networks, critical infrastructure, and organizations with strategic economic value, this threat actor represents an immediate and ongoing risk requiring urgent attention.


Understanding TGR-STA-1030: The Shadow Campaigns Actor

Attribution and Origins

Unit 42 first identified TGR-STA-1030 in February 2025 while investigating a cluster of phishing campaigns targeting European governments. The researchers assess with "high confidence" that the group is state-aligned and operates out of Asia, basing this conclusion on multiple converging indicators:

  • Regional Tooling Preferences: Consistent use of tools and frameworks popular in Asia, including VShell, a Go-based command-and-control framework
  • Language Settings: Metadata and configuration files revealing Asian language preferences
  • Operational Timing: Activity patterns consistently aligning with GMT+8 timezone operations
  • Targeting Alignment: Operations correlating with geopolitical events and intelligence priorities of interest to Asian nation-states
  • Infrastructure Origins: Upstream connections traced to IP addresses belonging to AS 9808, owned by an internet service provider in the threat actor's region

While Palo Alto Networks stopped short of attributing the activity to a specific country, multiple characteristics align closely with objectives associated with the Chinese government. Notably, researchers discovered that one of the attackers uses the handle "JackMa"—a reference to the billionaire businessman who co-founded Alibaba Group.

The group's infrastructure dates back to January 2024, suggesting at least two years of active operations. However, the dramatic expansion in scope and sophistication observed in 2025 indicates a significant scaling of resources and ambition.

The Victim Profile: Who's Being Targeted

The confirmed victim list reads like a strategic intelligence collection priority matrix. TGR-STA-1030 has successfully compromised:

Government Institutions:

  • Five national-level law enforcement and border control entities
  • Three ministries of finance
  • One nation's parliament
  • A senior elected official of another nation
  • Ministries and departments of interior, foreign affairs, trade, economy, immigration, mining, justice, and energy across dozens of countries

Critical Infrastructure:

  • National telecommunications companies in multiple countries
  • A major supplier in Taiwan's power equipment industry
  • Energy sector organizations in countries with significant rare earth mineral reserves

Strategic Economic Targets:

  • Organizations involved in trade negotiations
  • Entities managing natural resources and mining operations
  • Companies in the aviation sector during sensitive procurement decisions

The targeting pattern reveals a clear intelligence collection focus on rare earth minerals, international trade agreements, economic partnerships, and geopolitical relationships—particularly those involving Taiwan and Western nations.


Technical Analysis: Attack Vectors and Tooling

Initial Access: Phishing and Exploitation

TGR-STA-1030 employs a dual-pronged approach to gaining initial network access: sophisticated spear-phishing campaigns and exploitation of known vulnerabilities.

The Phishing Approach

The group's phishing campaigns demonstrate careful preparation and localization. In the February 2025 European campaign, attackers sent emails impersonating official ministry communications about organizational restructuring. Each message was crafted in the target country's native language with convincing bureaucratic framing.

One example preserved by Estonian security officials was titled "Changes to the organizational structure of the Police and Border Guard Board"—a mundane-sounding administrative notice designed to trigger routine clicks from government employees.

These emails contained links to malicious files hosted on mega[.]nz, delivering a custom malware loader that Unit 42 has dubbed "Diaoyu", the Chinese word for fishing (and, in a security context, for phishing).

The Diaoyu Loader

Diaoyu demonstrates sophisticated anti-analysis techniques:

  1. Hardware Resolution Check: The malware only executes if the screen resolution is 1440 pixels or greater horizontally, filtering out most automated sandboxes
  2. File Dependency Check: Requires the presence of a companion file (pic1.png) in the execution directory—a simple but effective sandbox evasion technique
  3. Selective AV Detection: Checks for only five specific security products: Kaspersky, Avira, Bitdefender, SentinelOne, and Symantec

This narrow selection of antivirus targets is unusual. Most malware checks for dozens of security products. The limited scope may indicate the group has specific intelligence about their targets' security deployments or is attempting to minimize code footprint for evasion purposes.

After passing these checks, Diaoyu downloads additional payloads from GitHub repositories, ultimately deploying Cobalt Strike beacons for command-and-control.

Exploitation Activity

For organizations that prove resistant to phishing, TGR-STA-1030 maintains an extensive exploitation capability. While the group has not been observed using zero-day vulnerabilities, they aggressively deploy exploits for known (N-day) vulnerabilities across a remarkable range of products:

  • Enterprise Software: SAP Solution Manager, Atlassian Crowd (CVE-2019-11580), Commvault CommCell
  • Microsoft Products: Exchange Server, Open Management Infrastructure, Windows win.ini access
  • Web Frameworks: Struts2 OGNL, Pivotal Spring Data Commons
  • Regional Software: Eyou Email System, Beijing Grandview Century eHR, Weaver Ecology-OA, Zhiyuan OA, Ruijieyi Networks
  • Network Devices: D-Link routers
  • Generic Attacks: HTTP directory traversal, SQL injection

The targeting of regional Chinese software products (Weaver, Zhiyuan, Ruijieyi) alongside Western enterprise applications suggests the group maintains separate toolkits for different geographic targets.

Post-Exploitation: Maintaining Persistent Access

Once inside target networks, TGR-STA-1030 deploys a sophisticated arsenal of tools to maintain access and move laterally.

Command-and-Control Frameworks

The group has evolved its C2 preferences over time:

  • 2024-Early 2025: Primarily Cobalt Strike
  • Mid-2025 Onward: Transition to VShell, a Go-based C2 framework
  • Supplementary Tools: Havoc, SparkRat, and Sliver with varying degrees of success

VShell, documented extensively in NVISO research, configures web access on 5-digit ephemeral TCP ports using ordered numbers—a distinctive operational signature.

Web Shells

The three most commonly deployed web shells are:

  • Behinder: A Java-based encrypted web shell popular in Asian APT operations
  • Neo-reGeorg: A tunnel-based web shell for traffic forwarding
  • Godzilla: An encrypted web shell with extensive post-exploitation capabilities

Notably, the group has been observed obfuscating Godzilla web shells using code from the Tas9er GitHub project, which creates functions and strings with names like "Baidu" and adds explicit messages to governments—a brazen signature.

ShadowGuard: A New Linux Rootkit

Perhaps the most concerning discovery is ShadowGuard—a novel Linux kernel rootkit unique to TGR-STA-1030. This Extended Berkeley Packet Filter (eBPF) backdoor represents an escalation in sophistication.

eBPF backdoors are notoriously difficult to detect because they:

  • Operate entirely within the highly trusted kernel space
  • Don't appear as separate kernel modules
  • Execute inside the kernel's BPF virtual machine
  • Can manipulate core system functions before security tools see the true data

ShadowGuard provides:

  • Process Hiding: Conceals up to 32 processes simultaneously from standard tools like ps aux
  • File/Directory Hiding: Automatically conceals anything named "swsecret"
  • Allow-listing: Excludes specified processes from hiding functionality

The operator controls the rootkit through custom kill signals (-900 adds a PID to the allow list, -901 removes it), enabling stealthy management of hidden processes.
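As an added example (not code from the article or from Unit 42), the following Python script cross-checks the process and file hiding described above from user space: it compares the PIDs visible through a directory listing of /proc with those reachable by opening /proc/<pid>/status directly, and probes a few directories for an entry literally named "swsecret". It assumes the rootkit filters directory enumeration rather than every path lookup; the probe directories and the confirmation step are my additions, not details from the report.

```python
"""Added example, not code from the article or the Unit 42 report: a user-space
cross-check for the process and file hiding attributed to ShadowGuard. A rootkit
that filters directory enumeration removes hidden PIDs from os.listdir("/proc"),
but opening /proc/<pid>/status by name can still succeed, so comparing the two
views exposes the gap (the classic "unhide"-style procfs check). Assumption: the
hook filters directory listings rather than every path lookup; a rootkit that
also hooks stat/open defeats this check, which is why kernel-side eBPF program
auditing is still needed."""
import os
import sys

PROC = "/proc"
HIDDEN_NAME = "swsecret"          # name the article says ShadowGuard conceals
# Directories probed for a directly-named "swsecret" entry (constructed list).
PROBE_ROOTS = ("/tmp", "/var/tmp", "/dev/shm", "/root", "/opt", "/var/lib")

def pids_from_listing(proc=PROC):
    """PIDs as ps/top see them: a readdir of /proc."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def pid_limit(proc=PROC):
    with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
        return int(fh.read().strip())

def pids_from_probe(limit, proc=PROC):
    """PIDs found by opening /proc/<pid>/status directly, bypassing readdir."""
    return {pid for pid in range(1, limit + 1)
            if os.path.exists(os.path.join(proc, str(pid), "status"))}

def hidden_candidates(listed, probed, confirm=None):
    """Pure set comparison: PIDs the probe found that the listing lacked.
    A process that exits between the two passes looks the same, so `confirm`
    re-checks each candidate before it is reported."""
    diff = probed - listed
    if confirm is not None:
        diff = {pid for pid in diff if confirm(pid)}
    return diff

def still_hidden(pid, proc=PROC):
    """Confirm callback: process still exists AND is still absent from readdir."""
    exists = os.path.exists(os.path.join(proc, str(pid), "status"))
    return exists and str(pid) not in os.listdir(proc)

def describe(pid, proc=PROC):
    try:
        with open(os.path.join(proc, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"

def probe_named_paths(name=HIDDEN_NAME, roots=PROBE_ROOTS):
    """Paths <root>/<name> that exist when opened by name; a listing-only
    rootkit cannot hide a path the caller already knows."""
    return [os.path.join(r, name) for r in roots
            if os.path.exists(os.path.join(r, name))]

def main():
    listed = pids_from_listing()
    probed = pids_from_probe(pid_limit())
    hidden = hidden_candidates(listed, probed, confirm=still_hidden)
    for pid in sorted(hidden):
        print(f"HIDDEN PID {pid} comm={describe(pid)}")
    named = probe_named_paths()
    for path in named:
        print(f"NAMED PATH PRESENT BUT ABSENT FROM LISTING CHECKS: {path}")
    return 1 if hidden or named else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as root so that every /proc/<pid>/status is readable; a non-empty result is a lead to confirm with kernel-side tooling, not proof of compromise on its own.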

Tunneling Infrastructure

For network traversal and data exfiltration, the group employs:

  • GO Simple Tunnel (GOST): Multi-purpose proxy and tunnel
  • Fast Reverse Proxy Server (FRPS): For reverse proxy connections
  • IOX: Network traffic tunneling

Infrastructure: The Multi-Tiered Anonymization Approach

Victim-Facing Servers

Unlike many nation-state groups that favor bulletproof hosting in jurisdictions resistant to takedowns, TGR-STA-1030 prefers VPS infrastructure in countries with strong rule of law: the United States, United Kingdom, and Singapore.

This strategic choice likely serves multiple purposes:

  1. Infrastructure appears more legitimate to network defenders
  2. Enables low-latency connections across the Americas, Europe, and Southeast Asia
  3. Complicates investigation by requiring cross-agency international cooperation

Relay and Proxy Layers

Between operational infrastructure and C2 servers, the group maintains:

  • Relay VPS: Configured with SSH (port 22 or high ephemeral ports) and sometimes RDP (port 3389)
  • Proxy Services: Including DataImpulse residential proxies, Tor network, and other anonymization services

Operational Security Failures

Despite sophisticated infrastructure design, the group has made mistakes. When tunnels collapse or operators forget to establish connections, researchers have observed direct connections from upstream infrastructure belonging to AS 9808—an internet service provider in the threat actor's home region.

These errors have been crucial in establishing attribution confidence.

Notable Domains

The group registers domains across .me, .live, .help, and .tech TLDs:

  • gouvn[.]me: Targeting Francophone countries (mimicking "gouv" government domains)
  • dog3rj[.]tech: Targeting European nations (possibly referencing "DOGE Jr")
  • zamstats[.]me: Specifically targeting Zambian government

Global Targeting Analysis: Following the Money and Power

The Reconnaissance Scale

Between November and December 2025, TGR-STA-1030 conducted reconnaissance against government infrastructure in 155 countries. This isn't random scanning—the group focuses narrowly on government systems and specific targets of interest within each country.

The timing correlations with geopolitical events reveal intelligence collection priorities.

Americas: Exploiting the US Government Shutdown

During the October 2025 US government shutdown, TGR-STA-1030 dramatically increased operations across the Western Hemisphere, scanning government infrastructure in Brazil, Canada, Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago.

Honduras: On October 31, 2025—exactly 30 days before the national election where both candidates signaled openness to restoring diplomatic relations with Taiwan—the group initiated connections to at least 200 Honduran government IP addresses in one of their most intensive reconnaissance periods on record.

Bolivia: The group likely compromised a Bolivian mining-related entity. In July 2025, presidential candidate Jorge Quiroga pledged to scrap multi-billion-dollar mining deals with two Asian nations—placing Bolivia's rare earth negotiations in the crosshairs.

Brazil: Confirmed compromise of Brazil's Ministry of Mines and Energy. Brazil holds the world's second-largest rare earth mineral reserves, and exports tripled in the first half of 2025 as the US seeks alternatives to Asian supplies.

Mexico: Two ministries compromised, with activity correlating to tariff investigations. Malicious network traffic appeared within 24 hours of Mexico News Daily reporting on new tariff plans.

Venezuela: Following the January 3, 2026 capture of President Nicolás Maduro, the group conducted "extensive reconnaissance activities targeting at least 140 government-owned IP addresses."

Europe: Tracking Diplomatic Relationships

Czech Republic: When President Petr Pavel met privately with the Dalai Lama during an August 2025 India trip, TGR-STA-1030 immediately began scanning Czech infrastructure—the army, police, parliament, presidency, and ministries of interior, finance, and foreign affairs.

Germany: In July 2025, the group initiated connections to over 490 IP addresses hosting German government infrastructure in a "concerted focus" on Europe's largest economy.

Greece: The Syzefxis Project, designed to improve public services through faster internet connections, was compromised.

Asia-Pacific: Protecting Regional Interests

Mongolia: A police agency was breached shortly before Mongolia's justice minister met with an Asian counterpart.

Taiwan: A major supplier in Taiwan's power equipment industry was compromised.

Indonesia: While an Indonesian airline negotiated purchasing aircraft from a US manufacturer, attackers breached the airline's networks. During the same period, a "competing interest was actively promoting aircraft from a manufacturer based in Southeast Asia."


Intelligence Collection Priorities

The targeting pattern reveals clear strategic intelligence collection goals:

Rare Earth Minerals

With confirmed compromises of Brazil's energy ministry and Bolivian mining entities, plus targeting that correlates with international mining negotiations, rare earth mineral supply chain intelligence is clearly a priority. This aligns with broader economic competition for critical materials essential to electronics, renewable energy, and defense applications.

Trade Agreements and Economic Partnerships

The timing of operations against Mexico during tariff discussions, and the targeting of organizations involved in economic negotiations, indicates systematic collection on international trade positioning.

The Honduras reconnaissance before Taiwan-leaning elections, Czech targeting after Dalai Lama meetings, and Taiwanese infrastructure compromises all point to intelligence collection supporting diplomatic isolation efforts.

Critical Infrastructure Mapping

The compromise of national telecommunications providers and power equipment suppliers suggests preparations for potential future operations beyond espionage—though current activity appears focused on intelligence gathering.


Data Exfiltration: What's Being Stolen

While Palo Alto Networks provided limited details on exfiltrated data, Pete Renals, Unit 42 Director of National Security Programs, confirmed to The Register that the threat actor "successfully accessed and exfiltrated sensitive data from victim email servers."

The stolen intelligence includes:

  • Financial negotiations and contracts
  • Banking and account information
  • Critical military-related operational updates

For government targets, this represents precisely the type of diplomatic and strategic intelligence that informs policy decisions and provides negotiating advantages.


Defensive Recommendations for CISOs

Immediate Actions (24-72 Hours)

  1. Indicators of Compromise Review: Ingest the IOCs published in Unit 42's report into security monitoring systems. Key indicators include:
    • IP addresses associated with AS 9808
    • Domains: gouvn[.]me, dog3rj[.]tech, zamstats[.]me, 888910[.]xyz
    • File hashes for Diaoyu loader, ShadowGuard rootkit, and associated payloads
  2. eBPF Monitoring: ShadowGuard leverages eBPF for kernel-level concealment. Implement eBPF program auditing where available. Monitor for:
    • Unexpected eBPF program loads
    • Kill signals -900 and -901
    • Directories or files named "swsecret"
  3. External-Facing Web Server Audit: The group heavily deploys web shells. Review all external and internal web servers for:
    • Behinder, Neo-reGeorg, and Godzilla signatures
    • Unexpected JSP, ASPX, or PHP files
    • Obfuscated code containing "Baidu" strings (Tas9er obfuscation)
  4. VPN and High-Port Traffic Analysis: VShell typically uses 5-digit ephemeral TCP ports. Review traffic patterns for unusual high-port communications.
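The web server audit above in code, as an added example that is not the article's or Unit 42's: a Python triage script that walks a web root, hashes every JSP/ASPX/PHP script against the SHA-256 values the article lists, flags the literal "Baidu" string left by Tas9er obfuscation, and reports scripts modified after a deployment baseline. The encrypted-loader heuristic (a class defined from bytes next to a Cipher call) is my assumption based on public Behinder and Godzilla JSP code, not something the article states.

```python
"""Added example for the web server audit; not code from the article or Unit 42.
Walks a web root and reports, per script file, the indicators the article
names: a SHA-256 match against the hashes in its IoC list, the literal "Baidu"
string that Tas9er obfuscation leaves in Godzilla shells, and scripts modified
after a deployment baseline. The encrypted-loader rule is an added heuristic
(assumption: Behinder and Godzilla JSP shells define a class from decrypted
bytes and use javax.crypto.Cipher), not an indicator from the article."""
import hashlib
import os
import re
import sys
import time

SCRIPT_EXTS = {".jsp", ".jspx", ".aspx", ".ashx", ".asmx", ".php"}
# Hashes exactly as published in the article's IoC list, lower-cased.
KNOWN_HASHES = {
    "23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe": "Diaoyu loader",
    "7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d": "ShadowGuard rootkit",
    "9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4": "CVE-2019-11580 payload (rce.jar)",
    "66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0": "phishing archive",
}
CONTENT_RULES = [
    # From the article: Tas9er-obfuscated Godzilla shells carry "Baidu" names.
    ("tas9er_baidu_string", re.compile(rb"\bBaidu\b")),
    # Assumption: encrypted Java shells pair defineClass with a Cipher call.
    ("encrypted_java_loader",
     re.compile(rb"defineClass[\s\S]{0,4000}?Cipher|Cipher[\s\S]{0,4000}?defineClass")),
]

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def classify_content(data):
    """Names of every content rule and known-hash match that fires on `data`."""
    hits = [name for name, rx in CONTENT_RULES if rx.search(data)]
    label = KNOWN_HASHES.get(sha256_hex(data))
    if label:
        hits.append("known_hash:" + label)
    return hits

def triage_file(path, baseline_epoch):
    """Inspect one script file; returns None when nothing is suspicious."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = classify_content(data)
    mtime = os.stat(path).st_mtime
    if mtime > baseline_epoch:          # newer than the last known deployment
        hits.append("modified_after_baseline")
    if not hits:
        return None
    return {"path": path, "sha256": sha256_hex(data), "mtime": mtime, "indicators": hits}

def triage_tree(root, baseline_epoch):
    """Every suspicious script under `root`, sorted so the newest come first."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                result = triage_file(os.path.join(dirpath, name), baseline_epoch)
                if result:
                    findings.append(result)
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)

if __name__ == "__main__":
    web_root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    # Constructed baseline: anything changed in the last 30 days is "unexpected".
    baseline = time.time() - 30 * 86400
    for f in triage_tree(web_root, baseline):
        print(f"{f['path']}  {f['sha256'][:16]}...  {', '.join(f['indicators'])}")
```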

Short-Term Actions (1-4 Weeks)

  1. Patch Priority Reassessment: The group exploits a wide range of N-day vulnerabilities. Prioritize patches for:
    • Microsoft Exchange Server
    • SAP Solution Manager
    • Atlassian products
    • Any Chinese software in your environment (Weaver, Zhiyuan, Eyou)
  2. Email Security Enhancement: The Diaoyu loader requires user interaction. Strengthen:
    • Link protection for mega[.]nz and similar file-sharing services
    • Attachment sandboxing with extended analysis times
    • User training on organizational change impersonation lures
  3. GitHub Repository Monitoring: The group has used GitHub for payload hosting. Monitor and block access to suspicious repositories, particularly those masquerading as WordPress plugins.

Long-Term Defensive Posture

  1. Geopolitical Event Monitoring: This group correlates operations with news events. Establish processes to heighten security posture around:
    • Trade negotiations
    • Diplomatic meetings
    • Elections involving Taiwan-related policy positions
    • Natural resource agreements
  2. Critical Infrastructure Sector Collaboration: If you operate in government, telecommunications, energy, or mining sectors, engage with sector-specific ISACs and CISA for threat intelligence sharing.
  3. Linux Rootkit Detection Capabilities: ShadowGuard represents an escalation in Linux threat sophistication. Evaluate tools capable of detecting eBPF-based rootkits and kernel-level tampering.

The Bigger Picture: Scale and Implications

The Shadow Campaigns represent a concerning evolution in nation-state cyber operations. Several aspects stand out:

Unprecedented Scale

Compromising 70 organizations across 37 countries in a single year—with reconnaissance against 155 nations—demonstrates operational capacity and ambition that rivals or exceeds previously documented campaigns.

Strategic Patience

Maintaining access to compromised organizations for months indicates sophisticated tradecraft and intelligence collection discipline rather than smash-and-grab operations.

Global Reach

The targeting spans every inhabited continent, with confirmed compromises in the Americas, Europe, Africa, and Asia-Pacific. No region with strategic value appears exempt.

Intelligence Integration

The tight correlation between real-world geopolitical events and cyber operations suggests seamless integration between intelligence requirements and cyber capabilities—a hallmark of mature nation-state programs.

For CISOs, the message is clear: if your organization has any involvement in international trade, natural resources, diplomatic relationships, or critical infrastructure—particularly with any Taiwan-related dimensions—you should assume you're a target.

The Shadow Campaigns aren't finished. They're just getting started.


Indicators of Compromise

Domains:

  • gouvn[.]me
  • dog3rj[.]tech
  • zamstats[.]me
  • 888910[.]xyz

Notable File Hashes:

  • Diaoyu Loader: 23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe
  • ShadowGuard Rootkit: 7808B1E01EA790548B472026AC783C73A033BB90BBE548BF3006ABFBCB48C52D
  • CVE-2019-11580 Payload (rce.jar): 9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4
  • Phishing Archive: 66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0

Infrastructure Indicators:

  • Connections from AS 9808 (China Mobile Communications Group)
  • VShell C2 on 5-digit ephemeral TCP ports with ordered numbers
  • SSH on high ephemeral ports
  • RDP on port 3389 from relay infrastructure

MITRE ATT&CK Mapping:

  • T1566.001: Spear-Phishing with Attachment
  • T1190: Exploit Public-Facing Application
  • T1027: Obfuscated Files or Information
  • T1071: Application Layer Protocol (GitHub for payload delivery)
  • T1505.003: Web Shell
  • T1014: Rootkit (ShadowGuard eBPF)
  • T1090: Proxy (GOST, FRPS, IOX)

Sources and References

  • Palo Alto Networks Unit 42: "The Shadow Campaigns: Uncovering Global Espionage"
  • US Cybersecurity and Infrastructure Security Agency (CISA)
  • NVISO VShell Research Report
  • Anquanke CVE-2019-11580 Analysis

For organizations that believe they may have been compromised by TGR-STA-1030, Palo Alto Networks' Unit 42 Incident Response team is available for assistance. CISA's resources for critical infrastructure protection are also available at cisa.gov.

By Breached Company