Shadow Campaigns: Inside the Largest Government Hacking Operation Since SolarWinds — And Why the Attackers' Name Was Erased

When one of the world's largest cybersecurity companies uncovered the most significant state-sponsored hacking campaign in years, they knew exactly who was responsible. Then, according to sources, executives ordered the name removed from the report.


The Scale of Shadows

On February 5, 2026, Palo Alto Networks' elite Unit 42 threat intelligence team published a report that should have dominated global headlines for weeks. What they had uncovered was staggering: a coordinated cyberespionage operation that had successfully compromised more than 70 government and critical infrastructure organizations across 37 countries — while conducting reconnaissance against government networks in an additional 118 nations.

The campaign, which Unit 42 dubbed "The Shadow Campaigns," represented what their director of national security programs, Pete Renals, called "probably the most widespread and significant compromise of global government infrastructure by a state-sponsored group since SolarWinds."

That's not hyperbole. The SolarWinds compromise of 2020-2021 — where Russian intelligence infiltrated nine U.S. federal agencies and hundreds of private companies through a poisoned software update — remains the benchmark for catastrophic supply chain attacks. A campaign warranting SolarWinds-level comparison represents state-sponsored cyber aggression that should alarm every government, defense contractor, and critical infrastructure operator on the planet.

The victims read like a who's who of government power: five national-level law enforcement and border control agencies, three ministries of finance, one nation's parliament, and at least one senior elected official. Telecommunications companies, counterterrorism organizations, and immigration services all fell. The attackers exfiltrated financial negotiations, banking information, and what Unit 42 described as "critical military-related operational updates."

The threat group behind the operation — tracked internally as TGR-STA-1030 — demonstrated patience, sophistication, and resources that only major nation-states possess. They maintained persistent access to some victims for months, deploying a previously unknown Linux kernel rootkit called ShadowGuard that operates so deep in the kernel that traditional security tools can't see it.

And yet, when it came time to attribute the attack — to name the country responsible for the largest government hacking campaign since SolarWinds — Palo Alto's official report was strangely vague.

TGR-STA-1030, the company concluded, was "a state-aligned group that operates out of Asia."

Asia. A continent of 4.7 billion people. 48 countries. The attribution equivalent of describing a bank robber as "someone from Earth."

For seasoned threat intelligence analysts, the attribution was puzzling. Everything about the operation — the tools, the timing, the targets, the techniques — pointed to a single, obvious conclusion. Multiple external security researchers who reviewed the evidence reached the same verdict.

Then, one week later, Reuters dropped the bombshell that explained everything: Palo Alto had originally named the attacker. The first draft of the report explicitly linked the campaign to China. But according to two sources familiar with the matter, company executives ordered the attribution softened before publication.

The reason? Fear of retaliation from Beijing.


The Story Within the Story: When Commercial Interests Trump Public Safety

The Reuters exclusive, published February 12, 2026, revealed that an earlier draft of Unit 42's Shadow Campaigns report had directly attributed the operation to Chinese state-sponsored hackers. The final published version, however, described the attackers only as operating "out of Asia" — a significant dilution that, according to external analysts, would hamper defenders' ability to properly contextualize the threat.

The timing was damning. Just weeks before the report's publication, China had banned approximately 15 U.S. and Israeli cybersecurity companies, including Palo Alto Networks, from government procurement on national security grounds. Palo Alto maintains five offices in China — in Beijing, Shanghai, Guangzhou, and two other cities — and LinkedIn profiles indicate more than 70 self-identified employees work for the company in China.

Tom Hegel, a senior threat researcher at rival security firm SentinelOne, was blunt in his assessment when speaking to Reuters: "Our assessment is that this is part of a broader pattern of global campaigns linked to China that seek intelligence and persistent internal access to organizations of interest to Beijing."

The technical evidence supporting China attribution was overwhelming:

Operational timing: The attackers' activity consistently aligned with GMT+8, the Beijing timezone, with operations occurring during Chinese business hours.

Regional tooling: The campaign relied heavily on tools either developed for or popular within Chinese-speaking hacking communities, including VShell (a Go-based command-and-control framework documented extensively in Chinese-language intrusion forums), and web shells like Behinder and Godzilla that are hallmarks of Chinese APT operations.

Language artifacts: Metadata and configuration files contained Chinese language settings. The custom malware loader was internally named "DiaoYu.exe" — the Chinese word for "fishing" or "phishing," a revealing cultural fingerprint.

Infrastructure connections: Direct connections to the attackers' infrastructure were traced back to AS9808, the autonomous system operated by China Mobile Communications Corporation. While the attackers used elaborate anonymization chains, occasional operational failures revealed their true origin.

Target selection: The victims aligned precisely with Beijing's strategic interests, from countries hosting Dalai Lama meetings (anathema to the Chinese government) to nations with significant rare earth mineral deposits that China seeks to control.

Certificate evidence: An X.509 digital certificate for one of the campaign's command-and-control domains — gouvn[.]me, designed to mimic French government infrastructure — was briefly visible on a Tencent server in China before being removed.

One attacker even used the handle "JackMa" — the name of Alibaba's co-founder, one of the most famous businessmen in China.

And yet, none of this made it into Palo Alto's official attribution.

Nicole Hockin, Vice President at Palo Alto Networks, denied that commercial considerations influenced the attribution, calling suggestions of self-censorship "speculative and false." The company's official position was that "attribution is irrelevant" to the defensive value of the report.

But that position doesn't hold up to scrutiny. Attribution matters. Knowing that an attack originates from China rather than North Korea or Russia fundamentally changes an organization's threat model. It affects which sectors are most at risk, what future attack vectors to anticipate, and what intelligence-sharing relationships to prioritize. Stripping attribution from a threat report is like describing a disease outbreak without naming the pathogen — technically you've reported cases, but you've hobbled the response.

Thomas Rid, a professor at Johns Hopkins University who studies information operations and cybersecurity, offered context for why companies might make such decisions: "People have always taken risks by naming names. It was always unpleasant, and if you have people on the ground, like large companies do, that's an additional consideration. Are you putting your own people — your local staff — at risk?"

The concern is legitimate. Palo Alto's Chinese employees could theoretically face repercussions if the company publicly accused Beijing of orchestrating the largest government hacking campaign since SolarWinds. But the flip side is equally uncomfortable: if cybersecurity companies can be silenced by commercial retaliation threats, then the entire threat intelligence ecosystem — the shared knowledge defenders worldwide rely on — becomes compromised.

The Chinese embassy in Washington responded to Reuters' inquiries with standard language: China "opposes all forms of cyberattacks" and called attribution "a complex technical issue" requiring "sufficient evidence, rather than unfounded speculation."

In the intelligence community, this is known as a non-denial denial.


Inside the Shadow Campaigns: Technical Deep Dive Into State-Sponsored Tradecraft

The Shadow Campaigns represent a textbook example of nation-state cyberespionage: patient reconnaissance, targeted exploitation, and custom malware development executed with surgical precision. Understanding the attackers' tradecraft reveals both the depth of their capabilities and the challenges defenders face.

Initial Access Vectors: Spear-Phishing and N-Day Exploits

TGR-STA-1030 didn't waste resources on expensive zero-days. Instead, the group proved that patience and persistence achieve similar results at lower cost. They relied on two primary initial access vectors:

Spear-phishing campaigns provided the primary entry point. The attackers sent highly tailored emails to government officials using lures related to ministerial reorganizations or administrative changes — topics bureaucrats reliably click. Links directed victims to MEGA.nz, a legitimate file-sharing service, where they downloaded ZIP archives containing malicious payloads.

The customization level was exceptional. File names were localized to each target country and ministry. One sample targeting Estonia: "Changes to the organizational structure of the Police and Border Guard Board.zip" — in Estonian. This wasn't spray-and-pray phishing; this was targeted social engineering with native-language fluency.

N-day vulnerability exploitation provided the second vector. Rather than hoarding zero-days, the attackers maintained a library of public proof-of-concept exploits for known vulnerabilities and scanned for unpatched systems. Their exploit arsenal included:

Vulnerability  | Target Product            | Attack Type
---------------|---------------------------|----------------------
CVE-2019-11580 | Atlassian Crowd           | Authentication Bypass
Multiple CVEs  | Microsoft Exchange Server | Remote Code Execution
Undisclosed    | SAP Solution Manager      | Privilege Escalation
Undisclosed    | Zhiyuan OA                | Remote Code Execution
Undisclosed    | Weaver Ecology-OA         | Remote Code Execution
Undisclosed    | D-Link Devices            | Remote Code Execution

The inclusion of Zhiyuan OA and Weaver Ecology-OA — Chinese office automation platforms popular in Asia — suggests the attackers tailored their toolkit to the software ecosystems of specific regions.

The Diaoyu Loader: Fishing for Victims

The campaign's custom malware included a sophisticated loader that Unit 42 dubbed "Diaoyu" based on its original executable name. The loader demonstrated a level of operational security designed to evade both automated analysis and manual reverse engineering.

Dual-stage sandbox evasion was the first line of defense. Before executing its payload, Diaoyu checks:

  1. Screen resolution: The malware requires a horizontal resolution of at least 1440 pixels. Most automated malware sandboxes run in lower-resolution virtual machines, so this simple check eliminates a significant portion of analysis attempts.
  2. File integrity verification: The loader looks for a zero-byte file named "pic1.png" in the same directory. This acts as a crude integrity check — the file would be present in the original delivery package but might be missing in isolated analysis environments.

Security product enumeration followed. The loader actively checks for running processes associated with major endpoint security vendors:

  • Avp.exe — Kaspersky
  • SentryEye.exe — Avira
  • EPSecurityService.exe — Bitdefender
  • SentinelUI.exe — SentinelOne
  • NortonSecurity.exe — Symantec/Norton

The presence of specific security products would alter the loader's behavior — either evading detection or declining to execute entirely.

Once past these checks, the loader retrieved its payload from a GitHub repository (since removed) containing Cobalt Strike beacon configurations. Cobalt Strike, originally a legitimate penetration testing tool, has become one of the most common command-and-control frameworks used by nation-state attackers worldwide.
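The delivery pattern described above (a ZIP archive holding an executable next to a zero-byte "pic1.png") can be checked at a mail or download gateway before anything runs. The following is an added example, not code from Unit 42 or the original article; it generalizes the marker to any empty image file beside a PE executable, and the sample archives and file names other than pic1.png are constructed.

```python
import io
import posixpath
import zipfile

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
EXEC_EXT = (".exe", ".scr", ".com", ".dll")
KNOWN_MARKER = "pic1.png"  # zero-byte companion file named in the article


def is_executable(zf, info):
    """Identify Windows PE members by the 'MZ' magic, not by file name."""
    if info.flag_bits & 0x1:
        # Encrypted member: content is unreadable without the password,
        # so fall back to the extension.
        return info.filename.lower().endswith(EXEC_EXT)
    with zf.open(info) as fh:
        return fh.read(2) == b"MZ"


def triage_zip(data):
    """Return findings for folders holding a PE file next to an empty image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        by_dir = {}
        for info in zf.infolist():
            if not info.is_dir():
                folder = posixpath.dirname(info.filename)
                by_dir.setdefault(folder, []).append(info)
        for folder, members in sorted(by_dir.items()):
            exes = [m.filename for m in members if is_executable(zf, m)]
            for m in members:
                name = posixpath.basename(m.filename).lower()
                if m.file_size != 0 or not name.endswith(IMAGE_EXT):
                    continue
                for exe in exes:
                    findings.append({
                        "folder": folder or ".",
                        "executable": exe,
                        "marker": m.filename,
                        "match": "exact" if name == KNOWN_MARKER else "generic",
                    })
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real campaign files).
SUSPICIOUS = build_zip({
    "notice/document.exe": b"MZ" + b"\x00" * 62,
    "notice/pic1.png": b"",
    "notice/readme.txt": b"see attached",
})
BENIGN = build_zip({
    "tool/setup.exe": b"MZ" + b"\x00" * 62,
    "tool/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_zip(blob))
```

Because executables are recognized by content, a payload renamed to a document extension is still paired with the empty marker file.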

ShadowGuard: How eBPF Became an Invisible Rootkit

The most alarming technical finding in Unit 42's report is ShadowGuard — a previously undocumented Linux rootkit that represents a significant leap in stealth malware.

ShadowGuard weaponizes eBPF (Extended Berkeley Packet Filter), a legitimate Linux kernel technology designed for packet filtering and performance monitoring. By running inside the kernel's trusted execution environment, ShadowGuard achieves near-perfect invisibility to traditional security tools.

Why eBPF Makes Detection Nearly Impossible:

Traditional rootkits typically modify system binaries or hook system calls at the user-space level, where they can be detected by integrity monitoring tools or careful analysis. ShadowGuard operates entirely within the kernel's BPF virtual machine — a trusted execution environment that security tools rarely inspect.

The rootkit's capabilities include:

  • Process hiding: ShadowGuard can conceal up to 32 process IDs from standard enumeration tools. Running ps aux on a compromised system will simply not show the hidden processes. They don't appear to exist.
  • File and directory hiding: Any file or directory named "swsecret" becomes invisible to standard filesystem queries. The attackers used this to hide configuration files, exfiltrated data staging directories, and additional malware components.
  • Syscall interception: The rootkit intercepts kill signals with specific magic numbers (-900 and -901), allowing the attackers to send hidden commands to their implants through what appears to be normal system activity.
  • Allow-list mechanism: ShadowGuard maintains an exclusion list, allowing the attackers to selectively reveal processes or files when needed for maintenance.

The SHA-256 hash for the ShadowGuard sample is: 7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d

For defenders, ShadowGuard represents a significant challenge. Because the rootkit operates at the kernel level, most endpoint detection and response (EDR) tools — which typically operate in user space — cannot see it. Detection requires either specialized eBPF monitoring solutions or offline analysis of memory images.
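One way to hunt for the hiding behaviour described above is a cross-view check: compare what directory enumeration reports with what direct lookups return. This is an added example, not code from Unit 42 or the original article; it assumes the rootkit filters listings rather than direct path lookups, which the article does not specify.

```python
import os

HIDDEN_NAME = "swsecret"  # name the article says ShadowGuard hides


def listed_pids(proc="/proc"):
    """PIDs returned by directory enumeration, the view that ps relies on."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def read_tgid(pid, proc="/proc"):
    """Thread-group id from a direct /proc/<pid>/status lookup, or None."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def find_hidden_pids(list_pids, tgid_of, max_pid):
    """Process ids that resolve directly but are missing from enumeration.

    list_pids: callable returning the set of enumerated PIDs
    tgid_of:   callable mapping a task id to its thread-group id, or None
    """
    before = list_pids()
    suspects = set()
    for pid in range(1, max_pid + 1):
        if pid in before:
            continue
        tgid = tgid_of(pid)
        # Thread ids resolve under /proc but are never listed there, so a
        # task only counts when its thread-group leader is missing as well.
        if tgid is None or tgid in before:
            continue
        suspects.add(tgid)
    after = list_pids()  # drop processes that simply started mid-scan
    return sorted(suspects - after)


def hidden_entry(directory, name=HIDDEN_NAME,
                 listdir=os.listdir, lexists=os.path.lexists):
    """True if `name` resolves by path but is absent from the listing."""
    return lexists(os.path.join(directory, name)) and name not in listdir(directory)


def scan_tree(root):
    """Directories under `root` that contain a hidden HIDDEN_NAME entry."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root, onerror=lambda e: None):
        try:
            if hidden_entry(dirpath):
                hits.append(dirpath)
        except OSError:
            continue
    return hits


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    print("hidden pids:", find_hidden_pids(listed_pids, read_tgid, pid_max))
    print("hidden entries:", scan_tree("/var"))
```

A clean result is not proof of a clean host, because the check runs on the kernel under suspicion; offline memory analysis remains the stronger test.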

Command-and-Control Infrastructure: Multi-Tier Architecture and Residential Proxies

TGR-STA-1030's C2 infrastructure demonstrated textbook nation-state compartmentalization: multiple layers, residential proxies, and redundant frameworks to ensure operational persistence.

Multi-tiered architecture ensured operational security:

┌──────────────┐    ┌──────────────┐    ┌──────────────┐    ┌──────────────┐
│   Attackers  │ →  │ Proxy Layer  │ →  │ Relay VPS    │ →  │ C2 Servers   │ → Victims
│(China/AS9808)│    │(DataImpulse/ │    │ (US/UK/SG)   │    │              │
│              │    │ Tor)         │    │              │    │              │
└──────────────┘    └──────────────┘    └──────────────┘    └──────────────┘

The attackers used DataImpulse, a residential proxy service, to mask their origins. Residential proxies route traffic through legitimate home internet connections, making it extremely difficult to distinguish malicious traffic from normal browsing.

Command-and-control servers were hosted on reputable VPS providers in the United States, United Kingdom, and Singapore — jurisdictions chosen both for network latency to target regions and for the legal complexity they would introduce into any investigation.

Multiple C2 frameworks provided redundancy. While Cobalt Strike was the primary tool in early 2025, the group increasingly shifted to VShell — a Go-based C2 framework documented in Chinese-language security research. VShell offers similar capabilities to Cobalt Strike but with lower detection rates, as security vendors have invested years in detecting Cobalt Strike traffic.

Additional tools included Havoc, SparkRat, and Sliver — ensuring that the loss of any single implant wouldn't terminate access to a victim network.


Geopolitical Intelligence Targeting: Rare Earth Minerals and Chinese Strategic Interests

The Shadow Campaigns' target selection wasn't random. When mapped against Beijing's strategic interests, a stark pattern emerges: the attackers prioritized intelligence advancing China's objectives in rare earth control, diplomatic leverage, and trade disputes.

Mining Nations Targeted: The Rare Earth Mineral Connection

Multiple victims shared one strategic asset: rare earth minerals.

Bolivia: Compromised through a mining entity. Rare earth deposits dominated the country's 2025 presidential election, with candidates debating whether to partner with Chinese or Western mining interests.

Brazil: Ministry of Mines and Energy breached. Brazil holds the world's second-largest rare earth reserves, and Chinese companies have aggressively pursued extraction agreements.

Democratic Republic of the Congo: Government ministry compromised. The DRC supplies critical cobalt and minerals essential for electric vehicle batteries — a sector where China dominates global supply chains.

Zambia: Government network targeted during an investigation into the Sino-Metals Leach mining operation, where acid pollution triggered local protests against Chinese-owned facilities.

Rare earth minerals — essential for everything from smartphones to wind turbines to military guidance systems — represent a strategic chokepoint that China has long sought to control. Intelligence on competitor nations' mineral policies, contract negotiations, and environmental concerns provides leverage in what has become a global competition for these resources.

Diplomatic Flashpoints

The timing of several intrusions correlated with diplomatic events sensitive to Beijing:

Czechia was targeted intensively after the Czech Republic hosted meetings with the Dalai Lama — the Tibetan spiritual leader whom Beijing considers a dangerous separatist. The Czech president's website was specifically scanned for vulnerabilities following the announcement of a Dalai Lama birthday gala. For China, the Dalai Lama issue is not just politics; it's an obsession that has driven diplomatic incidents for decades.

Thailand saw government networks compromised in November 2025, just weeks before the Thai king's first state visit to Beijing. Access to internal government communications about the visit's agenda, Thai negotiating positions, and diplomatic concerns would be invaluable to Chinese intelligence.

Honduras was subjected to reconnaissance scanning of more than 200 government IP addresses exactly 30 days before the country's national election — an election with significant implications for Taiwan, as Honduras was one of the last countries to maintain formal diplomatic relations with Taipei.

The Venezuela Connection

Perhaps no targeting decision was more revealing than the compromise of Venezuelan government infrastructure.

On January 3, 2026, the United States launched "Operation Absolute Resolve," a dramatic military operation that captured Venezuelan President Nicolás Maduro and several senior officials. The action, conducted without consultation with traditional allies, sent shockwaves through Latin American politics.

Within 24 hours, TGR-STA-1030 had compromised IP addresses at Venezolana de Industria Tecnológica — a Venezuelan government technology facility. Over the following days, reconnaissance expanded to cover more than 140 government IP addresses.

The intelligence value is obvious: understanding American military operations, assessing the new Venezuelan government's posture, and gathering information about potential changes to Chinese investments in the country. China has invested billions in Venezuela's oil sector, and regime change threatened those investments.

The Mexico Coincidence

Mexico's case illustrates how rapidly the attackers could pivot to emerging opportunities.

In late September 2025, Mexico's government announced an investigation into potential tariff violations by Chinese steel imports. Within 24 hours, two Mexican government ministries had been compromised.

The speed suggests either exceptional responsiveness or — perhaps more likely — that the attackers already had access and were activated to collect intelligence on the trade dispute.


China's Typhoon Season: Coordinated Campaign Escalation Across Critical Infrastructure

The Shadow Campaigns don't exist in isolation. They represent one front in an unprecedented expansion of Chinese state-sponsored cyberespionage operations targeting global critical infrastructure.

Salt Typhoon — a separate Chinese operation exposed in late 2024 — successfully compromised telecommunications infrastructure in the United States, United Kingdom, Australia, Singapore, and (as revealed in February 2026) Norway. The attackers gained access to the systems telecommunications companies use to comply with lawful intercept orders, potentially compromising years of intelligence operations.

Volt Typhoon — another Chinese campaign documented by Microsoft and CISA — focused on pre-positioning access within U.S. critical infrastructure. Unlike operations focused on intelligence collection, Volt Typhoon appeared designed to establish persistent access that could be weaponized during a future conflict.

UNC3886 — attributed to China by Singapore's Cyber Security Agency in February 2026 — conducted an 11-month operation against all four of Singapore's major telecommunications providers, demonstrating that even highly developed nations with sophisticated cyber defenses are vulnerable.

Together, these campaigns suggest a strategic decision by Chinese intelligence services to dramatically scale their cyber operations. The question is why — and whether the Shadow Campaigns' targeting of 37 governments represents espionage as usual, or preparation for something more.


Defending Against Shadow Campaigns: Immediate Actions for Government and Critical Infrastructure

For government agencies, critical infrastructure operators, and multinational corporations, the Shadow Campaigns discovery demands immediate defensive action.

Immediate Steps (24-72 Hours)

1. Hunt for known indicators. Block the following command-and-control infrastructure at your network perimeter:

2. Patch priority vulnerabilities. The attackers exploited known vulnerabilities in:

  • Atlassian Crowd (CVE-2019-11580)
  • Microsoft Exchange Server (multiple RCE vulnerabilities)
  • SAP Solution Manager
  • Edge devices from D-Link and other vendors

If you haven't patched these systems, assume compromise and hunt accordingly.

3. Review MEGA.nz traffic. The attackers used MEGA.nz to host malicious payloads. Consider whether your organization has legitimate business reasons to allow downloads from MEGA.nz; if not, block it. If legitimate use exists, implement inspection of all MEGA downloads.

Detection Focus Areas

For ShadowGuard (Linux environments):

  • Monitor for eBPF program loading on production systems
  • Search for files or directories named "swsecret"
  • Deploy kernel-level integrity monitoring that can detect eBPF modifications
  • Consider offline memory analysis for suspected compromised systems
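Monitoring eBPF program loading, and the kill calls carrying the magic values -900 and -901, can be done from Linux audit records. The following is an added example, not code from Unit 42 or the original article; it assumes auditd is already recording the bpf and kill syscalls in raw (uninterpreted) format, and the log lines, rule keys, paths and allow-list are constructed.

```python
import re

# Syscall numbers per audit arch value: x86_64 and aarch64.
ARCH = {
    "c000003e": {"bpf": 321, "kill": 62},
    "c00000b7": {"bpf": 280, "kill": 129},
}
BPF_PROG_LOAD = 5          # enum bpf_cmd value passed as the first argument
MAGIC = {-900, -901}       # values the article attributes to ShadowGuard
# Site-specific assumption: binaries expected to load BPF programs here.
ALLOWED_LOADERS = {"/usr/lib/systemd/systemd"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def s32(hexval):
    """Audit prints arguments as hex registers; recover the signed 32-bit int."""
    v = int(hexval, 16) & 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def classify(line, allowed=ALLOWED_LOADERS):
    """Return (kind, pid, exe) for a suspicious SYSCALL record, else None."""
    ev = {k: v.strip('"') for k, v in FIELD.findall(line)}
    nums = ARCH.get(ev.get("arch"))
    if ev.get("type") != "SYSCALL" or nums is None:
        return None
    try:
        sysno, a0, a1 = int(ev["syscall"]), s32(ev["a0"]), s32(ev["a1"])
    except (KeyError, ValueError):
        return None
    exe = ev.get("exe", "?")
    if sysno == nums["bpf"] and a0 == BPF_PROG_LOAD and exe not in allowed:
        return ("bpf_prog_load", ev.get("pid"), exe)
    # The article does not say which argument carries the magic number,
    # so check both the pid (a0) and the signal (a1).
    if sysno == nums["kill"] and (a0 in MAGIC or a1 in MAGIC):
        return ("magic_kill", ev.get("pid"), exe)
    return None


def scan(lines, allowed=ALLOWED_LOADERS):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in (classify(l, allowed) for l in lines) if hit]


# Constructed audit records (not taken from a real incident).
SAMPLE_LOG = """
type=SYSCALL msg=audit(1767225600.101:501): arch=c000003e syscall=321 success=yes exit=9 a0=5 a1=7ffc1a2b3c40 a2=90 a3=0 pid=1 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="bpf_load"
type=SYSCALL msg=audit(1767225601.220:502): arch=c000003e syscall=321 success=yes exit=7 a0=5 a1=7ffd00aa1000 a2=90 a3=0 pid=2101 uid=0 comm="upd" exe="/tmp/.cache/upd" key="bpf_load"
type=SYSCALL msg=audit(1767225601.221:503): arch=c000003e syscall=321 success=yes exit=8 a0=0 a1=7ffd00aa1100 a2=48 a3=0 pid=2101 uid=0 comm="upd" exe="/tmp/.cache/upd" key="bpf_load"
type=SYSCALL msg=audit(1767225610.005:504): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=fffffc7c a2=0 a3=0 pid=2150 uid=0 comm="bash" exe="/usr/bin/bash" key="kill_watch"
type=SYSCALL msg=audit(1767225611.300:505): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=f a2=0 a3=0 pid=2150 uid=0 comm="bash" exe="/usr/bin/bash" key="kill_watch"
type=SYSCALL msg=audit(1767225620.900:506): arch=c00000b7 syscall=280 success=yes exit=6 a0=5 a1=ffffd2e41000 a2=90 a3=0 pid=880 uid=0 comm="collector" exe="/opt/agent/collector" key="bpf_load"
type=PATH msg=audit(1767225620.900:506): item=0 name="/opt/agent/collector" inode=131 mode=0100755
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The allow-list is what keeps this usable in production: on hosts where an observability or networking agent legitimately loads BPF programs, add its binary path rather than disabling the rule.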

For Diaoyu loader:

  • Alert on processes that check screen resolution at startup
  • Monitor for enumeration of security product processes
  • Watch for downloads from raw.githubusercontent.com that execute as binaries

For C2 traffic:

  • VShell communicates on high ephemeral TCP ports; monitor for unusual high-port traffic to VPS providers
  • Implement TLS inspection where legally and operationally feasible
  • Use behavioral analytics to detect Cobalt Strike beacon patterns

Strategic Recommendations

For government agencies:

  • Assume you are a target. Conduct threat hunting based on the published IOCs.
  • Implement zero-trust architecture for sensitive systems, particularly those handling diplomatic communications, financial negotiations, or military operations.
  • Isolate e-passport and immigration systems — these were specifically targeted.
  • Share threat intelligence with partner nations and international CERTs.

For critical infrastructure:

  • Mining and energy sectors should be on heightened alert.
  • Telecommunications providers should review for Salt Typhoon and UNC3886 indicators in addition to Shadow Campaigns IOCs.
  • Finance ministries and central banks should implement enhanced monitoring.

For the private sector:

  • Companies operating in rare earth minerals, strategic commodities, or advanced technology should assume elevated risk.
  • Organizations with business relationships involving Chinese government entities should assess their threat model.
  • Multinationals with China operations should consider the security implications of their geographic footprint.

Three Uncomfortable Truths About Nation-State Cyberespionage in 2026

The Shadow Campaigns expose uncomfortable realities defenders must confront:

First: State-sponsored attackers are outpacing defenders. Despite billions spent on cybersecurity, nation-state adversaries continue compromising government networks worldwide. The attackers didn't need zero-days — they exploited known vulnerabilities that should have been patched years ago.

Second: Attribution is politically dangerous. If the world's largest cybersecurity companies can be pressured — through commercial threats, employee safety concerns, or market access considerations — into softening attribution, then the shared threat intelligence defenders rely on becomes unreliable. How many other reports have been sanitized? How many attributions quietly removed?

Third: The scale is unprecedented, yet nobody's paying attention. Thirty-seven countries compromised. One hundred fifty-five scanned. Critical military intelligence, financial negotiations, and diplomatic communications exfiltrated. If this represents "the most widespread compromise of global government infrastructure since SolarWinds," why isn't it leading every newscast?

The answer: we've become numb. State-sponsored cyberespionage has become so routine that even campaigns of historic scale barely register. The attackers know this. They exploit it.


Conclusion: When Commercial Interests Silence Attribution

The Shadow Campaigns will be studied for years as a masterclass in nation-state cyberespionage. The technical sophistication — particularly the ShadowGuard eBPF rootkit — represents a genuine advancement in stealth capability. The targeting demonstrates surgical alignment with strategic objectives. The scale rivals operations previously considered anomalous.

But the campaign's legacy may be determined not by what the attackers did, but by what defenders failed to say.

When Palo Alto Networks allegedly removed explicit China attribution from their report, they made a calculation: commercial and safety risks of naming names outweighed public interest in knowing who compromised 37 governments. Reasonable people can debate that decision.

What cannot be debated: defenders worldwide now have a detailed technical report but must rely on external researchers like SentinelOne to learn who was actually responsible.

In the shadow war waged across the world's networks, sunlight is the best disinfectant. When commercial considerations dim that light, the shadows grow longer.

The attackers continue operating. New victims fall. New intelligence exfiltrates. Reconnaissance against 155 countries suggests this campaign isn't concluding — it's expanding.

And somewhere — in Beijing or wherever TGR-STA-1030 actually operates — someone is reading this article, taking notes on what we know, what we don't know, and what we're afraid to say.


This investigation drew on primary reporting from Unit 42, Reuters, The Record, and analysis by SentinelOne, PolySwarm, and other security researchers.

By Breached Company