A state-sponsored cyberespionage group has hacked into the systems of government and critical infrastructure organizations across dozens of countries, Palo Alto Networks revealed on Thursday.
The security firm is tracking the threat actor as TGR-STA-1030 and the recently observed activity has been named Shadow Campaign.
Palo Alto Networks expressed high confidence that it’s a nation-state group operating out of Asia based on the use of regional tools and services, language preferences, targets, and operational infrastructure located in the region.
In addition, Palo Alto Networks noted that the attackers’ activity aligns with the GMT+8 timezone.
While the security firm has refrained from blaming a specific country for Shadow Campaign, the group’s operational footprint appears to align with the profile of a Chinese threat actor.
Evidence collected by Palo Alto’s researchers indicates that TGR-STA-1030 has compromised the systems of at least 70 organizations in 37 countries. Additionally, the hackers’ reconnaissance activity has targeted government infrastructure across 155 countries.
Targets included national law enforcement and border control agencies, ministries of finance, and government departments focusing on trade, natural resources, and diplomacy.
“This group compromised one nation’s parliament and a senior elected official of another. It also compromised national-level telecommunications companies and several national police and counter-terrorism organizations,” Palo Alto Networks said.
It added, “While this group might be pursuing espionage objectives, its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services.”
The security firm has been monitoring TGR-STA-1030 since early 2025, when it was spotted targeting European governments, but the infrastructure used by the cyberspies suggests that it has been active since at least January 2024.
Initial access, malware, and vulnerability exploitation
For initial access into the targeted organizations, the hackers used sophisticated email phishing lures designed to trick recipients into installing a malware loader on their systems.
While many malware loaders check the compromised system for the presence of dozens of security products, the loader seen in Shadow Campaign only checks for five products likely in an effort to increase its chances of evading detection.
The threat actor uses a wide range of tools in its operations, but the most noteworthy is tracked by Palo Alto as ShadowGuard, a previously unknown Linux kernel rootkit that enables the attackers to modify system data and remain undetected.
While there is no indication that the threat actor has exploited zero-day vulnerabilities, Palo Alto has seen attempts to exploit a wide range of known flaws in products from Microsoft, SAP, Atlassian, D-Link, Apache, Commvault, and various China-based vendors.
Related: Russia’s APT28 Rapidly Weaponizes Newly Patched Office Vulnerability
Related: Default ICS Credentials Exploited in Destructive Attack on Polish Energy Facilities
