www.securityweek.com 2/5/2026, 11:20:21 AM

Cyberspy Group Hacked Governments and Critical Infrastructure in 37 Countries

A state-sponsored cyberespionage group has hacked into government and critical infrastructure organisations across 37 countries, SecurityWeek reports. The operation is tracked under the threat actor name TGR-STA-1030, and the newly observed activity is named Shadow Campaign.

Palo Alto Networks researchers have high confidence that the group operates from Asia and aligns with a Chinese threat actor profile. Its activity dates back to at least January 2024 and has focused on more than 70 organisations in 37 countries.

The targets included national law enforcement and border control agencies, ministries of finance, and government departments dealing with trade, natural resources and diplomacy, and the firm noted at least one parliament and a senior elected official were compromised in separate instances. Initial access relied on phishing emails carrying a malware loader, and the group has deployed ShadowGuard, a Linux kernel rootkit used to modify data and evade detection.

Palo Alto Networks has observed the group relying on extensive exploitation of known vulnerabilities, rather than zero-days, in products from Microsoft, SAP, Atlassian, D-Link, Apache, Commvault and other vendors. The security firm has monitored the activity since early 2025, after first spotting the targeting of European governments, and the group's infrastructure suggests activity dating back to January 2024.

Article by CyberSIXT