Shadow Campaigns: APT Espionage Operation Targets 155 Countries Worldwide


76/69 Monday, February 9, 2026

Unit 42 from Palo Alto Networks has revealed the discovery of a state-sponsored threat group tracked as TGR-STA-1030 (also known as UNC6619), believed to be operating from Asia. The group is responsible for a large-scale cyber espionage initiative dubbed “Shadow Campaigns,” primarily aimed at stealing strategic, economic, and political intelligence from government agencies and critical infrastructure worldwide. The report indicates that surveillance activities spanned 155 countries, with successful breaches of more than 70 organizations across 37 countries, enabling access to sensitive information related to trade policies, geopolitical issues, and election data.

The operation has impacted high-level institutions across multiple regions, including a treasury department in Australia, parliamentary bodies in Europe, and critical infrastructure in Taiwan and Latin America. Thailand was also identified as having organizations targeted and compromised. The threat actors demonstrated strong operational timing, intensifying reconnaissance efforts during significant events such as national elections or periods of political instability to gather highly valuable intelligence when it mattered most.

The attackers employed highly sophisticated techniques, typically beginning with phishing emails containing links to files hosted on Mega.nz. These messages often impersonated internal organizational restructuring notices to trick officials into installing Diaoyu malware. Researchers also observed the use of advanced tools such as ShadowGuard, a Linux eBPF rootkit that is extremely difficult to detect because it operates at the kernel level, allowing it to evade traditional antivirus defenses. Experts advise both public and private sector organizations to exercise caution when opening links from unknown emails and to promptly assess vulnerabilities in systems such as Microsoft Exchange and SAP to defend against this global espionage threat.
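A mail-triage check for the lure described above, added here as an example that is not part of the original article or the Unit 42 report: it flags messages that pair a Mega.nz link with restructuring-themed wording. The keyword list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumed for this example: the keyword list and the sample messages are constructed.
FILE_HOSTS = ("mega.nz",)  # file-hosting service named in the article
LURE_WORDS = ("restructuring", "reorganization", "reorganisation")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def hosts_in(text):
    """Return the lower-cased hostname of every http(s) URL found in text."""
    found = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if host:
            found.add(host.rstrip(".").lower())
    return found

def is_file_host(host):
    """Exact or subdomain match only, so mega.nz.files.example.test is not a hit."""
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTS)

def triage(raw):
    """Flag a raw message that has both a file-host link and lure wording."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    links = sorted(h for h in hosts_in(text) if is_file_host(h))
    lure = any(w in (subject + " " + text).lower() for w in LURE_WORDS)
    return {"subject": subject, "file_host_links": links,
            "lure_theme": lure, "flag": bool(links) and lure}

SAMPLES = {  # constructed messages, not real traffic
    "lure": "From: hr@agency.example\nSubject: Notice of organizational "
            "restructuring\n\nNew structure: https://mega.nz/file/EXAMPLE#KEY\n",
    "lookalike": "From: it@agency.example\nSubject: Restructuring update\n\n"
                 "See https://mega.nz.files.example.test/doc\n",
    "benign": "From: a@agency.example\nSubject: Lunch\n\n"
              "Photos: https://mega.nz/folder/EXAMPLE\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A hit is a triage signal for analyst review rather than a verdict, since Mega.nz links and restructuring notices both occur in legitimate mail.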

Source: https://www.bleepingcomputer.com/news/security/state-actor-targets-155-countries-in-shadow-campaigns-espionage-op/