Shadow Campaigns expands global espionage reach to 37 countries
A state-sponsored actor tracked as TGR-STA-1030/UNC6619, dubbed Shadow Campaigns, has compromised government and critical-infrastructure networks in 37 countries since early 2024, with reconnaissance activity touching 155 nations. The operation uses tailored phishing with a Diaoyu loader, exploits across multiple platforms, and a toolkit including Cobalt Strike, VShell, web shells, and a Linux kernel rootkit named ShadowGuard. It relies on legitimate VPS and proxy infrastructure and targets ministries, energy, finance, and diplomatic agencies, with activity intensifying around political events like elections. Unit 42 provides IoCs to help defenders detect and block these attacks.