TL;DR: Palo Alto Networks' Unit 42 revealed on February 5, 2026, that a single state-aligned hacking group (tracked as TGR-STA-1030) compromised at least 70 organizations across 37 countries in the past year. Targets include five national law enforcement agencies, three finance ministries, a national parliament, military systems, and telecom companies. The group uses phishing, known software flaws, and a custom Linux rootkit called ShadowGuard to steal diplomatic emails, financial records, and military operations data. They're still active. Between November and December 2025, they scanned government infrastructure in 155 countries.
What Unit 42 Found
Researchers at Palo Alto Networks' Unit 42 first spotted TGR-STA-1030 (also tracked by Mandiant as UNC6619) while investigating phishing campaigns targeting European governments in early 2025. What they found was much bigger than a few phishing emails.
Over the past year, this one group broke into:
- 5 national law enforcement and border control agencies
- 3 finance ministries
- 1 national parliament
- Ministries of interior, foreign affairs, trade, economy, immigration, mining, justice, and energy
- National telecom companies
- At least one senior elected official's systems
Seventy organizations across 37 countries. That makes this the widest cyberespionage operation attributed to a single group since the SolarWinds breach in 2020.
Named Targets
Palo Alto named some of the specific victims:
- Czech Republic: The army, police, parliament, presidency, and ministries of interior, finance, and foreign affairs
- Brazil: Ministry of Mines and Energy (the country's rare earth mineral authority)
- Indonesia: A government official's systems
- Taiwan: A power equipment supplier
- Venezuela: Venezolana de Industria Tecnológica facility
- Latin America: Confirmed compromises in Bolivia, Mexico, and Panama
The stolen data includes email server contents, financial records, diplomatic communications, and military and police operations data. This isn't website defacement. This is reading a country's mail.
How They Got In
TGR-STA-1030 used two entry points:
Targeted Phishing
The group sent spear-phishing emails disguised as organizational change announcements, written in each victim's native language. The emails delivered ZIP archives containing a custom malware loader called "Diaoyu." Once running, Diaoyu checks for antivirus software, detects sandbox environments, then downloads Cobalt Strike from GitHub repositories. From there, attackers move laterally across the network.
Unpatched Software
When phishing didn't work, they exploited known vulnerabilities (some years old) in internet-facing software. Pete Renals at Unit 42 said the group uses "highly-targeted and tailored fake emails and known, unpatched security flaws to gain access to these networks."
The list of exploited software reads like a government IT inventory:
- SAP Solution Manager
- Microsoft Exchange Server
- Microsoft Open Management Infrastructure
- Pivotal Spring Data Commons
- Apache Struts2
- Commvault CommCell
- D-Link networking equipment
- Multiple Chinese-made enterprise platforms: Eyou Email, Zhiyuan OA, Beijing Grandview Century eHR, Weaver Ecology-OA, Ruijieyi Networks products
In one case, attackers tried exploiting CVE-2019-11580 against an e-passport and e-visa system. The payload was named "rce.jar." Subtle.
ShadowGuard: The Rootkit That Hides in Kernel Space
Once inside a network, TGR-STA-1030 deploys a custom Linux rootkit called ShadowGuard. This is the technically interesting part.
ShadowGuard uses Extended Berkeley Packet Filter (eBPF), a legitimate kernel technology that lets programs run inside the Linux kernel's virtual machine. That means the rootkit operates in highly trusted kernel space without appearing as a separate loadable module. Traditional security tools don't see it.
What ShadowGuard does:
- Hides specific processes, files, and directories from system administrators
- Manipulates system functions and audit logs before security tools can observe the data
- Maintains persistence even after the initial compromise is detected and "cleaned"
Unit 42 researchers noted that "eBPF backdoors operate entirely within the highly trusted kernel space," making them almost invisible to standard endpoint detection.
Their Full Arsenal
Beyond ShadowGuard, the group uses a mix of commercial and open-source tools that security teams struggle to flag as malicious:
Command and Control
Cobalt Strike, VShell, Havoc, SparkRat, and Sliver: a mix of commercial pentesting tools and open-source frameworks.
Web Shells
Behinder, Neo-reGeorg, and Godzilla for persistent access through compromised web servers.
Tunneling and Evasion
GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX to route traffic through legitimate-looking channels.
Infrastructure
Command-and-control servers hosted on VPS providers in the US, UK, and Singapore.
The combination of legitimate tools and custom malware makes detection extremely difficult. Many of these tools are used daily by authorized penetration testers.
They Time Attacks to Geopolitical Events
TGR-STA-1030 doesn't hack randomly. Their operations sync with specific geopolitical moments:
- July 2025: Czech President Petr Pavel met with the Dalai Lama. Within weeks, the group started scanning the Czech Army, police, parliament, presidency, and multiple ministries. The attacks came after the meeting: targeted reconnaissance following a specific diplomatic event.
- October 2025: Brazil's Ministry of Mines and Energy was compromised shortly before U.S. diplomatic meetings on critical mineral supply chains.
- Late 2025: During a U.S. government shutdown, the group began scanning government infrastructure across the Americas: Brazil, Canada, Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago.
Palo Alto researchers noted the group "hoover up sensitive information in apparent coordination with geopolitical events, such as diplomatic missions, trade negotiations, political unrest and military actions."
The targets tell a story: countries establishing or exploring economic partnerships that would interest a competing nation-state.
Who's Behind It
Palo Alto officially calls TGR-STA-1030 "a state-aligned group that operates out of Asia" and declined to name a specific country. But the evidence points in one direction:
- Operators work during GMT+8 business hours
- Language settings in tools and infrastructure match the region
- Targeting patterns align with Chinese strategic interests: rare earth minerals, diplomatic intelligence, military capabilities of countries on the Belt and Road Initiative
- Multiple exploited software platforms are Chinese-made enterprise tools (Zhiyuan OA, Eyou Email, Weaver Ecology-OA)
- The Dalai Lama retaliation pattern mirrors documented Chinese APT behavior
Axios reported that "the apparent strategic interests and some of the targets are similar to past Chinese government attacks."
155 Countries Scanned
Here's the part that should worry everyone. Between November and December 2025, TGR-STA-1030 scanned government infrastructure across 155 countries for vulnerabilities. They've compromised 70 organizations in 37 countries so far. The scanning suggests they're just getting started.
Palo Alto has contacted all 37 affected countries and industry partners. But the group is still active. Still scanning. Still breaking in.
Why This Matters Beyond Geopolitics
When a hacking group compromises five national law enforcement agencies, they don't just get case files. They get informant identities, surveillance methods, undercover operations, and witness protection data. When they breach finance ministries, they get economic intelligence that moves markets. When they read diplomatic emails, they know a country's negotiating position before the meeting starts.
Border control agencies hold biometric databases, travel records, and immigration files. A breach there means someone now has a copy of who crosses which borders and when.
This isn't abstract. These compromises affect real people: informants whose covers may be blown, diplomats whose private communications are now intelligence product, citizens whose government can no longer negotiate from a position of equal information.
What Organizations Should Do
Patch Known Vulnerabilities
This group exploited flaws with patches available for years. CVE-2019-11580 is from 2019. If you're running SAP, Exchange, or any of the listed software, patch now.
Hunt for eBPF-Based Threats
Traditional endpoint detection misses ShadowGuard. Look for unusual eBPF programs loaded in kernel space. Monitor BPF system calls.
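One way to start that hunt, covering both the ShadowGuard behaviour described above and this hunting step: an added triage script (not Unit 42's tooling, and not from the original article) that reads bpftool's JSON program listing and its xlated instruction dump, then flags programs that hook kernel paths (kprobe/tracepoint/tracing), call helpers that can rewrite user memory or return values (bpf_probe_write_user, bpf_override_return), or were loaded by a process outside an allow-list. The allow-list and the embedded sample data are constructed assumptions; the bpftool field names (id, type, name, pids/comm) are the ones current bpftool emits.

```python
"""Triage loaded eBPF programs for rootkit-style hooks (added example, bpftool JSON layout assumed)."""
import json
import shutil
import subprocess

# Helpers that let an eBPF program alter user memory or a kernel function's return value,
# the building blocks for tampering with audit data and hiding processes or files.
RISKY_HELPERS = {"bpf_probe_write_user", "bpf_override_return"}
# Program types that attach to syscalls and kernel functions, where hooks are placed.
HOOK_TYPES = {"kprobe", "tracepoint", "tracing", "raw_tracepoint"}
# Processes expected to own eBPF programs on this host (assumption: tune per fleet).
KNOWN_LOADERS = {"systemd", "falco", "tetragon"}

def collect_live():
    """Return (progs, dumps) from bpftool, or None when it is unavailable or fails (needs root)."""
    if shutil.which("bpftool") is None:
        return None
    try:
        progs = json.loads(subprocess.check_output(["bpftool", "-j", "prog", "show"]))
    except (subprocess.CalledProcessError, json.JSONDecodeError):
        return None
    dumps = {}
    for p in progs:
        out = subprocess.run(["bpftool", "prog", "dump", "xlated", "id", str(p["id"])],
                             capture_output=True, text=True)
        dumps[p["id"]] = out.stdout
    return progs, dumps

def triage(progs, dumps):
    """Return a list of (id, name, reasons) for programs that deserve a closer look."""
    findings = []
    for p in progs:
        reasons = []
        if p.get("type") in HOOK_TYPES:
            reasons.append(f"hooks kernel path via {p['type']}")
        helpers = {h for h in RISKY_HELPERS if h in dumps.get(p["id"], "")}
        if helpers:
            reasons.append("uses " + ", ".join(sorted(helpers)))
        loaders = {entry["comm"] for entry in p.get("pids", [])}
        if loaders and not loaders & KNOWN_LOADERS:
            reasons.append("loaded by unexpected process " + ", ".join(sorted(loaders)))
        if reasons:
            findings.append((p["id"], p.get("name", "?"), reasons))
    return findings

# Constructed sample in bpftool's JSON shape: one benign XDP program and one kprobe
# loaded by an unknown process that writes to user memory (the hiding pattern).
SAMPLE_PROGS = [
    {"id": 12, "type": "xdp", "name": "xdp_pass", "pids": [{"pid": 900, "comm": "systemd"}]},
    {"id": 47, "type": "kprobe", "name": "hook_getdents", "pids": [{"pid": 4211, "comm": "unknown_ld"}]},
]
SAMPLE_DUMPS = {12: "0: (b7) r0 = 2\n1: (95) exit\n", 47: "... call bpf_probe_write_user#36 ..."}

if __name__ == "__main__":
    progs, dumps = collect_live() or (SAMPLE_PROGS, SAMPLE_DUMPS)
    for prog_id, name, reasons in triage(progs, dumps):
        print(f"prog id={prog_id} name={name}: " + "; ".join(reasons))
```

A hit is a lead, not a verdict: legitimate observability agents also load kprobes, so compare against a baseline taken from a known-good host before escalating.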
Check for Tunneling Tools
GOST, FRPS, and IOX running on your network shouldn't be there unless your pentest team put them there. Hunt for them.
Assume Phishing Works
Build defenses assuming staff will click. Segment networks, enforce least privilege, use hardware MFA, and log everything.
The Bigger Picture
One group. Seventy organizations. Thirty-seven countries. Law enforcement, militaries, parliaments, finance ministries: all compromised by the same team using phishing emails and unpatched software.
They timed their attacks to diplomatic meetings and political crises. They deployed a rootkit that hides in kernel space. They're scanning 155 countries for their next targets.
Palo Alto warned that the campaign's "methods, targets, and scale of operations are alarming" with potential long-term national security consequences. That's measured language from a security company. Read between the lines: this is one of the most significant espionage operations uncovered in years, and it's still running.
References
- Palo Alto Networks Unit 42 - The Shadow Campaigns: Uncovering Global Espionage (February 5, 2026)
- CSO Online - New APT group breached gov and critical infrastructure orgs in 37 countries (February 2026)
- Japan Times - Hackers Hit Sensitive Targets in 37 Nations in Vast Spying Plot (February 6, 2026)
- Claims Journal - Hackers Hit Sensitive Targets in 37 Nations in Spying Plot (February 5, 2026)
- SecurityWeek - Cyberspy Group Hacked Governments and Critical Infrastructure in 37 Countries (February 2026)