Shadow Campaigns Espionage Ops Targeted 155 Countries

The Shadow Campaigns are a series of large-scale cyber-espionage operations attributed to a state-aligned threat group tracked by Palo Alto Networks Unit 42 as TGR-STA-1030 (also known as UNC6619). Active since at least early 2024, the group has conducted sustained intelligence-gathering operations against government and critical infrastructure organizations worldwide. Unit 42 assesses with high confidence that the group operates out of Asia and pursues strategic geopolitical and economic objectives rather than financial gain.

Severity: High

Threat Actor Profile

TGR-STA-1030 is assessed to be a state-aligned cyber-espionage actor with a high degree of operational maturity. The group demonstrates disciplined targeting, long-term persistence, and the ability to align cyber operations closely with real-world diplomatic, political, and economic events. Operational patterns, infrastructure, tooling preferences, and time-zone alignment consistently point to an Asian origin.

Targets And Motivation

  • Scale: The group has compromised at least 70 organizations across 37 countries and conducted reconnaissance against infrastructure in 155 countries.
  • Primary Targets:
    • Government ministries (finance, foreign affairs, trade, interior, justice)
    • National law enforcement and border control agencies
    • Telecommunications, energy, mining, and other critical infrastructure entities
  • Motivations: Campaigns often align with real-world events such as elections (e.g., Honduras, Bolivia), international trade agreements (e.g., Mexico), and the extraction of natural resources like rare earth minerals (e.g., Brazil, Bolivia, DRC).

Threat Details

1. Initial Access:

  • Phishing: Spear-phishing emails with lures themed on ministry reorganizations, with the malicious files hosted on mega[.]nz.
  • Exploitation: Leverages N-day exploits and proof-of-concept code for vulnerabilities in systems like Atlassian Crowd (CVE-2019-11580), Microsoft Exchange, and various OA (Office Automation) software.

2. Tooling:

  • Malware: Uses a custom loader called DiaoYu (“fishing” in Chinese), which employs environmental guardrails to evade sandbox analysis.
  • Rootkit: Utilizes ShadowGuard, a unique eBPF-based Linux kernel rootkit designed for stealthy process and file hiding.
  • C2 Frameworks: Transitioned from Cobalt Strike to VShell (a Go-based framework) and occasionally uses Havoc, Sliver, or SparkRAT.
  • Web Shells: Frequently deploys Behinder, Neo-reGeorg, and Godzilla.

3. Exploitation Capabilities:

TGR-STA-1030 does not rely on zero-day exploits but aggressively weaponizes N-day vulnerabilities across widely deployed enterprise and government technologies. Exploited technologies include:

  • Microsoft Exchange and Open Management Infrastructure
  • SAP Solution Manager
  • Atlassian Crowd (CVE-2019-11580)
  • Various OA platforms, routers, and web applications

Exploitation is frequently paired with reconnaissance to rapidly expand access once an entry point is identified.
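The ShadowGuard rootkit described above hides processes and files from inside the kernel via eBPF, so a first triage step on a suspect Linux host is to inventory the eBPF programs that are loaded and ask which process loaded each one. The script below is an added example (not Unit 42's or Ampcus Cyber's code, and not a signature for ShadowGuard specifically, whose exact hooks this page does not describe). It assumes the JSON fields (id, type, name, pids[].comm) follow `bpftool prog show -j` on a kernel and bpftool recent enough to report owning PIDs; the sample output and the KNOWN_LOADERS allow-list are constructed placeholders to tune per host.

```python
"""Inventory loaded eBPF programs and flag the tracing hooks a file- and
process-hiding rootkit needs (added example; not Unit 42's or Ampcus Cyber's
code, and not a signature for ShadowGuard specifically).

Assumptions: the JSON fields (id, type, name, pids[].comm) follow
`bpftool prog show -j` on a kernel and bpftool recent enough to report owning
PIDs; the sample below is constructed; KNOWN_LOADERS is a placeholder
allow-list to tune per host.
"""
import json
import sys
from typing import Dict, List

# Program types that can observe or alter syscall results such as getdents64
# (directory listings) or process-visibility paths.  Network-only types such as
# xdp or sched_cls cannot hide files or processes, so they are ignored.
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Processes expected to load tracing programs on this host (assumption).
KNOWN_LOADERS = {"systemd", "falco", "tetragon", "bpftrace", "cilium-agent"}

# Constructed sample in the shape of `bpftool prog show -j`.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress",
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 57, "type": "tracepoint", "name": "hide_getdents",
     "pids": [{"pid": 4412, "comm": "kworkerd"}]},
    {"id": 58, "type": "kprobe", "name": "hide_kill",
     "pids": [{"pid": 4412, "comm": "kworkerd"}]},
    {"id": 59, "type": "tracepoint", "name": "syscall_audit",
     "pids": [{"pid": 900, "comm": "falco"}]},
    {"id": 60, "type": "kprobe", "name": "orphan_probe"},   # no owning pid
])

NO_OWNER = "<none: loader exited or program pinned>"


def suspicious_programs(bpftool_json: str) -> List[Dict]:
    """Return tracing-capable programs not attributable to a known loader."""
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOK_TYPES:
            continue
        owners = {p.get("comm", "?") for p in prog.get("pids", [])}
        # A program whose every owner is an expected tool is left alone; one
        # with an unknown owner, or no reported owner at all, is reported.
        if owners and owners <= KNOWN_LOADERS:
            continue
        findings.append({
            "id": prog["id"],
            "type": prog["type"],
            "name": prog.get("name", ""),
            "owners": sorted(owners) or [NO_OWNER],
        })
    return findings


if __name__ == "__main__":
    # Usage (as root):  bpftool prog show -j | python3 ebpf_inventory.py
    # With no piped input the constructed sample is used instead.
    data = SAMPLE_BPFTOOL_JSON if sys.stdin.isatty() else sys.stdin.read()
    for f in suspicious_programs(data):
        print(f"prog id={f['id']} type={f['type']} name={f['name']!r} "
              f"loaded_by={','.join(f['owners'])}")
```

Two caveats apply. A rootkit that already runs in the kernel can filter what bpftool itself sees, since bpftool relies on the same syscalls, so an empty result is weak evidence and should be cross-checked with a second tool or from trusted boot media. And older bpftool builds omit the pids field entirely, in which case every tracing program shows up as unowned and the list must be reviewed by hand.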

Recommendations

  1. Publish SPF and DKIM for all government and enterprise domains and enforce DMARC with a strict reject policy (p=reject).
  2. Deploy advanced phishing detection capable of analyzing archive attachments (ZIP/RAR) and cloud-hosted links (e.g., MEGA).
  3. Block or closely monitor cloud file-sharing services frequently abused for malware delivery.
  4. Conduct regular phishing simulations using government-themed lures to raise user awareness of spear-phishing tactics.
  5. Prioritize patching of internet-facing systems, especially:
    • Microsoft Exchange
    • SAP components
    • Atlassian products (including Crowd)
    • OA platforms and legacy web applications
  6. Track and remediate N-day vulnerabilities, as the group is known to rapidly exploit publicly available exploits.
  7. Block the published IOCs at the relevant controls (mail gateway, DNS/proxy, firewall, EDR):
    https://www.virustotal.com/gui/collection/4b01c26661315072499181e739198ad766640ea6368622047314467d5e25bf14/iocs
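Recommendations 1 to 3 describe what a receiving mail pipeline should check: the DMARC/SPF/DKIM verdict, links to cloud file-sharing services such as mega[.]nz, and archive attachments. The following script is an added example (not Unit 42's or Ampcus Cyber's code) that scores one message on exactly those traits. It assumes the MTA stamps an RFC 8601 Authentication-Results header (OpenDMARC, Exchange Online and Gmail do); the MEGA hosts other than mega.nz, the severity rules and the sample message are constructed for illustration.

```python
"""Triage an inbound message for the delivery traits this advisory calls out:
links to cloud file-sharing services (mega[.]nz) and archive attachments,
weighed against the DMARC/SPF/DKIM verdict the receiving MTA recorded.

Added example, not Unit 42's or Ampcus Cyber's code. Assumptions: the MTA
stamps an RFC 8601 Authentication-Results header; the hosts other than
mega.nz, the severity rules and the sample message below are constructed.
"""
import email
import re
import sys
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# mega[.]nz is named in the report; the other MEGA domains are assumed.
FILE_SHARING_HOSTS = {"mega.nz", "mega.co.nz", "mega.io"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img")
URL_HOST_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample: a ministry-reorganisation lure with a MEGA link and a RAR.
SAMPLE_EML = b"""\
Authentication-Results: mx.example.gov; spf=fail smtp.mailfrom=finance-ministry.example;
 dkim=none; dmarc=fail (p=reject) header.from=finance-ministry.example
From: Secretaria General <secretaria@finance-ministry.example>
To: staff@example.gov
Subject: Reorganizacion del Ministerio - documento adjunto
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Descargue el organigrama actualizado: https://mega.nz/file/abc123#keyxyz

--b1
Content-Type: application/x-rar-compressed; name="Reorganizacion.rar"
Content-Disposition: attachment; filename="Reorganizacion.rar"
Content-Transfer-Encoding: base64

UmFyIRoHAQA=
--b1--
"""


def auth_results(msg: EmailMessage) -> Dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    verdicts: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(hdr)):
            verdicts.setdefault(method.lower(), result.lower())   # first header wins
    return verdicts


def file_sharing_links(msg: EmailMessage) -> List[str]:
    """Hosts of URLs in the text parts that point at file-sharing services."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for host in URL_HOST_RE.findall(part.get_content()):
            host = host.lower().split(":")[0]          # drop any :port
            if host in FILE_SHARING_HOSTS or any(
                    host.endswith("." + h) for h in FILE_SHARING_HOSTS):
                hits.append(host)
    return hits


def archive_attachments(msg: EmailMessage) -> List[str]:
    """Filenames of attachments with archive or disk-image extensions."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw: bytes) -> Dict[str, object]:
    """Lure traits from an unauthenticated sender is the pattern in the
    advisory; lure traits alone still merit a look, since an attacker-owned
    domain can pass DMARC."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = auth_results(msg)
    links = file_sharing_links(msg)
    archives = archive_attachments(msg)
    lure = bool(links or archives)
    authenticated = verdicts.get("dmarc") == "pass"
    if lure and not authenticated:
        severity = "high"
    elif lure:
        severity = "medium"
    else:
        severity = "low"
    return {"from": str(msg["From"]), "verdicts": verdicts,
            "file_sharing_links": links, "archives": archives,
            "severity": severity}


if __name__ == "__main__":
    # Usage:  python3 mail_triage.py < message.eml   (sample used if no stdin)
    raw = SAMPLE_EML if sys.stdin.isatty() else sys.stdin.buffer.read()
    print(triage(raw))
```

The archive check looks only at the declared filename; a gateway should also inspect the content (magic bytes, nested archives, password-protected members) before trusting the result, and the DMARC verdict is only as good as the Authentication-Results header of your own MTA, so strip any such header that arrives from outside before evaluating it.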

Source:

  • https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/

Ampcus Cyber