Feb 07, 2026 · 5 min read
One Hacking Group Just Breached 37 Countries—Here's What They Stole
Security researchers have uncovered the most extensive cyberespionage operation since SolarWinds. A single Asian state-backed group compromised 70 government agencies across 37 countries and conducted reconnaissance against 155 nations.
The Shadow Campaigns
Palo Alto Networks' Unit 42 research team published findings this week on what they call the Shadow Campaigns, a year-long cyberespionage operation conducted by a previously undocumented threat actor tracked as TGR-STA-1030.
The scale is staggering. Over the past 12 months, this single group successfully breached approximately 70 government and critical infrastructure organizations across 37 countries. Between November and December 2025 alone, researchers observed the group conducting active reconnaissance against government systems in 155 nations across the Americas, Europe, Asia, and Africa.
This makes it the most wide-reaching cyberespionage operation attributed to a single government hacking group since the 2020 SolarWinds breach.
Who Was Targeted
The victims read like a list of a nation-state's strategic intelligence priorities:
- Five national law enforcement and border control agencies
- Three ministries of finance
- Government departments handling diplomacy, trade, and natural resources
- One nation's parliament
- Telecommunications companies
- Critical infrastructure including power generation facilities
Specific confirmed victims include Brazil's Ministry of Mines and Energy, the Czech Republic's parliament and army, an Indonesian government official, and a Taiwanese power equipment supplier.
What They Stole
Unit 42 confirmed that the threat actors successfully accessed and exfiltrated sensitive data from victim email servers. The stolen information includes:
- Financial negotiation documents and contracts
- Banking and account information
- Critical military operational updates
- Immigration and economic intelligence data
- Business files related to power generation projects
For citizens of affected countries, this means their personal data held by border control agencies, tax authorities, and government databases may now be in the hands of a foreign intelligence service.
How They Did It
The attackers employed a combination of phishing and exploitation of known vulnerabilities.
Their phishing campaigns were carefully crafted around themes that would appeal to government employees, particularly messages about ministry or department reorganizations. Malicious files were hosted on mega.nz and distributed directly to government email addresses.
For initial access, the group exploited known vulnerabilities in:
- SAP enterprise software
- Microsoft Exchange email servers
- D-Link network equipment
- Various regional applications
Notably, researchers did not observe the group developing or deploying any zero-day exploits. They relied entirely on known vulnerabilities that organizations had failed to patch, a reminder that basic security hygiene remains critical.
Once inside, the attackers deployed Cobalt Strike, the VShell command and control framework, and various web shells including Behinder, Neo-reGeorg, and Godzilla. They also used a custom Linux rootkit called ShadowGuard to maintain persistent access.
Attribution: An Asian State Actor
Unit 42 assesses with high confidence that TGR-STA-1030 is a state-aligned group operating out of Asia. Several indicators support this conclusion:
- Activity aligned with GMT+8 working hours
- Direct connections from AS 9808, an Asian internet service provider
- Certificate artifacts on Tencent servers in the region
- Use of regional tooling and infrastructure preferences
- One attacker used the handle "JackMa," potentially referencing Alibaba's co-founder
The targeting patterns and strategic interests align with past Chinese government operations, though Unit 42 stopped short of directly naming China as the responsible party.
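The working-hours indicator in that list is one an incident responder can check against their own timeline. The script below is an added example, not code from Unit 42 or the report: it scores every whole-hour UTC offset by how many activity timestamps fall inside a weekday office window, so the GMT+8 case above is just the offset that scores best. The timestamps are constructed, and the 09:00 to 18:00 weekday window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker logins and commands (not real data).
# Nov 3 2025 is a Monday; the Nov 8 entry is a Saturday and will not count as office time.
SAMPLE_EVENTS_UTC = [
    "2025-11-03T01:12:00Z", "2025-11-03T02:45:00Z", "2025-11-03T06:30:00Z",
    "2025-11-04T01:05:00Z", "2025-11-04T03:15:00Z", "2025-11-04T08:05:00Z",
    "2025-11-05T01:40:00Z", "2025-11-05T05:20:00Z", "2025-11-05T09:30:00Z",
    "2025-11-06T02:00:00Z", "2025-11-06T07:10:00Z", "2025-11-07T04:25:00Z",
    "2025-11-08T03:00:00Z",
]

# Assumed local office window: 09:00 inclusive to 18:00 exclusive, Monday to Friday.
WORK_START, WORK_END = 9, 18


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_office_hours(ts, offset_hours):
    """True if the event lands on a weekday inside the office window at this UTC offset."""
    local = ts.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def office_hour_fit(events):
    """Share of events inside weekday office hours, for every whole-hour offset UTC-12..UTC+14."""
    parsed = [parse_utc(e) for e in events]
    return {
        off: sum(in_office_hours(p, off) for p in parsed) / len(parsed)
        for off in range(-12, 15)
    }


def best_offsets(events, top=3):
    """Offsets ranked by fit; ties broken toward the smaller absolute offset."""
    fit = office_hour_fit(events)
    return sorted(fit.items(), key=lambda kv: (-kv[1], abs(kv[0])))[:top]


if __name__ == "__main__":
    # Caveat for analysts: a strong fit is one indicator, not attribution by itself.
    # Proxies, shift work, or deliberately scheduled activity can all skew it.
    for off, share in best_offsets(SAMPLE_EVENTS_UTC):
        print(f"UTC{off:+d}: {share:.0%} of events in weekday office hours")
```

On the constructed data the best fit is UTC+8 with 12 of 13 events in the window; the only miss is the Saturday event, which is exactly the kind of off-hours outlier worth a second look before relying on the indicator.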
Why This Matters
This campaign reveals the true scale of state-sponsored surveillance. While much attention focuses on spyware targeting individuals, operations like this compromise entire government systems, potentially exposing the data of millions of citizens.
The breach of law enforcement and border control agencies is particularly concerning. These systems contain passport information, travel records, visa applications, and immigration data. In the hands of a foreign intelligence service, this information could be used for tracking individuals, compromising diplomats, or identifying intelligence assets.
The breadth of the campaign, spanning 37 countries and reconnaissance against 155, demonstrates that no nation is too small or too remote to be a target. State-sponsored hackers are systematically mapping and penetrating government systems worldwide.