InfoSecBulletin Cybersecurity for mankind
According to Palo Alto Networks, a state-backed hacking group compromised government and critical infrastructure systems worldwide. The security firm identifies the threat actor as TGR-STA-1030, and their recent activity is dubbed as the Shadow Campaign.
Palo Alto Networks expressed high confidence that it’s a nation-state group operating out of Asia based on the use of regional tools and services, language preferences, targets, and operational infrastructure located in the region. The security firm hasn’t named a specific country for Shadow Campaign, but its activities suggest it resembles a Chinese threat actor.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
“Palo Alto Networks Unit 42 confirmed that the threat actor successfully accessed and exfiltrated sensitive data from victim email servers,” Unit 42 Director of National Security Programs Pete Renals told The Register. “This included financial negotiations and contracts, banking and account information, and critical military-related operational updates.”
“The Cybersecurity and Infrastructure Security Agency is aware of the hacking group identified as TGR-STA-1030 by Palo Alto Networks,” a CISA spokesperson told The Register. “We are working with our government, industry, and international partners to rapidly detect and mitigate any exploitation of the vulnerabilities identified in the report.”
Palo Alto researchers found that TGR-STA-1030 has hacked at least 70 organizations in 37 countries. The hackers have also been surveying government systems in 155 countries.
Targets included national law enforcement, border control agencies, finance ministries, and government departments related to trade, natural resources, and diplomacy.
“This group compromised one nation’s parliament and a senior elected official of another. It also compromised national-level telecommunications companies and several national police and counter-terrorism organizations,” Palo Alto Networks said.
It added, “While this group might be pursuing espionage objectives, its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services.”
The security firm has tracked TGR-STA-1030 since early 2025, initially targeting European governments, but evidence indicates it may have been active since January 2024.
Initial access, malware, and vulnerability exploitation:
Hackers gained entry to targeted organizations using advanced email phishing tactics to convince recipients to install malware. The malware loader in the Shadow Campaign checks for only five security products, unlike many loaders that check for many. This helps it evade detection.
The threat actor employs various tools, with the most significant being ShadowGuard, a Linux kernel rootkit identified by Palo Alto. It allows attackers to alter system data and stay undetected.
Palo Alto has observed attempts to exploit known vulnerabilities in products from Microsoft, SAP, Atlassian, D-Link, Apache, Commvault, and several Chinese vendors, but there’s no evidence of zero-day vulnerabilities being exploited.
Indicators of Compromise:
IP Addresses
138.197.44[.]208
142.91.105[.]172
146.190.152[.]219
157.230.34[.]45
157.245.194[.]54
159.65.156[.]200
159.203.164[.]101
178.128.60[.]22
178.128.109[.]37
188.127.251[.]171
188.166.210[.]146
208.85.21[.]30
Palo Alto Networks found that the group uses various command-and-control (C2) frameworks typical for their region to move laterally and maintain access in compromised systems.
8.7 billion records leaked: Inside the huge Chinese data breach
