Shadow Campaigns compromised 70 organizations across 37 countries and, according to Unit 42, demonstrates how a single cyber-espionage operation can impact government and critical structures at exceptional scale within a single year.
The report published by Palo Alto Networks Unit 42 on February 5, 2026 describes a campaign series active since January 2024, which Unit 42 tracks under the cluster names TGR-STA-1030 and UNC6619. Unit 42 assesses the actor as state-aligned and operating out of Asia. As supporting indicators, the report cites patterns in language settings, targeting, and timing aligned with regional interests, as well as recurring activity windows correlated with GMT+8. The handle “JackMa” also appears within the attacker environment.
The core finding remains the scale. Shadow Campaigns compromised 70 organizations across 37 countries over a twelve-month period. Unit 42 presents this as confirmed compromise across broad geographic reach and frames it as affecting roughly one out of every five countries. In addition, Unit 42 observed reconnaissance activity against government infrastructure between November and December 2025 that it associated with 155 countries. Affected organizations were notified, and indicators were shared in advance with industry partners.
Why “70 in 37” is more than a headline
Shadow Campaigns compromised 70 organizations across 37 countries not through a single exploit or one-off phishing pattern, but through a repeatable operational design. That is precisely what makes the figures strategically significant. Unit 42 describes longer dwell time across multiple victims and a target set that largely consists of government ministries, agencies, national parliaments, and national telecommunications and security structures. The report explicitly references national law-enforcement and border-security organizations as well as finance ministries, complemented by departments responsible for the economy, trade, natural resources, and diplomatic functions.
For accurate interpretation, a clear distinction is essential. Reconnaissance is a precursor, but it is not evidence of successful compromise for every scanned system. The Unit 42 report separates these two layers. Likewise, the report does not quantify monetary impact. For defensible communication, it is therefore more precise to speak of confirmed intrusions, espionage intent, and risks to state functions rather than attempting to quantify “damage.”
Initial access via phishing and file hosting in February 2025
Unit 42 first identified Shadow Campaigns through phishing campaigns that targeted European governments in February 2025. The lures referenced alleged reorganizations of ministries or agencies. Links led to ZIP archives hosted on mega[.]nz, with file naming and language tailored to the target institution. Inside the archives, Unit 42 found an executable with the same name as the ZIP file along with a zero-byte file named pic1.png. From the metadata, Unit 42 derived a file version of 2025.2.13.0; the original name is listed as DiaoYu.exe, which Unit 42 interprets as an allusion to “fishing” and therefore to phishing.
Technically notable is the anti-analysis logic Unit 42 describes as guardrails. The loader requires a horizontal screen resolution of at least 1440 pixels and additionally checks for the presence of pic1.png in the execution directory. If the file is missing, the process terminates in a controlled manner before observable malicious behavior occurs. Only then does the malware audit the host for selected security products, explicitly searching for several process names such as Avp.exe, SentinelUI.exe, and NortonSecurity.exe. Unit 42 notes that this selection is unusually narrow and that the motivation remains unclear.
After these checks, the malware downloads multiple files from GitHub, according to Unit 42, including image files from a repository that is no longer available. These artifacts are then processed so that a Cobalt Strike payload is ultimately installed. The flow matches a loader pattern in which seemingly benign resources are used as building blocks to assemble the final payload and hinder detection.
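As an added example (not Unit 42's code), the following Python triage routine checks a ZIP attachment for the lure structure the report describes: an executable whose name matches the archive, plus a zero-byte pic1.png that the loader uses as its execution guardrail. The sample archive is constructed in memory; the archive name is a placeholder.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions treated as executables when matching against the archive stem.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def triage_archive(archive_name: str, data: bytes) -> dict:
    """Return heuristic findings for one ZIP lure.

    Flags the two traits reported for the Shadow Campaigns archives:
    - an executable member named like the archive itself
    - a zero-byte member named pic1.png (the loader's guardrail file)
    """
    findings = {"exe_named_like_archive": False, "zero_byte_pic1": False, "members": []}
    stem = PurePosixPath(archive_name).stem.lower()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = PurePosixPath(info.filename)  # handles nested directories
            findings["members"].append((info.filename, info.file_size))
            if member.suffix.lower() in EXECUTABLE_SUFFIXES and member.stem.lower() == stem:
                findings["exe_named_like_archive"] = True
            if member.name.lower() == "pic1.png" and info.file_size == 0:
                findings["zero_byte_pic1"] = True
    # Both traits together match the reported lure; either alone is weaker signal.
    findings["suspicious"] = findings["exe_named_like_archive"] and findings["zero_byte_pic1"]
    return findings


def build_sample(archive_name: str, with_guardrail: bool = True) -> bytes:
    """Constructed sample archive mirroring the reported layout (not a real lure)."""
    buf = io.BytesIO()
    stem = PurePosixPath(archive_name).stem
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{stem}.exe", b"MZ placeholder bytes, not a real binary")
        if with_guardrail:
            zf.writestr("pic1.png", b"")
    return buf.getvalue()


if __name__ == "__main__":
    name = "Ministry_Reorganisation_2025.zip"  # placeholder archive name
    print(triage_archive(name, build_sample(name)))
```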
N-day exploits instead of zero-days
Unit 42 emphasizes that it did not observe zero-day development or exploitation during the reporting period. Instead, the actor combines reconnaissance with exploit attempts against known vulnerabilities and uses widely available tools, exploitation kits, and proof-of-concept code. The report references attempts against various server components and platforms, including Microsoft Exchange Server, as well as additional RCE, directory traversal, and injection classes across multiple products.
A concrete, technically straightforward example is CVE-2019-11580 in Atlassian Crowd. Unit 42 describes an exploit attempt against e-passport and e-visa services at a foreign ministry, during which the actor uploaded a file named rce.jar. Atlassian classifies CVE-2019-11580 as critical for affected versions of Crowd and Crowd Data Center. The official CVE record describes the issue as allowing installation of arbitrary plugins, enabling remote code execution on vulnerable instances. Additional vulnerability metadata is available in the NVD entry.
Persistence via eBPF in the kernel, ShadowGuard as a stealth component
For defenders, it is especially relevant that Unit 42 describes not only initial access and exploits but also kernel-adjacent persistence. Unit 42 documents a Linux eBPF rootkit named ShadowGuard that runs in kernel space and is therefore difficult to detect. The report describes kernel-level concealment, process hiding via interception mechanisms, and hiding of files or directories named swsecret. On startup, ShadowGuard checks, among other things, for root privileges, eBPF support, and tracepoint support. This adds a capability that undermines classic user-space detection and common visibility assumptions.
The report also describes the C2 landscape as flexible. Unit 42 observed frequent use of Cobalt Strike in early phases and a later shift toward VShell as the preferred C2 framework. The report additionally lists other frameworks and web shells. Operationally, this means detection should not be reduced to a single tool signature set, but should focus on TTPs, infrastructure patterns, and anomalous administrator and process paths.
Priorities for security teams
- Harden phishing defenses in government workflows, particularly for “reorganization” lures and externally hosted ZIP archives. Practical measures include strict URL and attachment handling policies, threat inspection, and targeted awareness for ministerial processes.
- Prioritize attack surface management for internet-exposed systems. The Unit 42 report shows that N-day vulnerabilities remain a scalable initial access path once attack surfaces are persistently reachable.
- Expand Linux telemetry and hunting to include kernel-adjacent signals. eBPF rootkits operate without classic kernel modules and can undermine visibility assumptions, making integrity checks, kernel auditing, and consistent baseline controls essential.
- Align incident response to longer dwell time. This includes adequate log retention, credential hygiene, detection for lateral movement, and clear measures to prevent re-entry after containment.
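Supporting the ShadowGuard discussion and the Linux telemetry priority above, here is an added hunting example (not from Unit 42 or the ShadowGuard sample) that triages the JSON output of `bpftool prog show -j`, a real bpftool invocation, for programs attached at kernel hook types such as tracepoints and kprobes that are not on a host baseline. The field names assumed for each entry (`id`, `type`, `name`, `pids`) follow bpftool's JSON output as I know it, and the sample listing is constructed.

```python
import json

# Hook types an eBPF rootkit needs for process or file hiding (tracepoint,
# kprobe, tracing, lsm); packet-path types are not triaged here.
HOOK_TYPES = {"tracepoint", "kprobe", "kretprobe", "tracing", "lsm"}
# Name fragments hinting at syscall interception (directory listing, signals).
SUSPECT_TOKENS = ("getdents", "sys_enter", "sys_exit", "openat", "kill")


def flag_bpf_programs(prog_json: str, allowed_names=frozenset()) -> list:
    """Parse `bpftool prog show -j` output; return hook-type programs that
    are not on the allowlist, with the reasons each one was flagged."""
    flagged = []
    for prog in json.loads(prog_json):
        ptype, name = prog.get("type", ""), prog.get("name", "")
        if ptype not in HOOK_TYPES or name in allowed_names:
            continue
        reasons = [f"attached at hook type {ptype}"]
        if any(tok in name for tok in SUSPECT_TOKENS):
            reasons.append("name references a syscall/listing hook")
        # Assumption: a program with no owning pid survived its loader, which
        # is what a pinned rootkit program looks like after the dropper exits.
        if not prog.get("pids"):
            reasons.append("no owning process (pinned or orphaned)")
        flagged.append({"id": prog.get("id"), "name": name,
                        "type": ptype, "reasons": reasons})
    return flagged


# Constructed sample resembling bpftool JSON; ids and names are made up.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sk_ingress",
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 7, "type": "tracepoint", "name": "bcc_execsnoop",
     "pids": [{"pid": 2211, "comm": "execsnoop"}]},
    {"id": 40, "type": "tracepoint", "name": "tp_getdents64", "pids": []},
    {"id": 41, "type": "kprobe", "name": "probe_kill", "pids": []},
])

if __name__ == "__main__":
    for hit in flag_bpf_programs(SAMPLE_BPFTOOL_JSON, {"bcc_execsnoop"}):
        print(hit)
```

On a live host, feed the script the output of `bpftool prog show -j` and maintain the allowlist from a known-good baseline of that host's own eBPF tooling.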
Conclusion
Shadow Campaigns compromised 70 organizations across 37 countries and demonstrates an operational maturity built on a stable three-part model. Phishing via file hosting provides initial access, N-day exploitation expands reach, and eBPF-based kernel persistence increases stealth and dwell time. For government bodies and operators of critical services, the findings are a concrete signal that resilience against large-scale cyber espionage requires not only governance, but end-to-end technical controls, disciplined patch management, and kernel-adjacent visibility.