The Shadow Campaigns: Uncovering Global Espionage

Feb. 5, 2026, 8:40 p.m.

Description

This investigation reveals a new cyberespionage group tracked as TGR-STA-1030, believed to be a state-aligned actor operating from Asia. Over the past year, the group has compromised government and critical infrastructure organizations in 37 countries, targeting ministries, law enforcement agencies, and departments related to economic, trade, and diplomatic functions. The group employs sophisticated phishing and exploitation techniques, leveraging various tools and infrastructure to maintain persistent access. Their activities span across the Americas, Europe, Asia, Oceania, and Africa, with a focus on countries exploring certain economic partnerships. The group's operations often coincide with significant geopolitical events and economic interests, particularly in sectors like rare earth minerals and international trade agreements.

External References

https://otx.alienvault.com/pulse/6984fb96aab9cc504d06ea4e
https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage
Tags
phishing
cobalt strike
government
exploitation
sliver
cyberespionage
godzilla
behinder
sparkrat
infrastructure
havoc
neo-regeorg
asia
vshell
global
CVE-2019-11580
2026-02-05
diaoyu loader
shadowguard

Date

  • Created: Feb. 5, 2026, 8:20 p.m.
  • Published: Feb. 5, 2026, 8:20 p.m.
  • Modified: Feb. 5, 2026, 8:40 p.m.

Indicators

  • 293821e049387d48397454d39233a5a67d0ae06d59b7e5474e8ae557b0fc5b06
  • c876e6c074333d700adf6b4397d9303860de17b01baa27c0fa5135e2692d3d6f
  • 66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0
  • 7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d
  • 5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe
  • 358ca77ccc4a979ed3337aad3a8ff7228da8246eebc69e64189f930b325daf6a
  • 5ddeff4028ec407ffdaa6c503dd4f82fa294799d284b986e1f4181f49d18c9f3
  • 9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4
  • 182a427cc9ec22ed22438126a48f1a6cd84bf90fddb6517973bcb0bac58c4231
  • 23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe
  • b2a6c8382ec37ef15637578c6695cb35138ceab42ce4629b025fa4f04015eaf2
  • 142.91.105.172
  • 159.203.164.101
  • 208.85.21.30
  • 146.190.152.219
  • 188.127.251.171
  • 157.245.194.54
  • 178.128.60.22
  • 188.166.210.146
  • 178.128.109.37
  • 157.230.34.45
  • 138.197.44.208
Download all indicators here!

Attack Patterns

  • ShadowGuard
  • Havoc - S1229
  • Sliver
  • Cobalt Strike - S0154
  • Neo-reGeorg - S1189
  • VShell
  • Behinder
  • Godzilla
  • Diaoyu Loader
  • SparkRat
  • TGR-STA-1030

Additional Informations

  • Energy
  • Finance
  • Transport
  • Telecommunications
  • Government and administrations
  • Defense
  • pr0fu5a.me
  • msonline.help
  • dog3rj.tech
  • zamstats.me
  • gouvn.me
  • abwxjp5.me
  • emezonhe.me
  • brackusi0n.live
  • servgate.me
  • pickupweb.me
  • q74vn.live
  • 888910.xyz
  • zrheblirsy.me
  • Taiwan
  • Czechia
  • Brazil
  • Uzbekistan
  • India
  • British Indian Ocean Territory
  • Niger
  • Panama
  • Zambia
  • Poland
  • Nigeria
  • Saudi Arabia
  • Serbia
  • Venezuela, Bolivarian Republic of
  • Papua New Guinea
  • Japan
  • United Kingdom of Great Britain and Northern Ireland
  • Namibia
  • Mongolia
  • Germany
  • Afghanistan
  • Malaysia
  • Djibouti
  • Singapore
  • Bolivia, Plurinational State of
  • Bangladesh
  • Greece
  • Sri Lanka
  • Ethiopia
  • Mexico
  • Indonesia
  • Italy
  • United States of America
  • Cyprus
  • Portugal
  • Thailand

Linked vulnerabilities

CVE-2019-11580

None
Published: