Shadow Campaign: Cyberespionage Operation Uncovered On 37 Countries

A newly identified state-sponsored cyberespionage group has launched a sweeping campaign against governments and critical infrastructure worldwide, according to research released by Palo Alto Networks.

The group, tracked as TGR-STA-1030, is behind what the firm has dubbed the Shadow Campaign—a sophisticated operation with hallmarks of a nation-state actor operating out of Asia. Indicators such as language preferences, infrastructure location, and activity patterns aligned with the GMT+8 timezone point toward a Chinese-linked threat profile, though Palo Alto has stopped short of direct attribution.

Scale of the Attack

  • 70 organizations compromised across 37 countries
  • Reconnaissance activity spanning 155 countries
  • High-value targets included:
    • National parliaments and senior elected officials
    • Law enforcement and border control agencies
    • Ministries of finance, trade, and diplomacy
    • National telecom providers and counter-terrorism organizations

“This group compromised one nation’s parliament and a senior elected official of another. It also compromised national-level telecommunications companies and several national police and counter-terrorism organizations.”

Techniques and Tools

  • Initial Access: Phishing emails delivering a custom malware loader. Unlike typical loaders that check for dozens of security products, this one only scans for five—likely to reduce detection risk.
  • Custom Rootkit: The campaign introduced ShadowGuard, a previously unknown Linux kernel rootkit capable of altering system data and concealing attacker presence.
  • Exploitation: While no zero-day exploits were observed, attackers attempted to leverage known vulnerabilities in widely used products from Microsoft, SAP, Atlassian, D-Link, Apache, Commvault, and several Chinese vendors.

Timeline

  • Active since at least January 2024
  • First detected by Palo Alto in early 2025, initially targeting European governments

Why It Matters

The Shadow Campaign highlights the evolving threat landscape where cyberespionage groups are not only stealing intelligence but also positioning themselves to disrupt critical services. With targets spanning parliaments, telecoms, and law enforcement, the long-term implications for national security are profound.

As part of the investigation into the Shadow Campaign, a new Linux kernel rootkit was identified, which we’ve named ShadowGuard. The sample analyzed (SHA-256: 7808B1E01EA790548B472026AC783C73A033BB90BBE548BF3006ABFBCB48C52D) is an Extended Berkeley Packet Filter (eBPF) rootkit designed for Linux systems. At this time, we believe ShadowGuard is unique to this threat group.

Why eBPF Rootkits Are Stealthy

eBPF backdoors are notoriously difficult to detect because they run entirely inside the kernel’s trusted environment. Unlike traditional modules, eBPF programs don’t appear as separate components. Instead, they execute within the kernel’s BPF virtual machine, allowing attackers to intercept and manipulate system functions and audit logs before security tools can capture the real data.

ShadowGuard’s Capabilities

ShadowGuard uses eBPF to deliver advanced stealth features:

  • Kernel-level concealment: Hides process details directly at the kernel level.
  • Process hiding via syscall interception: Intercepts system calls and uses custom kill signals to identify which processes should be hidden.
  • PID invisibility: Can conceal up to 32 processes at once, making them invisible to user-space tools like ps aux.
  • File and directory hiding: Hard-coded to hide files and directories named swsecret.
  • Allow-listing: Includes a mechanism to exempt certain processes from hiding, ensuring attacker-controlled applications remain visible and functional.
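The PID-hiding capability above can be checked for with a cross-view comparison. The script below is an added example, not code from the page or from Palo Alto: it assumes the rootkit filters the directory listing of /proc that ps relies on but does not block a direct lookup of /proc/<pid>, and it filters out plain threads (whose /proc/<tid> entries are legitimately absent from the listing) and processes that exited between the two views. A rootkit that also intercepts direct path lookups would evade this check.

```python
import os

PROC = "/proc"

def listed_pids(proc=PROC):
    """PIDs visible through a directory listing of /proc (the view of ps, top, ...)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probed_pids(proc=PROC, max_pid=None):
    """PIDs found by probing /proc/<pid> one by one, bypassing the listing."""
    if max_pid is None:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
            max_pid = int(fh.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(pid)))}

def tgid(pid, proc=PROC):
    """Thread-group id from /proc/<pid>/status; /proc/<tid> resolves for plain
    threads too, and those must not be mistaken for hidden processes."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def hidden_pids(listed, probed, still_hidden=lambda pid: True):
    """PIDs reachable directly but missing from the listing. still_hidden()
    re-checks each candidate so races (exit/start between views) are dropped."""
    return {pid for pid in probed - listed if still_hidden(pid)}

def scan(proc=PROC):
    """Cross-view scan of the live host; returns the set of hidden PIDs."""
    listed, probed = listed_pids(proc), probed_pids(proc)
    def still_hidden(pid):
        # Must be a thread-group leader, still alive, and still absent from a fresh listing.
        return tgid(pid, proc) == pid and pid not in listed_pids(proc)
    return hidden_pids(listed, probed, still_hidden)

def describe(pid, proc=PROC):
    """Best-effort command line of a hidden PID for the analyst's report."""
    try:
        with open(os.path.join(proc, str(pid), "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip() or "<empty>"
    except OSError:
        return "<unreadable>"

if __name__ == "__main__":
    for pid in sorted(scan()):
        print(f"hidden pid {pid}: {describe(pid)}")
```

Probing the full pid_max range takes a few seconds in Python; run it as root so every /proc/<pid>/status is readable.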

Startup Checks

When launched, ShadowGuard automatically verifies:

  • Root privileges
  • eBPF support
  • Tracepoint support

These checks ensure the rootkit only runs in environments where it can fully leverage kernel-level stealth.

Implications

ShadowGuard represents a significant advancement in attacker tradecraft. By embedding itself invisibly into the kernel, it enables long-term persistence, evasion of detection, and manipulation of system visibility. For defenders, this underscores the urgent need to strengthen monitoring and detection capabilities for eBPF-based threats—an area where traditional security tools often fall short.
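One concrete piece of the eBPF monitoring called for above is an inventory of loaded programs that can hook syscalls or kernel events. The script below is an added example and not code from the page or from Palo Alto: it parses the JSON that `bpftool prog show --json` emits, flags programs of hooking types that are not held by an allow-listed loader process, and separately marks programs with no holding process at all, since those must be pinned somewhere to outlive their loader. The sample input and the loader names in it are constructed for illustration.

```python
import json

# eBPF program types that can observe or alter syscalls and kernel events;
# process and file hiding of the kind described on this page needs one of these.
HOOK_TYPES = {"tracepoint", "raw_tracepoint", "kprobe", "lsm"}

def suspicious_bpf_programs(bpftool_json, known_loaders=frozenset()):
    """Parse `bpftool prog show --json` output and return hook-type programs
    not fully accounted for by allow-listed loader processes."""
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOK_TYPES:
            continue
        holders = {p.get("comm", "?") for p in prog.get("pids", [])}
        if holders and holders <= known_loaders:
            continue  # every process holding this program is an approved tool
        findings.append({
            "id": prog["id"],
            "name": prog.get("name", ""),
            "type": prog["type"],
            "holders": sorted(holders),
            # No holder means the program is pinned (bpffs or a pinned link)
            # so that it survives its loader exiting: worth a look on its own.
            "orphaned": not holders,
        })
    return findings

# Constructed sample in the shape bpftool emits; not real output from any host.
SAMPLE = json.dumps([
    {"id": 7, "type": "cgroup_skb", "name": "egress_filter",
     "pids": [{"pid": 311, "comm": "systemd"}]},
    {"id": 12, "type": "kprobe", "name": "open_monitor",
     "pids": [{"pid": 4021, "comm": "edr-agent"}]},
    {"id": 42, "type": "tracepoint", "name": "hide_proc",
     "pids": [{"pid": 5150, "comm": "kworkerd"}]},
    {"id": 43, "type": "tracepoint", "name": "hide_dir", "pids": []},
])

if __name__ == "__main__":
    # On a live host: bpftool prog show --json | python3 this_script.py
    for finding in suspicious_bpf_programs(SAMPLE, known_loaders={"edr-agent"}):
        print(finding)
```

Keep the allow-list to the exact comm names of your own observability and security agents; an unexpected holder name that imitates a kernel thread is a finding, not noise.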

Indicators of Compromise

Phishing/Downloader SHA256

  • 66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0
  • 23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe

ShadowGuard SHA256

  • 7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d

CVE-2019-11580 Exploit SHA256

  • 9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4
