unit42.paloaltonetworks.com/shadow-ca… This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year. Further, between November and December 2025, we observed the group conducting active reconnaissance against government infrastructure associated with 155 countries. This group primarily targets government ministries and departments. For example, the group has successfully compromised:
Five national-level law enforcement/border control entities Three ministries of finance and various other government ministries Departments globally that align with economic, trade, natural resources and diplomatic functions
