Executive Summary

  • This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030.
  • We refer to the group’s activity as the Shadow Campaigns.
  • We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia.
  • Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries.
  • This means that approximately one out of every five countries has experienced a critical breach from this group in the past year.
  • Further, between November and December 2025, we observed the group conducting active reconnaissance against government infrastructure associated with 155 countries.

Article Summaries:

  • Summary

Unit 42’s latest report identifies a new state-aligned cyberespionage group, TGR-STA-1030 (also known as UNC6619), operating from Asia. Over the past year, the group has compromised critical government and infrastructure entities in 37 countries (about one in five nations) and conducted reconnaissance against 155 countries between November and December 2025. Targets include ministries of finance, law enforcement, border control, and departments handling economic, trade, natural resources, and diplomatic functions. Unit 42 has shared technical indicators and defensive guidance with industry peers and notified affected entities, offering assistance through responsible disclosure. The report details the group’s phishing, exploitation techniques, and infrastructure, emphasizing its focus on countries pursuing specific economic partnerships.

Sources: