Find notable cyber news and cases, enriched with sources, timelines, and signals.

TGR-STA-1030/UNC6619 Shadow Campaigns espionage operation

Campaign
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The TGR-STA-1030/UNC6619 operation Shadow Campaigns expanded a state-sponsored espionage effort that compromised at least 70 organizations across 37 countries, increasing risk to government and critical infrastructure networks. The activity also reached government entities connected to 155 countries through broader reconnaissance. Initial access relied on phishing, malicious archives, and exploitation of at least 15 known vulnerabilities.

Related Happenings

StrikeShark SharkLoader and Cobalt Strike Beacon campaign

Campaign
H score42 First: 26.06.2026 21:17 Last: 26.06.2026 21:17 Sources 1

About this happening: The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...

CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT

Campaign
H score18 First: 26.06.2026 13:30 Last: 26.06.2026 13:30 Sources 1

About this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...

Earth Lusca Operation FishMedley espionage campaign

Campaign
H score38 First: 16.06.2026 12:44 Last: 16.06.2026 12:44 Sources 1

About this happening: A **multi-country espionage campaign** tied to **Earth Lusca / FishMonger** is now linked to **Operation FishMedley**, a **January–October 2022** effort that reached **seven organ...

OceanLotus SPECTRALVIPER campaigns targeting Vietnam

Campaign
H score33 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

About this happening: **OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...

First VPN had assets seized in First VPN takedown

Law Enforcement
H score17 First: 21.05.2026 18:30 Last: 21.05.2026 18:30 Sources 1

About this happening: Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...

Timeline

  1. 07.02.2026 17:09 1 articles · 5mo ago

    Shadow Campaigns espionage overview

    Initial Disclosure

    Palo Alto Networks Unit 42 describes a state-sponsored espionage campaign tracked as TGR-STA-1030/UNC6619 and dubbed Shadow Campaigns that has been active since at least January 2024, compromised at least 70 government and critical infrastructure organizations across 37 countries, and involved reconnaissance against government entities connected to 155 countries. The operation targeted ministries, law enforcement, border control, finance, trade, energy, mining, immigration, diplomatic agencies, and other government and critical infrastructure organizations, using tailored phishing emails with Mega.nz-hosted malicious archives containing Diaoyu, which could fetch Cobalt Strike and VShell after analysis-evasion checks, while also leveraging at least 15 known vulnerabilities and a custom Linux eBPF rootkit called ShadowGuard.

    Show sources