TGR-STA-1030/UNC6619 Shadow Campaigns espionage operation
Campaign
Summary
Hide ▲
Show ▼
The TGR-STA-1030/UNC6619 operation Shadow Campaigns expanded a state-sponsored espionage effort that compromised at least 70 organizations across 37 countries, increasing risk to government and critical infrastructure networks. The activity also reached government entities connected to 155 countries through broader reconnaissance. Initial access relied on phishing, malicious archives, and exploitation of at least 15 known vulnerabilities.
Related Happenings
StrikeShark SharkLoader and Cobalt Strike Beacon campaign
Campaign
H score42
First: 26.06.2026 21:17
Last: 26.06.2026 21:17
Sources 1
About this happening:
The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...
StrikeShark SharkLoader and Cobalt Strike Beacon campaign
CampaignAbout this happening: The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
Campaign
H score18
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
CampaignAbout this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
Earth Lusca Operation FishMedley espionage campaign
Campaign
H score38
First: 16.06.2026 12:44
Last: 16.06.2026 12:44
Sources 1
About this happening:
A **multi-country espionage campaign** tied to **Earth Lusca / FishMonger** is now linked to **Operation FishMedley**, a **January–October 2022** effort that reached **seven organ...
Earth Lusca Operation FishMedley espionage campaign
CampaignAbout this happening: A **multi-country espionage campaign** tied to **Earth Lusca / FishMonger** is now linked to **Operation FishMedley**, a **January–October 2022** effort that reached **seven organ...
OceanLotus SPECTRALVIPER campaigns targeting Vietnam
Campaign
H score33
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
**OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...
OceanLotus SPECTRALVIPER campaigns targeting Vietnam
CampaignAbout this happening: **OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...
First VPN had assets seized in First VPN takedown
Law Enforcement
H score17
First: 21.05.2026 18:30
Last: 21.05.2026 18:30
Sources 1
About this happening:
Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...
First VPN had assets seized in First VPN takedown
Law EnforcementAbout this happening: Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...
Timeline
-
07.02.2026 17:09 1 articles · 5mo ago
Shadow Campaigns espionage overview
Initial DisclosurePalo Alto Networks Unit 42 describes a state-sponsored espionage campaign tracked as TGR-STA-1030/UNC6619 and dubbed Shadow Campaigns that has been active since at least January 2024, compromised at least 70 government and critical infrastructure organizations across 37 countries, and involved reconnaissance against government entities connected to 155 countries. The operation targeted ministries, law enforcement, border control, finance, trade, energy, mining, immigration, diplomatic agencies, and other government and critical infrastructure organizations, using tailored phishing emails with Mega.nz-hosted malicious archives containing Diaoyu, which could fetch Cobalt Strike and VShell after analysis-evasion checks, while also leveraging at least 15 known vulnerabilities and a custom Linux eBPF rootkit called ShadowGuard.
Show sources
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09