The Shadow Campaigns: Uncovering Global Espionage
ID: 5c476c95-cb2c-5c7a-aa4e-6ed678fa7d2d
STIX ID: report--5c476c95-cb2c-5c7a-aa4e-6ed678fa7d2d
Feed Name: Palo Alto Networks Unit 42
Unit 42 attributes a large-scale, state-aligned cyberespionage campaign (TGR-STA-1030 / “Shadow Campaigns”) active since at least 2024 that has compromised government and critical-infrastructure organizations in 37 countries. The report documents phishing and exploitation tradecraft, payloads (Diaoyu loader, Cobalt Strike), a novel Linux eBPF rootkit (ShadowGuard), C2 tooling and infrastructure, and targeted victimology, and it provides IoCs and defensive guidance.
