Rectifyq📃Title: The Shadow Campaigns: Uncovering Global Espionage
📅Date: 2026-02-05
🔗References:
Description
This investigation reveals a new cyberespionage group tracked as TGR-STA-1030, believed to be a state-aligned actor operating from Asia. Over the past year, the group has compromised government and critical infrastructure organizations in 37 countries, targeting ministries, law enforcement agencies, and departments related to economic, trade, and diplomatic functions. The group employs sophisticated phishing and exploitation techniques, leveraging various tools and infrastructure to maintain persistent access. Their activities span across the Americas, Europe, Asia, Oceania, and Africa, with a focus on countries exploring certain economic partnerships. The group’s operations often coincide with significant geopolitical events and economic interests, particularly in sectors like rare earth minerals and international trade agreements.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
- action-taken: diamond-model
🔖MISP Galaxies:
- producer Palo-Alto
- target-information=“United States”
- target-information=“United Kingdom”
- target-information=“Singapore”
- target-information=“Brazil”
- target-information=“Mexico”
- target-information=“Panama”
- target-information=“Cyprus”
- target-information=“Czech Republic”
- target-information=“Germany”
- target-information=“Greece”
- target-information=“Italy”
- target-information=“Poland”
- target-information=“Portugal”
- target-information=“Serbia”
- target-information=“Afghanistan”
- target-information=“Bangladesh”
- target-information=“British Indian Ocean Territory”
- target-information=“India”
- target-information=“Indonesia”
- target-information=“Japan”
- target-information=“Malaysia”
- target-information=“Mongolia”
- target-information=“Papua New Guinea”
- target-information=“Saudi Arabia”
- target-information=“Sri Lanka”
- target-information=“Taiwan”
- target-information=“Thailand”
- target-information=“Uzbekistan”
- target-information=“Djibouti”
- target-information=“Ethiopia”
- target-information=“Namibia”
- target-information=“Niger”
- target-information=“Nigeria”
- target-information=“Zambia”
- target-information=“Bolivia”
- target-information=“Venezuela”
- sector=“Government, Administration”
- sector=“Finance”
- malpedia=“Cobalt Strike”
- online-service=“4605654f-8487-4d17-bfbb-bbcc223281d5”
- online-service=“3b16bb5a-eb4f-4603-a909-bebc5df4a46d”
- malpedia=“Havoc”
- malpedia=“Sliver”
- malpedia=“SparkRAT”
- malpedia=“Vshell”
- mitre-attack-pattern=[‘T1204.002’, ‘T1584.003’, ‘T1190’, ‘T1583.001’, ‘T1021.002’, ‘T1505.003’, ‘T1583.004’, ‘T1090’, ‘T1059’, ‘T1583.003’, ‘T1102’, ‘T1588.002’, ‘T1566’, ‘T1078’, ‘T1027’, ‘T1584.004’, ‘T1105’, ‘T1021.001’, ‘T1204.001’, ‘T1584.001’]
MISP event uuid: 14c1cdc4-4306-4f92-9f44-7d6b5ea0d20e
Indicator of Compromise (IoCs)
type,value,comment
ip-dst, 138.197.44.208, ''
ip-dst, 157.230.34.45, ''
ip-dst, 188.127.251.171, ''
ip-dst, 188.166.210.146, ''
sha256, 7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d, 'ShadowGuard No sample in VT\r\nLast check:07/02/2026'
ip-dst, 142.91.105.172, ''
ip-dst, 146.190.152.219, ''
ip-dst, 157.245.194.54, ''
ip-dst, 159.203.164.101, ''
ip-dst, 178.128.109.37, ''
ip-dst, 178.128.60.22, ''
ip-dst, 208.85.21.30, ''
domain, 888910.xyz, ''
domain, abwxjp5.me, ''
domain, brackusi0n.live, ''
domain, dog3rj.tech, ''
domain, emezonhe.me, ''
domain, gouvn.me, ''
domain, msonline.help, ''
domain, pickupweb.me, ''
domain, pr0fu5a.me, ''
domain, q74vn.live, ''
domain, servgate.me, ''
domain, zamstats.me, ''
domain, zrheblirsy.me, ''
ip-dst, 159.65.156.200, ''
url, https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/admin-bar-sprite.png, 'the malware downloads the following files from GitHub'
url, https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/Linux.jpg, 'the malware downloads the following files from GitHub'
url, https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/Windows.jpg, 'the malware downloads the following files from GitHub'
Full IOCs available in Rectifyq's MISP```