70 Orgs Hacked Across 37 Countries — And the Vendor That Found It Won’t Say Who Did It
Unit 42's Shadow Campaigns report exposes massive state espionage. Reuters says Palo Alto stripped the China attribution. Here's why it doesn't matter.
Don’t Hack On Me — Signal
February 15, 2026
The Story
Palo Alto’s Unit 42 dropped a report on February 5 detailing what they’re calling the “Shadow Campaigns” — a state-aligned cyberespionage operation that compromised over 70 organizations across 37 countries in the past year. The group, tracked as TGR-STA-1030 (also known as UNC6619), has been active since at least January 2024 and hit some of the highest-value targets on the board: national law enforcement agencies, ministries of finance and foreign affairs, a parliament, a senior elected official, and national telecom providers. Between November and December 2025 alone, they conducted active reconnaissance against government infrastructure in 155 countries. That’s roughly four in five nations on earth.
The technical details are serious. The group deployed a previously unknown Linux rootkit called ShadowGuard. It is built on eBPF, so its code runs inside the kernel as BPF programs rather than as a loadable kernel module: nothing shows up in lsmod or /proc/modules, and tooling that only watches module loads never fires. It can hide up to 32 processes simultaneously, intercept system calls, and conceal files and directories. They also rotated through Cobalt Strike, VShell (a Go-based C2), Havoc, SparkRat, and Sliver across different phases of the campaign. Their persistence toolkit included Behinder and Godzilla web shells, plus GOST and FRPS tunneling tools.
Here’s where it gets interesting — and where the story becomes about more than just TTPs. Unit 42’s published report attributed TGR-STA-1030 to a “state-aligned group that operates out of Asia” with “activity patterns aligned with GMT+8.” That’s deliberately vague. On February 12, Reuters reported that the original draft of the report attributed the campaign to China. According to Reuters, Palo Alto Networks executives — not the researchers — ordered the attribution stripped. The reason: fear of retaliation from Beijing. Palo Alto has five offices in China and was among roughly 15 U.S. and Israeli cybersecurity firms that China has banned on national security grounds. The company denied the claims.
Source: The Shadow Campaigns: Uncovering Global Espionage (Unit 42, February 5, 2026)
Who’s Covering This
Reuters — Broke the exclusive that Palo Alto execs overrode researchers and stripped China attribution from the report due to fear of retaliation from Beijing. The real story behind the story. (February 12, 2026)
BleepingComputer — Emphasizes the reconnaissance scope: 155 countries scanned, 37 compromised, critical infrastructure across the board. (February 5, 2026)
SecurityWeek — Focuses on victim types — ministries, law enforcement, border control — and the ShadowGuard rootkit discovery. (February 5, 2026)
The Hacker News — Technical breakdown of the breach scale, phishing lures, and the Diaoyu loader malware. (February 6, 2026)
SC Media — Covers the attribution controversy angle — corporate self-censorship in threat intelligence reporting. (February 2026)
What Does This Mean to Me?
If you’re in security operations: Here’s the thing that matters most: this group used no zero-days. Every exploit in their toolkit was an N-day — known vulnerabilities with patches available, some dating back to 2019. They weaponized Microsoft Exchange RCE, SAP Solution Manager privilege escalation, Atlassian Crowd (CVE-2019-11580), and D-Link RCE, among others. A state-aligned group that compromised 70+ organizations across 37 countries did it with bugs you’ve had patches for. That’s your action item. Check your exposure against the CVEs listed in the Unit 42 report. Hunt for the IOCs — they published IP addresses, domains, and file hashes. And if you’re running Linux infrastructure, understand that eBPF-based rootkits like ShadowGuard represent a real detection gap. Anything that only watches for loaded kernel modules (lsmod, /proc/modules, module-load events) will come back clean, because there is no module. You need visibility into the bpf() syscall and into which eBPF programs and maps are loaded right now, whether that comes from bpftool, auditd rules on the bpf syscall, or an EDR agent that exposes them. Start looking at eBPF monitoring capabilities in your stack, and baseline what your own tooling legitimately loads so you can tell an unexpected kprobe from your own agent.
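One way to start closing that gap, as an added example that is not part of the Unit 42 report or the original post: a small triage script that parses the JSON from `bpftool prog show -j` and flags tracing-type eBPF programs that have no owning process, an owner outside an allowlist, no name, or a name that points at the kernel paths a process- or file-hiding rootkit has to tamper with. The JSON field names (`id`, `type`, `name`, `pids[].comm`, `pinned`), the allowlist of loaders and the list of sensitive hook names are the author's assumptions and should be checked against your own bpftool version and fleet; the sample data is constructed, not real telemetry.

```python
"""Triage the eBPF programs loaded on a Linux host for rootkit-like hooks.

Added example, not code from the Unit 42 report. It parses the JSON that
`bpftool prog show -j` emits and flags tracing-type programs with no owner,
an unlisted owner, no name, or a name pointing at the kernel paths a
process/file-hiding rootkit has to tamper with. JSON field names
(id, type, name, pids[].comm, pinned) follow bpftool's output as the
author understands it; verify them against your own bpftool version.
"""
import json
import subprocess
import sys

# Program types that hook kernel execution paths rather than packets.
# Networking types (xdp, sched_cls, cgroup_skb, ...) are skipped on purpose.
HOOKING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Loaders that legitimately attach tracing programs on this fleet.
# Assumption: tune to your environment (EDR agent, falco, tetragon, ...).
ALLOWED_LOADERS = {"falco", "tetragon", "tracee"}

# Kernel paths a rootkit must touch to hide processes, files or sockets.
# Names are attacker-controlled, so a hit is a hint and a miss proves nothing.
SENSITIVE_HINTS = ("getdents", "openat", "readlink", "kill", "seq_show")


def flag_programs(progs):
    """Return [(prog_id, [reasons])] for loaded programs that merit a look."""
    findings = []
    for p in progs:
        if p.get("type") not in HOOKING_TYPES:
            continue
        reasons = []
        owners = {o.get("comm", "") for o in p.get("pids", [])}
        if not owners:
            where = ", ".join(p.get("pinned", [])) or "not pinned"
            reasons.append(f"no owning process ({where})")
        elif not owners & ALLOWED_LOADERS:
            reasons.append(f"loaded by unlisted process {sorted(owners)}")
        name = p.get("name", "")
        if not name:
            reasons.append("unnamed program")
        elif any(h in name for h in SENSITIVE_HINTS):
            reasons.append(f"hooks a path rootkits tamper with ({name})")
        if reasons:
            findings.append((p.get("id"), reasons))
    return findings


def loaded_programs():
    """Ask the live kernel. Needs bpftool and root (or CAP_BPF + CAP_SYS_ADMIN)."""
    out = subprocess.run(["bpftool", "prog", "show", "-j"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample in bpftool's JSON shape; not real telemetry.
SAMPLE = json.loads("""[
 {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress",
  "pids": [{"pid": 1, "comm": "systemd"}]},
 {"id": 40, "type": "kprobe", "name": "falco_sys_enter",
  "pids": [{"pid": 2210, "comm": "falco"}]},
 {"id": 77, "type": "tracepoint", "name": "tp_sys_enter_getdents64", "pids": []},
 {"id": 78, "type": "kprobe", "name": "",
  "pids": [{"pid": 31337, "comm": "kworker/u8:0"}], "pinned": ["/sys/fs/bpf/.x"]}
]""")

if __name__ == "__main__":
    progs = SAMPLE if "--sample" in sys.argv else loaded_programs()
    for prog_id, reasons in flag_programs(progs):
        print(f"prog {prog_id}: " + "; ".join(reasons))
```

Run it with `--sample` to see the two constructed hits (77 and 78), or without arguments as root against the live kernel. Two caveats: the `pids` field only appears when bpftool can use BPF iterators, so on older kernels treat a missing field as "unknown" rather than "orphaned"; and a rootkit that already intercepts syscalls on the host may tamper with the enumeration itself, so a clean result from the affected box is weaker evidence than an off-box audit trail of bpf() calls, for example an auditd rule such as `-a always,exit -F arch=b64 -S bpf -k bpf_load` shipped to your SIEM and diffed against the baseline of what your own agents load.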
If you’re in leadership: The attribution controversy is worth paying attention to — but not for the reasons the headlines suggest. Reuters reporting that Palo Alto stripped China attribution under corporate pressure is a reminder that threat intelligence from vendors is filtered through commercial interests. That’s always been true, but it’s rarely this visible. Factor that into how you consume vendor threat intel.
But here’s the bigger point: it doesn’t matter who the adversary is. Whether this is China, Russia, or anyone else operating out of GMT+8 — the vulnerabilities they exploited are the same. The patches are the same. The defensive actions are the same. We spend too much time in this industry debating flags and not enough time patching the CVEs from 2019 that state-sponsored groups are still using to walk through the front door. The targeting in this campaign aligned with geopolitical interests — rare earth mining deals, diplomatic pressure points, trade negotiations — but the exploitation was pure opportunism against unpatched systems. Attribution is interesting. Patching is what keeps you from being in the next report.
The bigger picture: A state-aligned espionage group hit 70 organizations across 37 countries using nothing but known vulnerabilities, commodity C2 frameworks, and one novel rootkit. They compromised parliaments, ministries, and law enforcement agencies. And, if Reuters has it right, when the researchers who discovered it tried to tell the world who did it, corporate leadership said no. Every part of that should bother you — but the part you can actually control is whether your systems are patched. Start there.
Stay alert. Don’t let them hack on you.
This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.