The Shadow Campaigns: Uncovering Global Espionage

    Date: 02/05/2026

    Severity: High

    Summary

    The Shadow Campaigns reveal a highly sophisticated, state-aligned cyberespionage group tracked as TGR-STA-1030, assessed to operate out of Asia and responsible for extensive compromises of government and critical infrastructure organizations worldwide. Over the past year, the group breached entities across 37 countries and conducted large-scale reconnaissance against government infrastructure in 155 countries, primarily targeting law enforcement, finance ministries, and departments tied to economic, trade, natural resource, and diplomatic functions. This pattern points to a globally coordinated espionage effort driven by strategic economic and geopolitical interests.

    Indicators of Compromise (IOC) List

    URLs/Domains


    IP Address


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "q74vn.live" or siteurl like "q74vn.live" or url like "q74vn.live" or domainname like "zrheblirsy.me" or siteurl like "zrheblirsy.me" or url like "zrheblirsy.me" or domainname like "servgate.me" or siteurl like "servgate.me" or url like "servgate.me" or domainname like "pickupweb.me" or siteurl like "pickupweb.me" or url like "pickupweb.me" or domainname like "pr0fu5a.me" or siteurl like "pr0fu5a.me" or url like "pr0fu5a.me" or domainname like "dog3rj.tech" or siteurl like "dog3rj.tech" or url like "dog3rj.tech" or domainname like "emezonhe.me" or siteurl like "emezonhe.me" or url like "emezonhe.me" or domainname like "brackusi0n.live" or siteurl like "brackusi0n.live" or url like "brackusi0n.live" or domainname like "msonline.help" or siteurl like "msonline.help" or url like "msonline.help" or domainname like "zamstats.me" or siteurl like "zamstats.me" or url like "zamstats.me" or domainname like "gouvn.me" or siteurl like "gouvn.me" or url like "gouvn.me" or domainname like "abwxjp5.me" or siteurl like "abwxjp5.me" or url like "abwxjp5.me"

    Detection Query 2:

    dstipaddress IN ("188.166.210.146","157.245.194.54","159.65.156.200","159.203.164.101","188.127.251.171","157.230.34.45","138.197.44.208","142.91.105.172","146.190.152.219","178.128.60.22","178.128.109.37","208.85.21.30") or srcipaddress IN ("188.166.210.146","157.245.194.54","159.65.156.200","159.203.164.101","188.127.251.171","157.230.34.45","138.197.44.208","142.91.105.172","146.190.152.219","178.128.60.22","178.128.109.37","208.85.21.30")

    Detection Query 3:

    sha256hash IN ("66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0","182a427cc9ec22ed22438126a48f1a6cd84bf90fddb6517973bcb0bac58c4231","5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe","23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe","293821e049387d48397454d39233a5a67d0ae06d59b7e5474e8ae557b0fc5b06","358ca77ccc4a979ed3337aad3a8ff7228da8246eebc69e64189f930b325daf6a","c876e6c074333d700adf6b4397d9303860de17b01baa27c0fa5135e2692d3d6f","5ddeff4028ec407ffdaa6c503dd4f82fa294799d284b986e1f4181f49d18c9f3","b2a6c8382ec37ef15637578c6695cb35138ceab42ce4629b025fa4f04015eaf2","7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d","9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4")
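    As an added example (not part of this advisory or of Gurucul's own tooling), the three checks above expressed in Python and run offline over constructed sample events; the IOC values are a subset of those in Detection Queries 1-3, the field names follow the queries, and the host matching treats a domain as matched only when the event host equals it or is a subdomain of it.

```python
from urllib.parse import urlsplit

# IOC values taken from Detection Queries 1-3 above (a subset of each list).
IOC_DOMAINS = {"q74vn.live", "zrheblirsy.me", "servgate.me", "msonline.help", "gouvn.me"}
IOC_IPS = {"188.166.210.146", "157.245.194.54", "208.85.21.30"}
IOC_SHA256 = {"66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0"}

def host_of(value):
    """Extract the lowercased hostname from a bare domain or a full URL."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/")[0].lower()

def domain_hit(value, iocs=IOC_DOMAINS):
    """Query 1 counterpart: host equals an IOC domain or is a subdomain of it.
    Matching whole labels rather than a loose substring keeps a lookalike such
    as fakemsonline.help (constructed) from being flagged."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in iocs)

def match_event(event):
    """Return the numbers of the queries (1, 2, 3) that this event would trigger."""
    hits = []
    if any(domain_hit(event.get(f, "")) for f in ("domainname", "siteurl", "url")):
        hits.append(1)  # Query 1: domainname / siteurl / url fields
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:
        hits.append(2)  # Query 2: either endpoint is a listed address
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append(3)  # Query 3: file hash, compared case-insensitively
    return hits

# Constructed sample events using the field names the queries use; not real telemetry.
SAMPLE_EVENTS = [
    {"url": "https://q74vn.live/update.php", "srcipaddress": "10.0.0.5",
     "dstipaddress": "208.85.21.30"},
    {"domainname": "cdn.gouvn.me"},
    {"domainname": "fakemsonline.help"},
    {"sha256hash": "66EC547B97072828534D43022D766E06C17FC1CAFE47FBD9D1FFC22E2D52A9C0"},
    {"url": "https://example.com/", "dstipaddress": "192.0.2.10"},
]

def scan(events=SAMPLE_EVENTS):
    """Return (index, triggered query numbers) for every event that matches."""
    return [(i, match_event(e)) for i, e in enumerate(events) if match_event(e)]

if __name__ == "__main__":
    for i, hits in scan():
        print(f"event {i}: matches query {hits}")
```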

    Reference:

    https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/


    Tags

    Threat Actor, APT, Cyber Espionage, Government Services and Facilities, Critical Infrastructure, Financial Services
