Over the past year, an Asian cyber-espionage group carried out a massive global hacking campaign, compromising the critical infrastructure of some 37 foreign governments, according to a new report.
The primary targets were government departments and ministries, including those pertaining to trade, natural resources, border control and diplomacy. The operation also affected one country’s parliament and multiple national police organizations.
“Its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services,” Palo Alto Networks, a cybersecurity firm, said in a lengthy report published on Thursday.
Espionage seems to have been the main motivation for the attacks, as hackers regularly sought access to email communications, Pete Renals, the director of national security programs with Unit 42, the firm’s threat intelligence division, told Bloomberg.
The U.S. government was not affected by the campaign, but the Cybersecurity and Infrastructure Security Agency said it is aware of the attacks and is collaborating with partners to patch up any existing vulnerabilities.
The group’s activity — referred to as “Shadow Campaigns” — was first identified by Palo Alto Networks in early 2025, amid the investigation of several phishing campaigns against European governments. The firm’s subsequent probe revealed the group had been active since January 2024.
While the firm stopped short of naming a specific country, it said the hacks originated from a “state-aligned group that operates out of Asia.”
It based this conclusion on the use of language settings, certain regional tools and the hacking of assets that “align with events and intelligence of interest to the region.” One campaign took place after the Czech president Petr Pavel met with the Dalai Lama — who has been condemned as a separatist by the Chinese government.
The campaign is the largest cyber-espionage operation conducted by a state-aligned group since the SolarWinds breach in 2020, according to Axios.
Among the nations impacted were Mexico, Brazil, Germany, Italy, India, Indonesia, Japan and Mongolia. A total of 70 state-aligned organizations were compromised.
Hackers targeted Brazil’s Ministry of Mines and Energy, per Palo Alto Networks. The South American nation is believed to have one of the world’s largest supplies of rare earth minerals.
“As Asian companies tighten their global control on these resources, the U.S. has begun looking to Brazil for alternative sourcing,” the firm said.
Two of Mexico’s ministries were affected in hacks likely related to global trade agreements, while government infrastructure in Panama was also impacted.
“Perhaps the most pronounced reconnaissance occurred on Oct. 31, 2025, when we observed connections to at least 200 IP addresses hosting Government of Honduras infrastructure,” the firm said. This activity came just days before the country’s election, which featured candidates who favored returning to diplomatic relations with Taiwan.
Last year, the group reportedly also ramped up its focus on European nations, directing a concerted effort at Germany over the summer. Nearly 500 IP addresses connected to government infrastructure were hit.
And, in August, the cyber group zeroed in on the Czech Republic after its president met with the Dalai Lama in India. Months later, after it was reported that Petr Pavel would attend the religious leader’s 90th birthday gala, another round of scanning targeted the president’s website.
The “Shadow Campaigns” are also believed to have compromised state entities in Cyprus, Greece, Poland, Portugal and Serbia.



