Unit 42 reveals a state-aligned cyber espionage campaign by TGR-STA-1030 (also tracked as UNC6619) that infiltrated government networks across 37 countries and compromised at least 70 organizations, focusing on finance ministries, law enforcement, and critical infrastructure. The Asia-based group times its operations to geopolitical events and relies on targeted phishing that links to malicious archives hosted on mega.nz, the Diaoyu Loader with sandbox evasion, and ShadowGuard, a kernel-level eBPF Linux rootkit that hides the group's processes. #TGR-STA-1030 #DiaoyuLoader
Keypoints
- Unit 42 links TGR-STA-1030 (UNC6619) to espionage across 37 countries and at least 70 compromised organizations.
- The group times intrusions to coincide with geopolitical events such as elections, diplomatic visits, and mining disputes.
- Primary access is gained via targeted phishing campaigns using malicious archives hosted on mega.nz.
- Malware includes Diaoyu Loader, which evades sandboxes by refusing to run unless an auxiliary file (pic1.png) is present, so a sandbox that detonates the loader on its own sees no malicious behaviour, and ShadowGuard, a kernel-level eBPF Linux rootkit that hides process IDs from the tools defenders use to list them.
- Digital indicators—GMT+8 activity patterns, regional tooling, language settings, and a “JackMa” handle—point to an Asia-based operator.
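A rootkit that hides process IDs by tampering with directory listings of /proc can be caught by enumerating PIDs a second way that does not go through readdir (getdents64). The script below is an added example for this write-up, not code from Unit 42 or from the ShadowGuard sample itself; it assumes the rootkit hides PIDs only from directory listings (a rootkit that also filters stat()/openat() on /proc/<pid> would defeat this check), and the constructed sets used in the worked call are illustrative, not data from the report.

```python
"""Cross-view check for PIDs hidden from /proc directory listings.

Added example (not Unit 42's or ShadowGuard's code). Assumption: the
rootkit filters entries out of readdir()/getdents64 results, which is
what ps, top and `ls /proc` rely on, but does not block direct access
to /proc/<pid>. Comparing the two views exposes the hidden PIDs.
"""
import os

PID_MAX_PATH = "/proc/sys/kernel/pid_max"


def read_pid_max(path=PID_MAX_PATH, default=32768):
    """Upper bound for the brute-force probe; falls back if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def listed_pids(proc="/proc"):
    """PIDs as a readdir()-based tool sees them (the view a rootkit tampers with)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(pid_max, proc="/proc"):
    """PIDs found by touching /proc/<pid> directly, bypassing getdents64.

    This is a full sweep up to pid_max (often 4194304), so it takes a few
    seconds; that cost is acceptable for an incident-response check.
    """
    found = set()
    for pid in range(1, pid_max + 1):
        if os.path.isdir(os.path.join(proc, str(pid))):
            found.add(pid)
    return found


def hidden_pids(listed, probed):
    """PIDs present on the system but absent from the directory listing.

    Returns a sorted list so results are stable for reporting/assertions.
    Transient differences can come from processes that exited between the
    two scans; re-run and keep only PIDs that stay hidden across runs.
    """
    return sorted(probed - listed)


def stable_hidden(runs=2):
    """Run the cross-view check several times and keep PIDs hidden every time."""
    pid_max = read_pid_max()
    surviving = None
    for _ in range(runs):
        diff = set(hidden_pids(listed_pids(), probed_pids(pid_max)))
        surviving = diff if surviving is None else surviving & diff
    return sorted(surviving)


if __name__ == "__main__":
    # Worked call on constructed data: a listing that omits PID 4 while the
    # direct probe still finds it. Output: [4]
    print(hidden_pids({1, 2, 3}, {1, 2, 3, 4}))
    # Live check on this host (needs a Linux /proc).
    print("hidden PIDs:", stable_hidden())
```

Treat any PID that stays hidden across runs as a high-priority lead and pivot to the loaded-program view as well: on a box with bpftool, `bpftool prog list` and `bpftool link list` show attached eBPF programs, and a tracing-type program attached to getdents64 that no installed agent accounts for is exactly what this cross-view discrepancy would point at.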
Read More: https://securityonline.info/jackma-shadowguard-tgr-sta-1030-spies-on-37-nations-via-linux-rootkit/