State actor targets 155 countries in ‘Shadow Campaigns’ espionage op

A state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 conducted a global espionage operation dubbed “Shadow Campaigns,” compromising at least 70 government and critical infrastructure organizations across 37 countries and carrying out reconnaissance against entities in 155 countries. The group relied on tailored phishing lures that delivered Mega.nz-hosted archives, the Diaoyu loader (which in turn deployed Cobalt Strike and VShell), multiple exploit chains, and a custom eBPF Linux rootkit named ShadowGuard to evade detection and maintain persistent access.

Key points

  • TGR-STA-1030/UNC6619 compromised at least 70 government and critical infrastructure organizations across 37 countries.
  • Primary targets included ministries, law enforcement, border control, finance, energy, trade, and diplomatic agencies.
  • Initial access was achieved via highly tailored phishing (Mega.nz-hosted archives delivering the Diaoyu loader) and exploitation of at least 15 known vulnerabilities, including flaws in SAP and Microsoft Exchange.
  • Researchers discovered a bespoke Linux eBPF rootkit, ShadowGuard, which hides processes, files, and audit data at the kernel level.
  • Operators used look-alike C2 domains, VPS hosts, relay servers, residential proxies and Tor, and environment checks to evade analysis and security products.

Read More: https://www.bleepingcomputer.com/news/security/state-actor-targets-155-countries-in-shadow-campaigns-espionage-op/