The Shadow Campaigns: Uncovering Global Espionage

Unit 42 attributes a large-scale, state-aligned cyberespionage campaign — tracked as TGR-STA-1030 and called the Shadow Campaigns — to an Asia-based actor that has compromised government and critical infrastructure across 37 countries using phishing, exploitation, C2 frameworks and a novel eBPF rootkit. The group used tools including Diaoyu Loader, Cobalt Strike, VShell, web shells and the ShadowGuard rootkit while targeting ministries and organizations tied to economic and resource partnerships. #TGR-STA-1030 #ShadowGuard

Keypoints

  • TGR-STA-1030 (aka UNC6619) is assessed with high confidence as a state-aligned group operating out of Asia, active since at least January 2024 and responsible for compromises across 37 countries.
  • The group primarily targets government ministries and critical infrastructure, including five national-level law enforcement/border control entities and multiple ministries of finance and trade.
  • Initial access techniques include targeted phishing campaigns (links to archives hosted on mega[.]nz) and exploitation of known N-day vulnerabilities rather than zero-days.
  • Notable tooling and techniques include Diaoyu Loader (with sandbox-evasion checks), Cobalt Strike and a transition to VShell, additional frameworks (Havoc, SparkRat, Sliver), common web shells (Behinder, Neo-reGeorg, Godzilla) and tunneling tools (GOST, FRPS, IOX).
  • Unit 42 discovered a unique Linux eBPF kernel rootkit named ShadowGuard that provides kernel-level process and file hiding, syscall interception and an allow-listing mechanism.
  • Infrastructure practices include multi-tiered C2 hosted on legitimate VPS providers in jurisdictions with strong rule of law, use of relays and residential/Tor proxies, and occasional upstream connections from AS9808 IPs in the actor’s region.
  • Unit 42 provided defensive IoCs (IPs, domains, SHA256 hashes, filenames) to impacted entities and industry partners and highlights Palo Alto Networks protections to mitigate the threat.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Actors sent targeted emails with a ‘lure of a ministry or department reorganization and links to malicious files hosted on mega[.]nz.’
  • [T1204.002] User Execution: Malicious File – Victims are induced to download and execute archives and executables such as ‘Politsei- ja Piirivalveameti organisatsiooni struktuuri muudatused.zip’ and DiaoYu.exe, which triggers payload deployment.
  • [T1190] Exploit Public-Facing Application – The group attempted and leveraged numerous N-day exploits; for example, they ‘attempted to exploit CVE-2019-11580, uploading a payload named rce.jar.’
  • [T1505.003] Web Shell – The actor frequently deployed web shells (Behinder, Neo-reGeorg, Godzilla) on external and internal web servers for persistent access: ‘the three most common web shells used by the group are Behinder, Neo-reGeorg and Godzilla.’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 frameworks and web access were configured over web protocols and ephemeral TCP ports: ‘the group often configures its web access on 5-digit ephemeral TCP ports using ordered numbers.’
  • [T1572] Protocol Tunneling – The group tunneled traffic through tools such as ‘GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX’ to move and anonymize traffic.
  • [T1014] Rootkit – The actor deployed a Linux eBPF kernel rootkit named ShadowGuard for kernel-level concealment and process/file hiding: ‘we identified the group using a new Linux kernel rootkit, ShadowGuard.’
  • [T1041] Exfiltration Over Command and Control Channel – The campaign’s upstream connections and multi-tiered C2 infrastructure support data theft and exfiltration back to actor-controlled networks: ‘the primary goal of an espionage group is to steal data.’

Indicators of Compromise

  • [IP Addresses] C2/relay infrastructure and victim-facing hosts – 138.197.44[.]208, 142.91.105[.]172, and 10 more IPs
  • [Domains] Domains used for C2, lures and targeting – gouvn[.]me, dog3rj[.]tech, and 10 more domains
  • [Phishing/Downloader SHA256] Downloader artifacts observed in phishing archives – 66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0, 23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe
  • [Cobalt Strike SHA256] Cobalt Strike payloads linked to actor operations – 5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe, 358ca77ccc4a979ed3337aad3a8ff7228da8246eebc69e64189f930b325daf6a, and 5 more hashes
  • [ShadowGuard SHA256] eBPF rootkit sample unique to this group – 7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d
  • [CVE-2019-11580 Exploit SHA256] Exploit payload tied to Atlassian Crowd targeting – 9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4
  • [File Names] Malicious archive and executable observed in phishing lure – ‘Politsei- ja Piirivalveameti organisatsiooni struktuuri muudatused.zip’, DiaoYu.exe (original name DiaoYu.exe) and auxiliary file pic1.png used as an execution guardrail
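As an added example (not code from the Unit 42 report or from this summary), the following Python scanner shows how a defender would operationalise the indicators above: it refangs the defanged IPs and domains, normalises hash case, and matches the IoCs against a few log lines. Only the indicators actually printed on this page are included; the "and N more" values elided here are not guessed at. The proxy, DNS and EDR log lines are constructed for illustration and follow no particular vendor's format.

```python
"""Match the TGR-STA-1030 indicators listed above against log lines.

Added example, not part of the Unit 42 report. Indicator values are the ones
printed in the summary; log lines are constructed for illustration.
"""
import re

# Indicators copied from the summary, in their defanged form.
DEFANGED_IPS = ["138.197.44[.]208", "142.91.105[.]172"]
DEFANGED_DOMAINS = ["gouvn[.]me", "dog3rj[.]tech"]
SHA256_HASHES = {
    "66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0": "phishing downloader",
    "23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe": "phishing downloader",
    "5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe": "Cobalt Strike payload",
    "358ca77ccc4a979ed3337aad3a8ff7228da8246eebc69e64189f930b325daf6a": "Cobalt Strike payload",
    "7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d": "ShadowGuard eBPF rootkit",
    "9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4": "CVE-2019-11580 exploit (rce.jar)",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(indicator: str) -> str:
    """Turn the report's defanged notation ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IPS = {refang(ip) for ip in DEFANGED_IPS}
DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}


def match_domain(hostname: str):
    """Return the matching IoC domain if hostname equals it or is a subdomain of it."""
    host = hostname.lower().rstrip(".")
    for domain in DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_line(line: str):
    """Return (kind, indicator, note) tuples for every IoC found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(("ip", ip, "C2/relay infrastructure"))
    for host in HOST_RE.findall(line):
        domain = match_domain(host)
        if domain:
            hits.append(("domain", domain, "C2/lure domain"))
    for digest in SHA256_RE.findall(line):
        digest = digest.lower()  # EDR products differ in hash case; normalise before lookup
        if digest in SHA256_HASHES:
            hits.append(("sha256", digest, SHA256_HASHES[digest]))
    return hits


def scan_logs(lines):
    """Scan many lines; each hit records the 1-based line number it came from."""
    results = []
    for number, line in enumerate(lines, start=1):
        for kind, indicator, note in scan_line(line):
            results.append({"line": number, "kind": kind, "indicator": indicator, "note": note})
    return results


# Constructed sample log lines (hypothetical formats; 10.0.0.0/8 and 198.51.100.0/24 are internal/documentation ranges).
SAMPLE_LOGS = [
    "2024-03-01T10:15:02Z proxy allow src=10.0.0.5 dst=138.197.44.208:443 host=- bytes=1024",
    "2024-03-01T10:16:44Z dns query name=update.gouvn.me type=A client=10.0.0.7",
    "2024-03-01T10:20:09Z edr file_write path=/tmp/DiaoYu.exe sha256=66EC547B97072828534D43022D766E06C17FC1CAFE47FBD9D1FFC22E2D52A9C0",
    "2024-03-01T10:25:00Z proxy allow src=10.0.0.5 dst=198.51.100.7:443 host=intranet.example bytes=2048",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['indicator']} ({hit['note']})")
```

The subdomain match matters for the domain indicators: the report lists bare domains, but observed DNS queries and HTTP Host headers will usually carry a subdomain, so an exact-string comparison would miss them.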


Read more: https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/