Full Report
A new state-aligned cyberespionage threat group, tracked as TGR-STA-1030/UNC6619, has conducted a global-scale operation dubbed the "Shadow Campaigns," targeting government infrastructure in 155 countries. [...]
Analysis Summary
# Threat Actor: TGR-STA-1030/UNC6619
## Attribution & Identity
* **Identification:** State-aligned cyberespionage threat group.
* **Tracking IDs:** TGR-STA-1030/UNC6619.
* **Origin Confidence:** High confidence that the group operates from Asia.
* **Maturity:** Assessed as an operationally mature espionage actor.
## Activity Summary
The group is conducting a global-scale operation dubbed the **"Shadow Campaigns."**
* **Active Since:** At least January 2024.
* **Confirmed Compromises:** Successfully compromised at least 70 government and critical infrastructure organizations across 37 countries between November and December (the year is not stated explicitly; context implies 2025).
* **Reconnaissance:** Engaged in reconnaissance activity targeting government entities connected to 155 countries during November and December.
* **Event-Driven Activity:** Showed increased interest and scanning activity across North, Central, and South America during the U.S. government shutdown in October 2025. Specifically, it conducted significant reconnaissance against "at least 200 IP addresses hosting Government of Honduras infrastructure" 30 days before the national election.
* **European Focus:** Targeted European Union infrastructure (scanning IPs hosting `*.europa.eu` domains) and, in July 2025, initiated connections to over 490 IP addresses hosting German government systems.
## Tactics, Techniques & Procedures
* **Initial Access:** Highly tailored spear-phishing emails sent to government officials, often referencing internal ministry reorganization efforts.
* **Delivery:** Emails embedded links to malicious archives hosted on Mega.nz storage service.
* **Analysis Evasion (Loader):** The initial malware loader, **Diaoyu**, performs checks before executing the main payload:
  * Hardware check: Requires a host screen resolution greater than or equal to 1440.
  * File integrity check: Requires the presence of a zero-byte file named `pic1.png` in the execution directory; terminates if absent.
* **Payload Delivery:** Diaoyu fetches **Cobalt Strike** payloads and the **VShell** framework for C2 under specific conditions.
* **Persistence/Defense Evasion (Kernel Level):** Utilizes a custom kernel-level rootkit dubbed **ShadowGuard**.
  * Manipulates core system functions and audit logs to conceal activity before security tools register data.
  * Hides up to 32 process IDs (PIDs) from standard Linux monitoring tools using syscall interception.
  * Hides files and directories named `swsecret` from manual inspection.
* **Lateral Movement/C2:** Uses VShell framework and Cobalt Strike.
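The two evasion behaviours above (the loader's zero-byte `pic1.png` marker and ShadowGuard hiding PIDs and `swsecret` entries from directory listings) map onto generic host-triage checks. The following Python script is an added example, not code from the report or from any vendor tooling: it cross-checks which PIDs answer a `kill(pid, 0)` probe against what a plain `/proc` listing shows (the classic way to surface PIDs hidden by a listing hook), compares direct path access against directory listings for the hidden name, and hunts for zero-byte marker files. Function names, the demo directory tree and the default scan root are constructed for illustration; the specific names come from the report.

```python
"""Host triage for the artifacts the report attributes to Diaoyu and ShadowGuard.

Added example, not code from the report. Two generic checks:
  1. process-visibility cross-check: PIDs that answer a signal probe but are
     absent from the /proc listing (what ps/top rely on);
  2. direct-access vs. listing comparison for names the rootkit is reported
     to hide, plus a scan for the loader's zero-byte marker file.
Function names and the demo tree are constructed for illustration.
"""
import os
import tempfile
from pathlib import Path
from typing import Iterable

MARKER_FILE = "pic1.png"   # zero-byte file the loader requires (from the report)
HIDDEN_NAME = "swsecret"   # name ShadowGuard hides from listings (from the report)


def probe_pids(candidates: Iterable[int]) -> set[int]:
    """PIDs that exist according to kill(pid, 0).

    PermissionError (EPERM) means the process exists but is owned by another
    user, so it counts as alive; ProcessLookupError (ESRCH) means it does not
    exist. A rootkit that also hooks kill() defeats this probe, so a clean
    result is absence of evidence, not proof of a clean host.
    """
    alive: set[int] = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def listed_pids() -> set[int]:
    """PIDs visible in an ordinary readdir() of /proc."""
    try:
        return {int(n) for n in os.listdir("/proc") if n.isdigit()}
    except OSError:
        return set()  # no procfs (non-Linux or restricted sandbox)


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs that answer the probe but are missing from the listing."""
    return probed - listed


def hidden_entries(directory: str, names: Iterable[str]) -> list[str]:
    """Names that can be stat'ed directly inside `directory` but do not appear
    when the directory is listed: the signature of a listing hook."""
    visible = set(os.listdir(directory))
    return [n for n in names
            if n not in visible and os.path.lexists(os.path.join(directory, n))]


def find_marker_files(root: str, name: str = MARKER_FILE) -> list[str]:
    """Zero-byte files carrying the loader's marker name anywhere under root."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if name in filenames:
            path = Path(dirpath) / name
            try:
                if path.stat().st_size == 0:
                    hits.append(str(path))
            except OSError:
                continue
    return sorted(hits)


def _pid_max() -> int:
    """Upper bound for the PID probe; falls back to the classic default."""
    try:
        return int(Path("/proc/sys/kernel/pid_max").read_text())
    except (OSError, ValueError):
        return 1 << 15


def live_scan(scan_root: str = "/tmp") -> dict:
    """Run every check against the running host (results vary per machine).
    scan_root is an assumed starting point; widen it for a real triage."""
    listed = listed_pids()
    probed = probe_pids(range(1, _pid_max()))
    return {
        "hidden_pids": sorted(hidden_pids(listed, probed)),
        "hidden_names": hidden_entries(scan_root, [HIDDEN_NAME]),
        "marker_files": find_marker_files(scan_root),
    }


def demo() -> dict:
    """Deterministic run over a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "a").mkdir()
        Path(tmp, "a", MARKER_FILE).touch()                   # zero-byte: flagged
        Path(tmp, "b").mkdir()
        Path(tmp, "b", MARKER_FILE).write_bytes(b"\x89PNG")   # real content: ignored
        markers = [os.path.relpath(p, tmp) for p in find_marker_files(tmp)]
        hidden = hidden_entries(tmp, [HIDDEN_NAME])           # nothing hidden here
    own = os.getpid()
    return {
        "markers": markers,
        "hidden_names": hidden,
        "own_pid_alive": own in probe_pids([own]),
        "hidden_pids_sample": sorted(hidden_pids({1, 2, 3}, {1, 2, 3, 4})),
    }


if __name__ == "__main__":
    print(demo())
    print(live_scan())
```

Run `live_scan()` as root so the probe and the listing see the same process set; a non-empty `hidden_pids` or `hidden_names` result warrants offline disk and memory analysis rather than further investigation from the possibly-hooked host.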
## Targeting
* **Sectors:** Government ministries, law enforcement, border control, finance, trade, energy, mining, immigration, diplomatic agencies, political issue groups, and power equipment industry suppliers.
* **Geography:** Global scope, targeting entities in 155 countries, with confirmed compromises in 37 countries across multiple continents.
  * **Americas:** Brazil, Canada, Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, Trinidad and Tobago, Bolivia, Venezuela (implied facility compromise).
  * **Europe:** Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal, Serbia, and EU infrastructure.
  * **Asia/Oceania:** Taiwan, Indonesia, Malaysia, Mongolia, Thailand, Australia, Afghanistan, Nepal.
  * **Africa:** Democratic Republic of the Congo, Djibouti, Ethiopia, Namibia, Niger, Nigeria, and Zambia.
* **Victims (confirmed compromises and targeted attempts):**
  * Brazil's Ministry of Mines and Energy.
  * Bolivian entity associated with mining.
  * Two Mexican ministries.
  * Government infrastructure in Panama.
  * Venezolana de Industria Tecnológica facility (based on IP geolocation).
  * Government entities in Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal, and Serbia.
  * Indonesian airline.
  * Multiple Malaysian government departments and ministries.
  * Mongolian law enforcement entity.
  * Major supplier in Taiwan's power equipment industry.
  * Thai government department.
  * Critical infrastructure entities in several African nations.
  * Targeted connection attempts against Australia's Treasury Department, Afghanistan's Ministry of Finance, and Nepal's Office of the Prime Minister and Council of Ministers.
## Tools & Infrastructure
* **Malware Families:** Diaoyu (loader), Cobalt Strike (payloads), VShell framework, ShadowGuard (kernel-level rootkit).
* **Infrastructure:**
  * Hosting on legitimate VPS providers in the U.S., Singapore, and the UK.
  * Use of relay servers for traffic obfuscation.
  * Use of residential proxies or Tor for proxying.
  * C2 domains designed to look familiar to the target (e.g., using `.gouv` TLD for French-speaking countries).
  * Reported C2 domain example: `dog3rj[.]tech`.
## Implications
TGR-STA-1030/UNC6619 represents a highly capable and operationally mature espionage threat actor. Its primary focus is on acquiring strategic, economic, and political intelligence, evidenced by its global reach and targeting of high-value government and critical infrastructure entities across 155 countries. The use of advanced evasion techniques, including kernel-level rootkits and file-based integrity checks, suggests a significant operational security focus and high potential for long-term compromise.
## Mitigations
* Implement enhanced email security to detect and block highly tailored phishing attempts and links hosted on temporary file-sharing services like Mega.nz.
* Monitor for unusual execution conditions, specifically looking for processes that rely on specific hardware configurations (like screen resolution checks) or the presence/absence of specific marker files (`pic1.png`).
* Deploy advanced endpoint detection and response (EDR) or XDR solutions capable of detecting kernel manipulation, syscall interception, and evidence of zero-byte file checks.
* Rigorously monitor kernel/system call activity for anomalous function hooking, especially related to core audit logging functions (indicative of ShadowGuard activity).
* Review network traffic for connections utilizing residential proxies or Tor, specifically targeting infrastructure or C2 domains resembling official structures (e.g., spoofed TLDs).
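The infrastructure section notes that the actor's C2 domains borrow official-looking labels such as `.gouv`, and the last mitigation above asks for network review of connections to domains that resemble official structures. The following Python script is an added example, not code from the report: it triages DNS query logs for the report's published indicator `dog3rj[.]tech` and for domains that carry an official-looking label outside the suffixes where that label is legitimate. The log format (`<timestamp> <client_ip> <qname>`), the suffix allow-list, the extra labels beyond `gouv`, and all sample lines except the indicator are constructed for illustration and should be adapted to the environment.

```python
"""DNS-log triage for C2 lookalike domains.

Added example, not part of the report. Flags (a) queries for the C2 indicator
the report gives, `dog3rj[.]tech`, and (b) queries for domains that borrow an
official-looking label outside the suffixes where it is legitimate. The log
format, the suffix allow-list and the sample lines are constructed.
"""
from typing import Optional

# Indicator from the report, defanged as published.
KNOWN_C2 = {"dog3rj[.]tech"}

# Labels borrowed to look official: `gouv` is the report's example; `gov` and
# `europa` are assumed equivalents. Extend for your own environment.
OFFICIAL_LABELS = {"gouv", "gov", "europa"}

# Suffixes under which those labels are expected. Constructed, not exhaustive.
LEGIT_SUFFIXES = ("gov", "gouv.fr", "gov.uk", "gov.br", "gob.mx", "europa.eu")


def refang(domain: str) -> str:
    """Turn a defanged indicator (`a[.]b`) into a normal lowercase FQDN."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def under_legit_suffix(name: str) -> bool:
    """True when the name is, or is a subdomain of, an allow-listed suffix."""
    return any(name == s or name.endswith("." + s) for s in LEGIT_SUFFIXES)


def is_lookalike(qname: str) -> bool:
    """True when an official-looking label appears outside a legitimate suffix.

    Labels are also split on '-' so `gouv-fr.tech` matches, while a word that
    merely contains the string (e.g. `governance`) does not.
    """
    name = refang(qname)
    parts = {p for label in name.split(".") for p in label.split("-")}
    if not (parts & OFFICIAL_LABELS):
        return False
    return not under_legit_suffix(name)


def classify(qname: str) -> Optional[str]:
    """Reason a query is suspicious, or None. Known indicators win over heuristics."""
    name = refang(qname)
    if name in {refang(d) for d in KNOWN_C2}:
        return "known_c2"
    if is_lookalike(name):
        return "lookalike"
    return None


def triage_dns_log(log_text: str) -> list:
    """Parse `<timestamp> <client_ip> <qname>` lines and return the suspicious
    ones as (timestamp, client, qname, reason) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line: skip rather than abort the triage
        ts, client, qname = fields
        reason = classify(qname)
        if reason:
            findings.append((ts, client, refang(qname), reason))
    return findings


# Constructed sample log; only the dog3rj.tech line reflects the report.
SAMPLE_LOG = """\
2025-11-03T08:12:41Z 10.0.5.23 www.example.org
2025-11-03T08:13:02Z 10.0.5.23 impots.gouv-fr.tech
2025-11-03T08:13:09Z 10.0.5.41 portal.gouv.fr
2025-11-03T08:14:55Z 10.0.5.23 dog3rj.tech
2025-11-03T08:15:10Z 10.0.5.77 login.europa-eu.site
2025-11-03T08:16:00Z 10.0.5.41 ec.europa.eu
2025-11-03T08:16:30Z 10.0.5.90 governance.example.com
"""

if __name__ == "__main__":
    for finding in triage_dns_log(SAMPLE_LOG):
        print(*finding)
```

The allow-list approach deliberately errs toward false positives: a new legitimate government suffix shows up as a "lookalike" once and is then added to `LEGIT_SUFFIXES`, whereas a substring-only match would silently miss hyphenated impersonations like `gouv-fr`.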