TGR-STA-1030 Espionage Campaign Compromises 70 Organizations Across 37 Nations Using ShadowGuard Linux Rootkit

A massive, state-aligned cyber espionage campaign has quietly infiltrated government networks across 37 countries, targeting ministries of finance, law enforcement, and critical infrastructure. In a new report, Unit 42 exposes the operations of TGR-STA-1030 (also tracked as UNC6619), an Asia-based threat group that has compromised at least 70 organizations worldwide over the past year.

The group’s activities are meticulously timed to coincide with real-world geopolitical events, from mining disputes in Africa to high-level diplomatic meetings in Europe. One specific detail stands out from the research: “We found that one of the attackers uses the handle ‘JackMa,’ which could refer to the billionaire businessman and philanthropist who co-founded Alibaba Group.”

Sophisticated Phishing and Evasive Malware

The group’s primary entry point is sophisticated phishing. In early 2025, they targeted European governments with emails claiming to be about a “ministry reorganization.” These messages contained links to malicious archives hosted on mega.nz.

The malware inside, dubbed Diaoyu Loader (referencing the Chinese term for “fishing”), employs clever evasion tactics. According to the report: “If the malware sample is submitted to a sandbox in isolation, the absence of this auxiliary file [pic1.png] causes the process to terminate gracefully” — effectively hiding its true nature from automated analysis tools.

ShadowGuard: A Never-Before-Seen Linux Rootkit

Once inside target networks, TGR-STA-1030 establishes deep persistence. The investigation uncovered a never-before-seen Linux rootkit named ShadowGuard. This advanced tool operates at the kernel level using eBPF technology, making it nearly invisible to standard security monitoring.

“It conceals specified process IDs (PIDs), making them invisible to standard user-space analysis tools like the standard Linux ps aux command,” the Unit 42 report explains.

Strategic Targeting Aligned with Geopolitical Events

The group’s targets read like a map of strategic economic interests:

  • Americas: Reconnaissance of Honduran government infrastructure spiked on October 31, 2025—just 30 days before an election where candidates discussed restoring ties with Taiwan.
  • Europe: Scanning of the Czech President’s website surged shortly after it was announced he would co-patronize the Dalai Lama’s birthday gala.
  • Africa: In the Democratic Republic of the Congo, a compromise in December 2025 appeared linked to a major mining spill by an Asian company that polluted local waterways.

Asia-Based Attribution

While the group uses a temporary designator, its digital footprint points clearly to Asia. Researchers found multiple indicators, including regional tooling, language settings, and activity patterns aligning with the GMT+8 time zone.

Defensive Recommendations

Organizations in government and critical infrastructure sectors should:

  • Implement enhanced phishing detection for diplomatic-themed lures
  • Monitor for eBPF-based kernel modifications on Linux systems
  • Watch for suspicious connections to mega.nz hosting services
  • Deploy behavioral analysis beyond signature-based detection
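The PID-hiding behaviour described for ShadowGuard above, and the recommendation to monitor eBPF kernel modifications, suggest a simple host check. The following is an added example (not code from the Unit 42 report or from ShadowGuard analysis) that compares the PID list obtained by listing /proc, which is what ps reads and what a directory-listing filter would alter, against PIDs found by looking up /proc/<pid> directly, and inventories loaded eBPF programs with bpftool. It assumes the rootkit filters directory listings only; the page does not say which syscalls ShadowGuard hooks, so a rootkit that also intercepts path lookups would not be caught this way.

```python
import os
import json
import shutil
import subprocess

PROC = "/proc"

def readdir_pids(proc=PROC):
    """PIDs as ps-style tools see them: numeric entries from listing /proc.
    A rootkit that filters directory listings removes hidden PIDs here."""
    return {int(e) for e in os.listdir(proc) if e.isdigit()}

def probe_pids(max_pid=65536, proc=PROC):
    """PIDs found by asking for /proc/<pid> directly, without listing the
    directory. Path lookup is a separate kernel path from directory listing,
    so a hook that only filters listings leaves these entries reachable.
    max_pid=65536 is a constructed default; use /proc/sys/kernel/pid_max
    for a full sweep."""
    return {pid for pid in range(1, max_pid + 1) if os.path.exists(f"{proc}/{pid}")}

def find_hidden(listed, probed):
    """Pure comparison: PIDs reachable by direct lookup but absent from the listing."""
    return sorted(probed - listed)

def confirm_hidden(candidates, proc=PROC):
    """Re-check candidates so processes that started or exited between the two
    scans are not reported as hidden."""
    fresh = readdir_pids(proc)
    return [p for p in candidates if os.path.exists(f"{proc}/{p}") and p not in fresh]

def loaded_bpf_programs():
    """Inventory of loaded eBPF programs as (id, type, name) via bpftool.
    Returns None when bpftool is missing or we lack the privileges it needs."""
    if shutil.which("bpftool") is None:
        return None
    try:
        out = subprocess.run(["bpftool", "prog", "show", "-j"],
                             capture_output=True, text=True, check=True).stdout
    except subprocess.CalledProcessError:
        return None
    return [(p.get("id"), p.get("type"), p.get("name")) for p in json.loads(out)]

if __name__ == "__main__":
    hidden = confirm_hidden(find_hidden(readdir_pids(), probe_pids()))
    print("hidden PIDs:", hidden or "none")
    progs = loaded_bpf_programs()
    if progs is not None:
        for prog_id, prog_type, name in progs:
            print(f"bpf prog id={prog_id} type={prog_type} name={name}")
```

Run it as root so bpftool can enumerate programs; an unexpected tracepoint or kprobe program, or a PID that is reachable but unlisted, is worth a closer look.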

“TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide,” the report concludes, warning that the group prioritizes nations exploring new economic partnerships.

Source: Security Online / Unit 42
