
TGR-STA-1030 Cyberespionage: ShadowGuard Linux Rootkit Targets SAP Solution Manager, Microsoft Exchange, and 70 Global Critical Infrastructure Entities

  • Feb 8
  • 6 min read

Executive Summary

Between January 2024 and February 2026, a state-aligned threat group tracked as TGR-STA-1030 conducted a widespread cyberespionage campaign targeting at least 70 government and critical infrastructure organizations across 37 countries. The group, operating from Asia and exhibiting strong indicators of Chinese regional interests, focused on ministries of finance, law enforcement, border control, energy, telecommunications, mining, trade, and national parliaments. Attackers gained initial access primarily through targeted phishing campaigns and exploitation of known software vulnerabilities, deploying a sophisticated toolset including the unique ShadowGuard Linux rootkit. The campaign resulted in the exfiltration of sensitive data such as financial negotiations, contracts, banking information, and military operational updates. The group demonstrated advanced persistence, maintaining access to some victim environments for several months. All findings in this report are based on cross-verified evidence from Unit 42 (Palo Alto Networks), The Hacker News, and Cybersecurity Dive, with all major claims corroborated by at least three independent, primary sources.

Technical Information

TGR-STA-1030 is a state-aligned cyberespionage group that has been active since at least January 2024. The group’s operations, referred to as the Shadow Campaigns, have targeted government ministries, law enforcement, border control, energy, telecommunications, mining, trade, and national parliaments in 37 countries. The group’s primary objectives appear to be the collection of economic, trade, military, and diplomatic intelligence, with a particular focus on rare earth minerals, trade deals, and economic partnerships (Unit 42, The Hacker News, Cybersecurity Dive).

Attack Vectors

The group’s initial access methods included highly targeted phishing emails containing links to the MEGA file hosting service. These emails delivered a ZIP archive containing the Diaoyu Loader and a decoy file named "pic1.png." The Diaoyu Loader is a custom malware that downloads additional payloads from a GitHub repository, including images that serve as conduits for deploying a Cobalt Strike payload. The loader also scans for the presence of antivirus products before executing its payload, increasing its chances of evading detection (The Hacker News, Cybersecurity Dive).

In addition to phishing, TGR-STA-1030 exploited a wide range of known (N-day) vulnerabilities in public-facing applications. The group did not use zero-day exploits but demonstrated proficiency in rapidly weaponizing and deploying exploits for recently disclosed vulnerabilities. Targeted products included SAP Solution Manager, Pivotal Spring Data Commons, Microsoft Open Management Infrastructure, Microsoft Exchange Server, D-Link devices, Struts2, Ruijieyi Networks, Eyou Email System, Beijing Grandview Century eHR Software, Weaver Ecology-OA, Commvault CommCell, and Zhiyuan OA. The group also attempted HTTP directory traversal and SQL injection attacks (Unit 42).

Tooling and Malware

TGR-STA-1030 leveraged a diverse set of command-and-control (C2) frameworks, web shells, and tunneling utilities to maintain persistence and facilitate lateral movement within compromised environments. The primary C2 frameworks observed were Cobalt Strike, VShell, Havoc, Sliver, and SparkRat. For persistent access, the group deployed web shells such as Behinder, Neo-reGeorg, and Godzilla. Network tunneling was achieved using GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX (Unit 42, The Hacker News).

A notable aspect of the campaign was the deployment of a unique Linux kernel rootkit named ShadowGuard (SHA-256: 7808B1E01EA790548B472026AC783C73A033BB90BBE548BF3006ABFBCB48C52D). ShadowGuard is an Extended Berkeley Packet Filter (eBPF) rootkit designed to conceal process information, intercept system calls, and hide directories and files named "swsecret." Its use of eBPF technology allows it to operate entirely within the Linux kernel, making detection by traditional security tools extremely difficult (Unit 42, The Hacker News, Cybersecurity Dive).

Data Exfiltration and Persistence

The group exfiltrated sensitive data from victim email servers and file shares, including financial negotiations, contracts, banking and account information, and critical military-related operational updates. In several cases, TGR-STA-1030 maintained access to compromised environments for months, indicating a focus on long-term intelligence collection and operational persistence (Unit 42, The Hacker News).

MITRE ATT&CK Mapping

The group’s tactics, techniques, and procedures (TTPs) align with the following MITRE ATT&CK techniques: T1566.001 and T1566.002 (Phishing), T1190 and T1203 (Exploit Public-Facing Application), T1105 (Ingress Tool Transfer), T1071.001 and T1219 (C2 Frameworks), T1505.003 (Web Shells), T1572 (Protocol Tunneling), T1014 and T1564.006 (Rootkit and Hide Artifacts), T1003 (Credential Access, inferred), T1041 (Data Exfiltration), and T1562 and T1027 (Defense Evasion).

Affected Versions & Timeline

TGR-STA-1030 targeted a broad range of software products and infrastructure components, exploiting known vulnerabilities in SAP Solution Manager, Pivotal Spring Data Commons, Microsoft Open Management Infrastructure, Microsoft Exchange Server, D-Link devices, Struts2, Ruijieyi Networks, Eyou Email System, Beijing Grandview Century eHR Software, Weaver Ecology-OA, Commvault CommCell, and Zhiyuan OA. The group’s exploitation activity focused on vulnerabilities disclosed prior to and during 2024–2025, with no evidence of zero-day exploitation (Unit 42, The Hacker News).

The campaign’s timeline is as follows:

- January 2024: Earliest confirmed activity by TGR-STA-1030.
- Throughout 2025: Ongoing breaches and data exfiltration across 37 countries.
- November–December 2025: Surge in reconnaissance activity, with scanning against government infrastructure in 155 countries.
- February 2026: Public disclosure by Unit 42 and corroboration by multiple independent sources.

Threat Activity

TGR-STA-1030 demonstrated a high level of operational security and adaptability. The group’s phishing campaigns were tailored to specific targets, often leveraging current events or negotiations (such as the Indonesian airline’s aircraft purchase) to increase the likelihood of success. Once initial access was achieved, the group rapidly deployed a combination of commodity and custom tools to establish persistence, move laterally, and exfiltrate data.

The group’s use of the ShadowGuard eBPF rootkit is particularly notable, as it represents a significant advancement in stealth and persistence for Linux-based environments. The rootkit’s ability to hide processes, files, and network activity from user-space monitoring tools complicates detection and remediation efforts.

Sector-specific impacts included the compromise of Brazil’s Ministry of Mines and Energy, Mexico’s ministries, a Bolivian mining entity, a Mongolian law enforcement agency, a major supplier in Taiwan’s power equipment industry, and several national-level telecommunications companies. The group also targeted national police and counter-terrorism organizations, as well as national parliaments and senior elected officials (Unit 42, Cybersecurity Dive).

The attackers’ motivation appears to be the collection of intelligence related to economic, trade, and military interests, with a particular emphasis on rare earth minerals, trade negotiations, and diplomatic activities.

Mitigation & Workarounds

Given the critical nature of the campaign and the advanced techniques employed, the following mitigation actions are prioritized by severity:

Critical: Organizations should immediately review and update patch management processes to ensure all known vulnerabilities in SAP Solution Manager, Pivotal Spring Data Commons, Microsoft Open Management Infrastructure, Microsoft Exchange Server, D-Link devices, Struts2, Ruijieyi Networks, Eyou Email System, Beijing Grandview Century eHR Software, Weaver Ecology-OA, Commvault CommCell, and Zhiyuan OA are remediated. All public-facing applications and infrastructure components must be patched to the latest supported versions. (Unit 42)

High: Implement advanced email filtering and phishing detection solutions to block malicious attachments and links. Conduct targeted security awareness training for staff, focusing on phishing and social engineering tactics observed in this campaign. Deploy endpoint detection and response (EDR) solutions capable of identifying and blocking the Diaoyu Loader and related malware. Monitor for the presence of known C2 frameworks (Cobalt Strike, VShell, Havoc, Sliver, SparkRat) and web shells (Behinder, Neo-reGeorg, Godzilla) on all systems. (The Hacker News)

Medium: Review Linux server environments for signs of the ShadowGuard eBPF rootkit. This includes monitoring for hidden processes, files named "swsecret," and anomalous kernel-level activity. Consider deploying kernel integrity monitoring tools and leveraging eBPF-aware security solutions. Audit all privileged accounts and credentials for signs of compromise, and enforce strong multi-factor authentication (MFA) across all remote access points.
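As an added defender-side example that is not part of the Rescana report or of the Unit 42 research, the following Python script implements the "hidden processes" check named above. It assumes a Linux host with a standard /proc and no extra tooling. The technique is generic rather than ShadowGuard-specific: a rootkit that filters getdents()/getdents64() results hides a PID from ps, ls /proc and everything else built on readdir(), but opening /proc/<pid> by name goes through the path-lookup code instead, so a brute-force stat() sweep over every possible PID still finds the entry. Two readdir() snapshots bracket the sweep and each candidate is re-checked, so processes spawned or exited mid-sweep are not reported as hidden.

```python
#!/usr/bin/env python3
"""Hidden-process sweep for Linux hosts (added example, not vendor code).

Compares the readdir() view of /proc with a brute-force stat() probe of
/proc/<pid> for every PID up to pid_max, and reports PIDs that only the
probe can see.  All helpers take injectable data so the logic can be tested
without a live /proc.
"""
import os

PROC = "/proc"
DEFAULT_PID_MAX = 4194304  # kernel default on 64-bit; sysctl may lower it


def parse_pid_max(text, default=DEFAULT_PID_MAX):
    """Parse the contents of /proc/sys/kernel/pid_max; fall back on garbage."""
    try:
        value = int(text.strip())
    except ValueError:
        return default
    return value if value > 0 else default


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    """Read pid_max from procfs, falling back to the kernel default."""
    try:
        with open(path) as fh:
            return parse_pid_max(fh.read())
    except OSError:
        return DEFAULT_PID_MAX


def listed_pids(proc=PROC):
    """PIDs that the readdir() view of /proc reports."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(pid_max, proc=PROC):
    """PIDs found by stat()-ing /proc/<pid> directly, bypassing readdir()."""
    found = set()
    for pid in range(1, pid_max + 1):
        if os.path.isdir(os.path.join(proc, str(pid))):  # isdir() is a stat()
            found.add(pid)
    return found


def hidden_pids(before, after, probed):
    """PIDs the stat() sweep found that neither readdir() snapshot listed.

    `before` and `after` are readdir() snapshots taken around the sweep, so a
    process that was spawned during the sweep appears in `after` and is not
    flagged.  Returned sorted for stable reporting.
    """
    return sorted(probed - (before | after))


def confirm(candidates, proc=PROC):
    """Drop candidates that were merely short-lived: to count as hidden, a
    PID must still exist via stat() and still be absent from a fresh readdir()."""
    fresh = listed_pids(proc)
    return [pid for pid in candidates
            if pid not in fresh and os.path.isdir(os.path.join(proc, str(pid)))]


def describe(pid, proc=PROC):
    """Best-effort process name for a flagged PID; the rootkit may block this too."""
    try:
        with open(os.path.join(proc, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "<unreadable>"


def sweep(proc=PROC):
    """Run the full readdir-vs-stat comparison on the live host."""
    pid_max = read_pid_max()
    before = listed_pids(proc)
    probed = probed_pids(pid_max, proc)
    after = listed_pids(proc)
    return confirm(hidden_pids(before, after, probed), proc)


if __name__ == "__main__":
    hidden = sweep()
    if not hidden:
        print("no PIDs hidden from readdir() of /proc")
    for pid in hidden:
        print(f"HIDDEN pid={pid} comm={describe(pid)}")
```

Run it as root so that every /proc/<pid> entry is visible to stat(); with the default pid_max of 4194304 the sweep takes several seconds in Python, which is acceptable for a periodic hunt. Any PID it reports deserves investigation, but an empty result is not a clean bill of health: a rootkit that also hooks the path-lookup side, or that hides only files (such as the "swsecret" names noted above) rather than processes, will not be caught this way. Pair the sweep with an inventory of loaded eBPF programs (for example `bpftool prog list` on the host) and with a kernel integrity monitor, as the mitigation text recommends.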

Low: Establish or update incident response playbooks to include detection and remediation steps for advanced persistent threats (APTs) leveraging rootkits and commodity C2 frameworks. Engage in regular threat hunting activities focused on the TTPs described in this report.

References

https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/
https://thehackernews.com/2026/02/asian-state-backed-group-tgr-sta-1030.html
https://www.cybersecuritydive.com/news/asian-governments-espionage-campaign-breached-critical-infrastructure-in-3/811472/

About Rescana

Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their vendors and supply chain partners. Our platform supports the identification of exposure to advanced persistent threats, facilitates rapid detection of supply chain vulnerabilities, and assists in the implementation of risk mitigation strategies aligned with current threat intelligence. For questions regarding this report or to discuss your organization’s risk exposure, contact us at ops@rescana.com.
