Asian State-Backed Espionage Targeting Global Government Infrastructure
Date: February 10, 2026
Threat Level: Critical (State-Sponsored)
Classification: Advanced Persistent Threat (APT) / Cyber Espionage
Aliases: UNC6619, “Shadow Campaigns”
A massive, previously undocumented cyber espionage campaign has been uncovered, operated by an Asian state-backed group tracked as TGR-STA-1030. Unit 42 (Palo Alto Networks) has linked this group to breaches in at least 70 organizations across 37 countries, with a distinct focus on government ministries and critical infrastructure.
The group is characterized by its strategic patience, use of custom loaders like “Diaoyu,” and a massive reconnaissance effort that scanned 155 countries leading up to February 2026.
1. Executive Summary & Key Findings
- Massive Scale: In late 2025 (Nov–Dec), the group conducted active reconnaissance against government infrastructure in 155 countries—roughly 80% of the world’s nations.
- Strategic Motivation: The targeting aligns closely with economic and geopolitical interests, specifically focusing on countries with rare earth mineral resources, international trade deals, and diplomatic tensions in the South China Sea.
- The “Diaoyu” Marker: Analysis of the malware metadata revealed the original filename Diaoyu.exe. “Diaoyu” (钓鱼) is the Chinese term for “fishing” (or phishing), but also references the disputed Diaoyu/Senkaku Islands, hinting at the group’s geopolitical origins.
- Tech Stack: They utilize a mix of custom malware (Diaoyu Loader, ShadowGuard rootkit) and open-source command-and-control (C2) frameworks like VShell and Cobalt Strike.
2. Victimology & Targeting
TGR-STA-1030 is not a financial crime group; their objective is purely intelligence gathering.
Key Sectors Targeted
- Government Ministries: Finance, Foreign Affairs, Interior, and Trade.
- Law Enforcement: National police forces and border control agencies.
- Critical Infrastructure: National telecommunications providers and energy grids.
Geographic Focus
While global, the targeting is highly specific to current geopolitical events:
- Southeast Asia: Heavy targeting of Thailand, Indonesia, and Vietnam (South China Sea claimants).
- Latin America: Breaches confirmed in Brazil (Ministry of Mines & Energy) and Bolivia (Mining sector), likely stealing intelligence on rare earth mineral exports.
- Europe: Reconnaissance against the Czech Republic (Military/Parliament) and Greece (Syzefxis Project).
- Taiwan: Compromise of a major power equipment supplier.
3. Operational TTPs
Phase 1: Initial Access (The MEGA Phish)
- Vector: Highly targeted spear-phishing emails posing as “Ministry Reorganization” or “Official Announcements.”
- Delivery: Emails contain links to the legitimate file-hosting service MEGA (mega.nz).
- Payload: Victims download a ZIP archive containing a legitimate-looking image (pic1.png) and the malicious executable (Diaoyu Loader).
Phase 2: Evasion & Execution
The Diaoyu Loader employs sophisticated anti-sandbox checks before executing:
- Resolution Check: It will only run if the screen resolution is greater than 1440 pixels wide (filtering out standard automated malware sandboxes).
- File Dependency: It checks for the presence of pic1.png in the same directory; if missing, it terminates.
Phase 3: Persistence & Lateral Movement
- Malware Arsenal: Once inside, they deploy:
- Cobalt Strike: For standard beaconing.
- VShell: A Go-based C2 framework (increasingly preferred by this group).
- ShadowGuard: A stealthy Linux rootkit that uses eBPF (Extended Berkeley Packet Filter) to hide processes deep within the OS kernel.
- Web Shells: Extensive use of Behinder, Godzilla, and Neo-reGeorg on compromised IIS and NGINX servers to maintain access even if the main malware is detected.
4. Technical Intelligence & IoCs
Security teams should hunt for the following indicators immediately.
Indicators of Compromise (IoCs)
| Type | Value/Pattern | Context |
| --- | --- | --- |
| Filename | Diaoyu.exe | Original internal filename of the loader |
| Filename | pic1.png | Decoy file required for execution |
| C2 Protocol | VShell / Go-based C2 | Traffic on ephemeral high TCP ports |
| Rootkit | ShadowGuard | Linux eBPF-based persistence |
| Hosting | mega.nz | Source of initial payload downloads |
| Web Shells | Behinder, Godzilla | Found on public-facing web servers |
Behavioral Hunting
- Screen Resolution Checks: Monitor for processes querying GetSystemMetrics(SM_CXSCREEN) followed by immediate termination if the value is low.
- eBPF Anomalies: On Linux systems, use tools like bpftool to list loaded programs. Look for unauthorized programs hooking into network or process events.
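The eBPF hunt above is a comparison job: record the programs a known-good host image loads, then flag anything on a live host that is not in that baseline. The script below is an added example written for this report, not tooling from Unit 42 or from any ShadowGuard analysis. It parses the JSON that `bpftool -j prog show` emits (the field names follow bpftool's output; the sample document and all of its values are constructed for the demo), keys the baseline on the program's type and tag (the tag is a hash of the program's instructions, so renaming does not evade it), and also interprets the `kernel.unprivileged_bpf_disabled` sysctl recommended later in the report.

```python
"""Hunt for eBPF programs that are not in a recorded baseline.

Added example for this report, not Unit 42 tooling. SAMPLE_BPFTOOL_JSON is a
constructed stand-in for `bpftool -j prog show` output; on a real host, run
that command and feed its stdout to find_unexpected_programs().
"""
import json

# Constructed sample. Field names (id, type, name, tag, loaded_at, uid) follow
# bpftool's JSON output; ids, tags, names and timestamps are invented.
SAMPLE_BPFTOOL_JSON = """
[
  {"id": 3, "type": "cgroup_skb", "name": "", "tag": "6deef7357e7b4530",
   "loaded_at": 1770681600, "uid": 0},
  {"id": 4, "type": "cgroup_skb", "name": "", "tag": "6deef7357e7b4530",
   "loaded_at": 1770681600, "uid": 0},
  {"id": 87, "type": "kprobe", "name": "unknown_probe", "tag": "0f1e2d3c4b5a6978",
   "loaded_at": 1770700000, "uid": 0},
  {"id": 88, "type": "tracepoint", "name": "tp_fork_watch", "tag": "a1b2c3d4e5f60718",
   "loaded_at": 1770700001, "uid": 1000}
]
"""

# Baseline of (type, tag) pairs captured from a known-good host image.
# The tag is a truncated hash of the program's instructions, so a renamed copy
# of an approved program still matches while any modified code does not.
BASELINE = {
    ("cgroup_skb", "6deef7357e7b4530"),  # constructed: e.g. systemd IP filters
}

# Program types that can observe or alter process and network events; an
# unknown program of one of these types deserves the first look.
HOOK_TYPES = {"kprobe", "kretprobe", "tracepoint", "raw_tracepoint", "tracing",
              "lsm", "sched_cls", "sched_act", "xdp", "socket_filter"}


def find_unexpected_programs(bpftool_json, baseline=BASELINE):
    """Return every loaded program whose (type, tag) is not in the baseline,
    with the reasons it stands out."""
    findings = []
    for prog in json.loads(bpftool_json):
        key = (prog.get("type", ""), prog.get("tag", ""))
        if key in baseline:
            continue
        reasons = ["not in baseline"]
        if prog.get("type") in HOOK_TYPES:
            reasons.append("hooks %s events" % prog["type"])
        if prog.get("uid", 0) != 0:
            reasons.append("loaded by non-root uid %d" % prog["uid"])
        findings.append({"id": prog.get("id"), "name": prog.get("name", ""),
                         "type": prog.get("type"), "tag": prog.get("tag"),
                         "reasons": reasons})
    return findings


def unprivileged_bpf_allowed(sysctl_value):
    """Interpret kernel.unprivileged_bpf_disabled as read from sysctl or
    /proc/sys. 0 allows unprivileged bpf(); 1 disables it and locks the
    setting until reboot; 2 disables it but lets an admin re-enable it."""
    return int(sysctl_value.strip()) == 0


if __name__ == "__main__":
    for finding in find_unexpected_programs(SAMPLE_BPFTOOL_JSON):
        print(finding)
```

In practice the baseline is regenerated whenever the host image, container runtime or security agent is updated, since each of those may legitimately load new programs; what should never change without a ticket is the set of kprobe, tracepoint and LSM programs.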
5. Strategic Recommendations
- Block Personal File Sharing: Restrict access to MEGA (mega.nz) and similar personal file-hosting sites on corporate/government networks, as this is the primary delivery vector.
- Linux Kernel Hardening: Ensure Secure Boot is enabled and restrict eBPF usage to privileged users only (sysctl kernel.unprivileged_bpf_disabled=1) to prevent ShadowGuard infections.
- Web Shell Hunting: Routinely scan public-facing web servers (IIS/Apache) for unmanaged scripts (ASPX/JSP/PHP). Tools like Neo-reGeorg leave distinct traffic patterns during tunneling—look for HTTP requests with high entropy in the body.
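Both halves of the web shell recommendation can be scripted. The example below is added for this report and is not Unit 42 tooling: it diffs the server-side scripts found under a web root against a deployment manifest (relative path to SHA-256 of the deployed file), so both dropped-in scripts and modified legitimate pages surface, and it scores HTTP request bodies by Shannon entropy to pick out opaque tunneled payloads from ordinary form posts. The web root, manifest, file contents and request bodies are all constructed inside the script.

```python
"""Web shell hunting: manifest diff of a web root plus request-body entropy.

Added example for this report, not Unit 42 tooling. The web root, manifest,
hashes and request bodies below are constructed for the demonstration.
"""
import hashlib
import math
import os
import tempfile

# Server-side script extensions that should exist only where a deployment put them.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".php", ".phtml"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unmanaged_scripts(web_root, manifest):
    """Return (relative_path, reason) for script files under web_root that the
    manifest (relative path -> sha256 of the deployed file) does not account for."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            if rel not in manifest:
                findings.append((rel, "not in manifest"))
            elif manifest[rel] != sha256_file(full):
                findings.append((rel, "hash differs from manifest"))
    return sorted(findings)


def shannon_entropy(data):
    """Bits per byte. Encrypted or random payloads approach 8.0; English text
    and form-encoded parameters stay well under 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_requests(requests, threshold=5.5, min_len=256):
    """requests: iterable of (path, body_bytes). Short bodies are skipped because
    entropy estimated from a few bytes is too noisy to act on."""
    flagged = []
    for path, body in requests:
        if len(body) >= min_len:
            ent = shannon_entropy(body)
            if ent >= threshold:
                flagged.append((path, round(ent, 2)))
    return flagged


def demo_manifest_hunt():
    """Build a constructed web root: two deployed scripts recorded in the manifest,
    one of them altered after deployment, plus one script nobody deployed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        deployed = {"index.php": b"<?php echo 'hello'; ?>\n",
                    "admin/login.aspx": b"<%@ Page Language=\"C#\" %>\n"}
        manifest = {}
        for rel, content in deployed.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
            manifest[rel] = hashlib.sha256(content).hexdigest()
        # Post-deployment changes: index.php altered, a new script in uploads/.
        with open(os.path.join(root, "index.php"), "ab") as fh:
            fh.write(b"// appended after deployment\n")
        with open(os.path.join(root, "uploads", "cache.php"), "wb") as fh:
            fh.write(b"<?php /* constructed placeholder file */ ?>\n")
        return find_unmanaged_scripts(root, manifest)


# Constructed request log: an ordinary form post and an opaque binary body of
# comparable size, the shape a tunneling tool produces.
SAMPLE_REQUESTS = [
    ("/portal/search", b"".join(b"field%d=value%d&" % (i, i) for i in range(30))),
    ("/uploads/cache.php", bytes(range(256)) * 2),
]

if __name__ == "__main__":
    print(demo_manifest_hunt())
    print(high_entropy_requests(SAMPLE_REQUESTS))
```

The manifest should come from the CI/CD artifact that produced the deployment rather than from the server itself; a manifest generated on the host after compromise would simply bless the intruder's files. The entropy threshold is a starting point to tune against a site's own traffic, since legitimate file uploads and compressed API payloads also score high.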
Monitor This Threat
TGR-STA-1030 is actively adapting. Their shift to Linux rootkits (ShadowGuard) indicates a move toward deep persistence in cloud and server environments. Organizations in trade, energy, and government sectors should consider themselves active targets.