Countries targeted by TGR-STA-1030 reconnaissance between November and December 2025 | Image: Unit 42
A massive, state-aligned cyber espionage campaign has quietly infiltrated government networks across 37 countries, targeting ministries of finance, law enforcement, and critical infrastructure. In a new report, Unit 42 exposes the operations of TGR-STA-1030 (also known as UNC6619), an Asia-based threat group that has compromised at least 70 organizations worldwide over the past year.
The group’s activities are meticulously timed to coincide with real-world geopolitical events, from mining disputes in Africa to high-level diplomatic meetings in Europe.
While the group uses a temporary designator, its digital footprint points clearly to Asia. Researchers found multiple indicators, including regional tooling, language settings, and activity patterns aligning with the GMT+8 time zone.
One specific detail stands out: “We found that one of the attackers uses the handle ‘JackMa,’ which could refer to the billionaire businessman and philanthropist who co-founded Alibaba Group,” the report notes.
The group’s primary entry point is sophisticated phishing. In early 2025, they targeted European governments with emails claiming to be about a “ministry reorganization.” These messages contained links to malicious archives hosted on mega.nz.
The malware inside, dubbed Diaoyu Loader (referencing the Chinese term for “fishing”), employs clever evasion tactics. “If the malware sample is submitted to a sandbox in isolation, the absence of this auxiliary file [pic1.png] causes the process to terminate gracefully,” effectively hiding its true nature from automated analysis tools.
Once inside, TGR-STA-1030 digs in deep. The investigation uncovered a never-before-seen Linux rootkit named ShadowGuard. This advanced tool operates at the kernel level using eBPF technology, making it nearly invisible to standard security monitoring.
“It conceals specified process IDs (PIDs), making them invisible to standard user-space analysis tools like the standard Linux ps aux command,” the report explains.
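As an added example of the detection angle this implies (not code from the Unit 42 report or the ShadowGuard analysis): a cross-view check in Python that compares the PIDs a /proc directory listing shows (what ps relies on) with the PIDs the kernel admits exist via kill(pid, 0). A process present in the second set but absent from the first is a candidate for exactly this kind of concealment. It assumes Linux and that the rootkit filters the /proc listing rather than the kill syscall itself.

```python
import os

def listed_pids(proc_root="/proc"):
    """PIDs visible in a directory listing of /proc: the view ps, top and
    similar user-space tools rely on, and the one a rootkit typically filters."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def is_thread_group_leader(pid, proc_root="/proc"):
    """True if pid is a process, False if it is a thread, None if unknown.
    kill(tid, 0) succeeds for thread IDs too, and threads are never top-level
    /proc entries, so they must be filtered to avoid false positives. If the
    status file cannot be read at all, the PID stays a suspect (None)."""
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return None
    return None

def probed_pids(max_pid, proc_root="/proc"):
    """PIDs that exist according to kill(pid, 0), which sends no signal and only
    asks the kernel whether the PID exists (EPERM still means it exists)."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if is_thread_group_leader(pid, proc_root) is not False:
            found.add(pid)
    return found

def hidden_pids(listed, probed):
    """Pure comparison: PIDs that exist but are absent from the listing."""
    return sorted(set(probed) - set(listed))

def scan(proc_root="/proc"):
    with open(f"{proc_root}/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    before = listed_pids(proc_root)
    probed = probed_pids(max_pid, proc_root)
    after = listed_pids(proc_root)
    # A process that starts or exits mid-scan appears in only one snapshot;
    # the union of both listings keeps such races out of the hidden set.
    return hidden_pids(before | after, probed)

if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} exists but is not listed in /proc")
```

A hit should be confirmed by re-running the scan and then inspecting /proc/<pid>/ directly, since short-lived processes can still slip through the race window.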
The group’s targets read like a map of strategic economic interests.
- Americas: Reconnaissance of Honduran government infrastructure spiked on October 31, 2025, just 30 days before an election where candidates discussed restoring ties with Taiwan.
- Europe: Scanning of the Czech President’s website surged shortly after it was announced he would co-patronize the Dalai Lama’s birthday gala.
- Africa: In the Democratic Republic of the Congo, a compromise in December 2025 appeared linked to a major mining spill by an Asian company that polluted local waterways.
“TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide,” the report concludes, warning that the group prioritizes nations exploring new economic partnerships.