
TGR-STA-1030: Global State-Aligned Cyber Espionage Campaign

Red | Attack Report

Summary

TGR-STA-1030 (also tracked as UNC6619) represents a highly sophisticated state-aligned cyber-espionage threat actor that has been actively conducting global intelligence collection operations since at least January 2024. Assessed to operate primarily from Asia with activity patterns consistent with GMT+8 working hours, this advanced persistent threat group has successfully compromised more than 70 organizations across 37 countries over the past year. The group’s targeting focus encompasses government ministries, diplomatic institutions, law enforcement agencies, and critical infrastructure sectors, with victim selection aligning closely with strategic geopolitical, economic, and military intelligence collection priorities characteristic of state-sponsored operations.

Between November and December 2025, TGR-STA-1030 conducted extensive reconnaissance against government infrastructure associated with 155 countries worldwide. Unlike the indiscriminate mass scanning typical of cybercriminal or opportunistic actors, this reconnaissance selectively profiled specific government entities, suggesting intelligence requirements driven by strategic national security objectives. The breadth and depth of this global targeting indicate sustained, well-resourced operations consistent with advanced persistent threat groups working in support of nation-state intelligence collection requirements.

The attack methodology combines spear-phishing social engineering with exploitation of publicly disclosed vulnerabilities (N-day exploitation) affecting enterprise software platforms. Phishing campaigns utilize government-themed lures including fabricated ministry reorganization notices, policy announcements, and official communications designed to appear legitimate to government employees. These malicious emails deliver links to archives hosted on mega.nz cloud storage containing the custom Diaoyu loader malware, which incorporates multiple sandbox evasion techniques. Simultaneously, TGR-STA-1030 exploits known vulnerabilities including CVE-2019-11580 affecting Atlassian Crowd, Microsoft Exchange Server remote code execution flaws, SAP Solution Manager privilege escalation vulnerabilities, and others, demonstrating rapid adoption of proof-of-concept exploit code following public disclosure.

Following successful compromise, the threat actor deploys a sophisticated, layered toolset designed for long-term persistent access and comprehensive intelligence collection. The group has evolved from using commercial penetration testing frameworks like Cobalt Strike to deploying VShell (a Go-based command-and-control framework), alongside Havoc, SparkRat, and Sliver post-exploitation frameworks. Web shells including Behinder, Godzilla, and Neo-reGeorg are deployed on both external-facing and internal servers to maintain alternative access paths. Traffic tunneling is accomplished through GOST, FRPS, and IOX tools, creating multi-tiered command-and-control infrastructure utilizing VPS relays, residential proxy networks, and Tor nodes to obfuscate attacker origins. Notably, victim-facing command-and-control servers are frequently hosted in rule-of-law jurisdictions to blend malicious traffic with legitimate communications and complicate law enforcement responses.

A particularly sophisticated capability deployed by TGR-STA-1030 is ShadowGuard, a previously undocumented eBPF (extended Berkeley Packet Filter) based Linux kernel rootkit. This advanced rootkit operates at the kernel level to hide malicious processes from system monitoring tools, conceal files and directories from forensic analysis, intercept system calls to manipulate operating system behavior, and maintain persistent, stealthy access to compromised Linux systems. The deployment of custom kernel-level rootkit technology demonstrates advanced malware development capabilities and significant investment in maintaining undetected long-term access to high-value intelligence targets.

Attack Details (condensed due to space)

The campaign demonstrates strategic targeting of government foreign affairs ministries, finance and treasury departments, justice and interior ministries, trade and economy agencies, energy and natural resources departments, immigration and border control, law enforcement and counter-terrorism units, defense and military organizations, telecommunications regulators, aviation authorities, financial services oversight bodies, technology sector companies with government contracts, public sector IT infrastructure providers, parliamentary institutions, and diplomatic services worldwide.

TGR-STA-1030’s toolset includes custom malware (Diaoyu loader, ShadowGuard eBPF rootkit), open-source C2 frameworks (VShell, Havoc, SparkRat, Sliver), web shells (Behinder, Godzilla, Neo-reGeorg with Tas9er obfuscation), and tunneling tools (GOST, FRPS, IOX) creating resilient multi-tier infrastructure designed to survive defensive responses and maintain long-term access.


Recommendations

  1. Block Known Malicious Infrastructure – Immediately block C2 domains (gouvn.me, dog3rj.tech, zamstats.me, 888910.xyz) and all documented IP addresses
  2. Patch Exploited Vulnerabilities – Prioritize CVE-2019-11580, Microsoft Exchange RCE, SAP Solution Manager, and D-Link vulnerabilities
  3. Scan for Web Shell Artifacts – Detect Behinder, Neo-reGeorg, and Godzilla web shells with Tas9er-style obfuscation
  4. Hunt for ShadowGuard eBPF Rootkit – Check for “swsecret” files/directories, unauthorized eBPF programs using bpftool
  5. Enhance Email Security – Block archives from Mega.nz, detect anti-sandbox techniques
  6. Monitor Tunneling Activity – Detect GOST, FRPS, IOX tools and unusual high-port connections
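Recommendation 4 can be turned into a repeatable hunt. The following is an added example (not Hive Pro's code or tooling) that reviews loaded eBPF programs as reported by `bpftool prog show -j` and walks a filesystem for the "swsecret" name; the bpftool output, the allowlist of approved eBPF loaders and the process names are constructed for illustration, not captured from a real host.

```python
"""Hunt for ShadowGuard-style eBPF rootkit indicators (added example)."""
import json
import os

# Hypothetical allowlist: process names that legitimately load eBPF programs here.
APPROVED_LOADERS = {"falco", "tetragon", "cilium-agent", "systemd"}
# Program types that can hook syscalls; used by rootkits, but not inherently bad.
TRACING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Constructed stand-in for `bpftool prog show -j`, trimmed to the fields used.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress",
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 57, "type": "kprobe", "name": "hide_getdents",
     "pids": [{"pid": 4242, "comm": "swsecret"}]},
    {"id": 58, "type": "tracepoint", "name": "sys_enter", "pids": []},
])


def suspicious_bpf_programs(bpftool_json: str) -> list[dict]:
    """Return tracing-type programs not owned by an approved loader process.

    An empty `pids` list (loader exited; program kept alive by a pin or attach)
    is also flagged, since that is how a rootkit survives after installation.
    """
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in TRACING_TYPES:
            continue
        owners = {p["comm"] for p in prog.get("pids", [])}
        if not owners or not owners <= APPROVED_LOADERS:
            findings.append({"id": prog["id"], "type": prog["type"],
                             "name": prog.get("name", ""),
                             "owners": sorted(owners)})
    return findings


def find_swsecret(root: str, walker=os.walk) -> list[str]:
    """Return paths under `root` whose basename contains 'swsecret'."""
    hits = []
    for dirpath, dirnames, filenames in walker(root):
        for entry in dirnames + filenames:
            if "swsecret" in entry.lower():
                hits.append(os.path.join(dirpath, entry))
    return sorted(hits)


if __name__ == "__main__":
    for f in suspicious_bpf_programs(SAMPLE_BPFTOOL_JSON):
        print(f"[!] eBPF prog id={f['id']} type={f['type']} "
              f"name={f['name']} owners={f['owners']}")
    for path in find_swsecret("/"):
        print(f"[!] swsecret artifact: {path}")
```

Because a rootkit that intercepts directory listing and process enumeration can hide from the very tools this script relies on, run the filesystem walk against a disk image mounted on a clean analysis host and compare bpftool output with a baseline taken from a trusted boot.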

MITRE ATT&CK TTPs

  - Initial Access: T1566.002, T1190
  - Execution: T1204.002
  - Defense Evasion: T1497.001, T1014, T1564.001, T1564.003
  - Persistence: T1505.003
  - Command & Control: T1105, T1071.001, T1572, T1090.002
  - Resource Development: T1583.001, T1583.003


IOCs

  - SHA256 Hashes: 11 malware samples documented
  - Domains: abwxjp5.me, brackusi0n.live, dog3rj.tech, emezonhe.me, gouvn.me, msonline.help, pickupweb.me, pr0fu5a.me, q74vn.live, servgate.me, zamstats.me, zrheblirsy.me
  - IPs: 12 command-and-control IP addresses across multiple hosting providers
  - URLs: GitHub repositories hosting malicious payloads
