Current Cyber Threats

The Shadow Campaigns: Uncovering Global Espionage

Summary:
TGR-STA-1030 (aka UNC6619) is a highly active, state-aligned cyber-espionage group assessed with high confidence to operate out of Asia. The group has been active since at least January 2024 and has conducted large-scale, targeted operations against government and critical infrastructure organizations worldwide. Over the past year, the group compromised at least 70 organizations across 37 countries and conducted focused reconnaissance against government infrastructure in 155 countries.

The group’s targeting is centered on national-level government entities, including ministries and departments responsible for foreign affairs, finance, trade, economy, natural resources, immigration, justice, energy, and interior functions, as well as national law enforcement, border control, counter-terrorism organizations, parliaments, senior government officials, and national telecommunications providers. Based on regional victimology and past campaigns, the group’s primary motive is strategic intelligence collection in support of state economic and geopolitical objectives, with a clear emphasis on countries that have established, or are exploring, certain economic partnerships relevant to the group’s sponsoring region.

Security Officer Comments:
TGR-STA-1030 uses a mix of phishing and the exploitation of known vulnerabilities in internet-facing government systems to gain initial access to organizational networks. Phishing lures commonly impersonate official government communications, such as ministry or departmental reorganization notices, and deliver region- and language-specific archives hosted on legitimate cloud services. These archives deploy a custom loader referred to as Diaoyu, which uses environmental checks and file-based dependencies to evade sandbox analysis before staging the deployment of follow-up payloads.

While TGR-STA-1030 has not been observed developing or testing any zero-day exploits, the group has commonly leveraged exploitation kits and proof-of-concept code for N-day vulnerabilities across enterprise and government software stacks, including Microsoft Exchange, SAP, Atlassian Crowd, OA and HR platforms, network appliances, and multiple web application frameworks.

TGR-STA-1030 employs a set of tools for post-compromise activity:
  • Cobalt Strike: post-exploitation framework used for command-and-control, beaconing and interactive access. TGR-STA-1030 commonly employed Cobalt Strike from 2024 to 2025 but has since transitioned to VShell as its tool of choice.
  • VShell: Go-based C2 framework increasingly favored by the group for persistent remote access and operational control.
  • Sliver, Havoc and SparkRat: additional post-exploitation frameworks used to support lateral movement, remote execution and fallback access.
  • Behinder, Godzilla and Neo-reGeorg web shells: deployed on compromised web servers to maintain persistent access and enable internal pivoting.
  • GOST, FRPS and IOX tunneling tools: used to tunnel traffic between compromised environments and external infrastructure, supporting covert lateral movement and data access.
  • ShadowGuard (custom eBPF Linux rootkit): used to hide processes and files directly at the kernel level and evade host-based detection on Linux systems.
A notable aspect of TGR-STA-1030 is its heavy reliance on commercial virtual private server (VPS) infrastructure to support command-and-control and staging operations. The group consistently hosts victim-facing C2 servers on well-known cloud and VPS providers, frequently in jurisdictions with strong rule of law such as the United States, the United Kingdom and Singapore, in order to blend malicious traffic with legitimate enterprise hosting and reduce suspicion during investigations. Access to these servers is further protected through multi-tier relay infrastructure and proxy services, including residential proxies and Tor, which separate operators from victim environments and complicate attribution, takedown and incident response efforts.

Suggested Corrections:
  • Enforce email security controls and user awareness focused on common social-engineering techniques and proactively block or closely inspect archive files and executable content delivered through cloud file-sharing services (e.g., MEGA).
  • Implement continuous scanning and rapid patching for known-exploited vulnerabilities in externally exposed services.
  • Proactively hunt for and remove web shells (Behinder, Godzilla and Neo-reGeorg) on internet-facing and internal web servers using file-integrity monitoring and known signature and behavior-based detections.
  • Monitor for and alert on the presence and execution of tunneling and proxy utilities such as GOST, FRPS and IOX, and restrict their use through application allow-listing where possible.
  • Baseline and alert on unusual outbound connections from servers to VPS providers and proxy infrastructure, especially high-numbered ephemeral ports and unexpected SSH or RDP sessions consistent with the group’s relay-based C2 architecture.
  • Deploy network and endpoint detections for C2 frameworks used by the actor (Cobalt Strike, VShell, Sliver, Havoc and SparkRat), including TLS fingerprinting, HTTP profile detection and anomaly-based beaconing analytics.
Link(s):
https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/