【CyCraft Monthly Intelligence】Kernel Shadows: High-Stealth Linux Threats Targeting Global Governments
Threat and Impact
The "Shadow Campaigns" represent a large-scale cyber espionage campaign launched by the threat actor TGR-STA-1030 (also known as UNC6619). Assessed with high confidence as a state-sponsored group, its operational base is located in Asia. Investigations by Unit 42 reveal that TGR-STA-1030 has been active since at least January 2024. Entering 2025, the group's attack volume has increased significantly alongside maturing technical capabilities and an expanding geographic reach.
Analyst Perspective
Across various regions, a common thread in these operations is that the targets and timing are closely synchronized with real-world geopolitical and economic events, such as elections, diplomatic summits, trade negotiations, and energy disputes. This further confirms that the campaign aims to support national interests, making the "Shadow Campaigns" particularly alarming for public sectors and critical infrastructure organizations: it is a professional, long-term, and strategically targeted threat rather than a series of random cybercrimes.
Incident Description
Over the past year, TGR-STA-1030 has evolved from isolated incidents into a persistent threat to governments and critical infrastructure worldwide. The campaign utilizes a combination of the following methods:
Spear Phishing of Government Personnel (early 2025): Highly persuasive decoys themed around "ministry/department reorganization" deliver malware via links to archives hosted on legitimate file-hosting platforms.
Opportunistic Exploitation of Known Vulnerabilities: Targets widely deployed, known vulnerabilities in enterprise and government technologies (no zero-days have been observed to date), giving attackers initial access at scale.
Long-Term Persistence: Dwell times often span several months. The attackers maintain control using common post-exploitation toolkits (C2 frameworks, web shells, and tunneling techniques). In at least one instance, the group used a Linux kernel-level eBPF Rootkit to achieve an extremely high degree of stealth.
The scope of this campaign is particularly staggering:
37 countries with at least 70 compromised organizations.
In just two months (November to December 2025), active reconnaissance was conducted against government infrastructure in 155 countries, indicating systematic intelligence gathering rather than random scanning.
This extensive coverage means that most public-sector organizations worldwide faced confirmed intrusion activity or targeted probing within a single year. Unpatched vulnerabilities and exposed services serve as the primary entry points; once an entry point is discovered, the risk of follow-on attacks and full compromise rises sharply.
Impacted Industries and Institutions
While government entities are the primary focus, the scope of victims extends to sectors that support national operations and strategic economic priorities, including:
Government ministries and agencies, particularly those related to:
internal affairs, foreign affairs, finance, and justice.
economy, trade, and immigration.
natural resources (mining and energy).
National security and law enforcement, including police, border control, and counter-terrorism units.
Critical infrastructure, including national telecommunications providers.
Strategically relevant private organizations, such as:
airlines.
microfinance and financial service providers.
power equipment suppliers involved in energy infrastructure projects.
Impact Assessment
As espionage is the core of this campaign, the most severe impacts are not immediate financial losses but rather strategic and operational damage, including:
National security exposure: Gaining access to law enforcement, border control, counter-terrorism, and parliamentary environments could lead to the exposure of sensitive operations, internal investigations, and decision-making processes.
Loss of diplomatic and policy intelligence: Targeting diplomatic, immigration, and trade agencies allows attackers to monitor negotiation progress, diplomatic stances, sanctions or tariff planning, and international partnerships.
Theft of economic and resource intelligence: A persistent focus on the mining, rare earth elements, and energy industries indicates an intent to steal contracts, investment plans, regulatory decisions, and supply chain strategies—information capable of shifting competitive advantages and geopolitical leverage.
Risks to essential services and public trust: Even if the attackers’ primary goal is "only" intelligence gathering, the compromise of telecommunications and critical infrastructure poses secondary risks to service availability, lawful interception systems, and overall national resilience.
Long-term persistence and re-infection risk: The ability of attackers to maintain access for months—and even regain entry after being disrupted—indicates that unless access paths and persistence mechanisms are thoroughly eradicated, victims face a cyclical threat of intrusion.
Technical Details
The Shadow Campaigns by TGR-STA-1030 utilize two primary intrusion vectors: spear-phishing and opportunistic exploitation of Internet-facing systems. Technically, the most significant differentiator is the use of ShadowGuard, a Linux eBPF kernel-level Rootkit that achieves stealth by manipulating information reported by the OS to User-space tools. Operationally, the threat actor invests heavily in multi-tier infrastructure—comprising victim-facing VPS units, relay points, and proxy layers—to complicate attribution and analysis.
Reconnaissance
Targeted global scanning: Between November and December 2025, attackers conducted active reconnaissance against government infrastructure in 155 countries. This is characterized by precise targeting of government networks rather than indiscriminate IPv4 scanning.
Event-driven probing: Scanning activity typically surges during geopolitical events. For example, a massive spike in scanning against Honduran government IP ranges occurred 30 days before their presidential election, and extensive probing of Venezuelan government IPs followed the capture of the Venezuelan president by U.S. forces.
Service-level probing beyond HTTP/S: Reconnaissance included SSH (Port 22) connection attempts against systems such as the Ministries of Finance in Australia and Afghanistan, and the Nepal Prime Minister's Office, indicating a high interest in direct remote management interfaces rather than web applications alone.
Resource Development
C2 and target domains: The actor registered numerous domains (primarily .me, .live, .help, and .tech, such as gouvn[.]me and zamstats[.]me) to support C2 and victim-facing operations.
VPS infrastructure in rule-of-law jurisdictions: Victim-facing C2 servers are frequently hosted via VPS providers in the U.S., UK, and Singapore to blend in with legitimate traffic and complicate legal enforcement.
Multi-tier access chain: The infrastructure utilizes relay VPS nodes (often using Port 22 SSH or high-range ports, and occasionally RDP/3389). These are accessed via proxy services like DataImpulse residential proxies and, more recently, Tor.
Operational footprints: A notable operational security error occurred when an X.509 certificate (CN: gouvn[.]me) appeared on a Tencent server within the actor's region before DNS pointed to that location, indicating background infrastructure staging.
Initial Access
Spear-phishing via MEGA (early 2025):
Email bait: Government recipients receive emails themed around "ministry/department reorganization."
Payload delivery: Links directed users to MEGA download pages containing localized ZIP files named after target ministries or nations.
ZIP content: Contains a malicious executable matching the bait theme and a 0-byte file named pic1.png (a prerequisite for execution).
Vulnerability exploitation:
The group exploits a wide range of known vulnerabilities in enterprise and government stacks (Exchange RCE, Struts2 OGNL RCE, SQLi, and OA platforms).
Use case: Exploitation of Atlassian Crowd (CVE-2019-11580) against e-passport/e-visa services to upload a payload named rce.jar for Remote Code Execution.
Execution
Diaoyu Loader execution: Victims who execute the malicious executable from the phishing email (original filename: DiaoYu.exe) trigger the loader's staged behavior.
The name "Diaoyu" is the Pinyin for “phishing/fishing,” which implies the potential geographic origin of the threat actor.
The compressed archive within the phishing email contains a 0-byte file named pic1.png alongside the malicious executable. Upon execution, the malware first checks whether the screen resolution is 1440p or higher and confirms the presence of the pic1.png file. This technique is designed to prevent the payload from executing malicious activities within analysis environments, as researchers might overlook the 0-byte pic1.png and submit only the executable for analysis.
Vulnerability-triggered execution: Remote code execution is achieved via uploaded payloads (e.g., rce.jar).
Post-exploitation tooling: Deployment of C2 frameworks (Cobalt Strike in early stages, migrating to VShell), Web Shells, and the ShadowGuard Rootkit in Linux environments.
Persistence
Web shells: Frequent deployment of Behinder, Neo-reGeorg, and Godzilla on external and internal web servers as resilient re-entry points.
Long-term C2 backdoors: VShell has become the preferred framework for persistence over Cobalt Strike.
Tunneling for connectivity: Tools like GOST, FRPS, and IOX maintain reliable paths into isolated networks, ensuring access remains even if perimeter defenses change.
Linux kernel-level stealth: ShadowGuard's kernel-space hiding functions prevent defenders from detecting or removing attacker processes/files, enabling long-term persistence.
Privilege Escalation
Vulnerability-driven elevation: Attempts are observed to exploit a privilege escalation vulnerability in SAP Solution Manager; no specific CVE or affected version has been identified.
Root-level operations on Linux: As ShadowGuard requires root privileges to operate in the kernel, the actor either obtains root access beforehand or utilizes escalation exploits. Privilege escalation details have not yet been identified in the current references.
Defense Evasion
Anti-sandbox/anti-analysis (Diaoyu Loader):
The loader employs dual execution checks to prevent triggering within automated environments:
Screen resolution check: Requires a horizontal resolution of 1440 pixels or higher.
File integrity/environmental check: The file pic1.png must be present in the execution directory.
If the executable is run in isolation (a common scenario in sandboxes), it terminates normally without exhibiting any malicious behavior.
Security product evasion: The loader checks for specific processes, including Avp.exe (Kaspersky), SentryEye.exe (Avira), EPSecurityService.exe (Bitdefender), SentinelUI.exe (SentinelOne), and NortonSecurity.exe (Symantec). According to related reports, the list is unexpectedly short, and the underlying cause has not been determined.
Obfuscation and stealth tools
Godzilla Web shell obfuscation: Attackers occasionally employ Tas9er code obfuscation (e.g., modifying functions and strings) on the Godzilla Web shell to circumvent signature-based detection.
Kernel-level evasion (ShadowGuard): ShadowGuard is an eBPF Rootkit that operates within a BPF virtual machine (rather than as a traditional loadable kernel module). This allows it to tamper with data observed by user-space monitoring tools, effectively hiding malicious activities.
Infrastructure evasion: The attacker conceals their origin through a multi-tiered flow: “Proxy → Relay Node → Victim-facing VPS.” Direct connections occasionally originating from AS9808 (detected when tunnels fail) expose their regional affiliation.
Collection
While the collection details mentioned in the report are relatively high-level, consistent themes include:
Immigration and economic intelligence (e.g., Malaysian ministries).
Trade and international policy intelligence (e.g., Mexican ministries, Thai government departments).
International development/finance intelligence (e.g., European Finance Ministry and EU-related interests).
Project documentation: Specifically files related to power generation projects from a Taiwanese power equipment supplier.
Command and Control (C2)
C2 architecture evolution:
2024 to early 2025: Frequent deployment of Cobalt Strike (including payloads delivered by the Diaoyu Loader).
Later transition: A shift in preference toward VShell, a Go-based tool typically exposed through sequential 5-digit ephemeral TCP ports.
Other observed frameworks: Havoc, SparkRat, and Sliver.
Web shells as alternative C2: Behinder, Neo-reGeorg, and Godzilla are utilized to provide command execution channels via Web servers.
Tunneled C2 traffic: GOST, FRPS, and IOX are employed to tunnel C2 and operator traffic across various infrastructure layers and within the victim's internal network.
Domain-based C2: Attacker-controlled domains point to victim-facing VPS nodes to manage beacons and maintain remote access.
Mitigation
Effective defense against the Shadow Campaigns requires a multi-layered approach centered on reducing exposure, securing emails and web entry points, and enhancing Detection and Response (EDR/XDR) capabilities, especially on Internet-facing government services.
1. Immediate Damage Control and Scoping (If Compromise is Suspected)
Utilize published Indicators of Compromise (IoCs), including domains, IPs, and hashes, to conduct proactive hunting across the following environments:
DNS/Proxy logs: Inspect for queries to blacklisted domains or file download activities from paths involving mega[.]nz and raw.githubusercontent[.]com.
Firewall/netflow: Check for connections to suspicious VPS hosts and abnormal high-range ports.
Endpoint telemetry: Cross-reference SHA-256 hashes for phishing loaders, Cobalt Strike, ShadowGuard, and Crowd exploitation samples.
Isolation and forensics: Isolate affected systems, specifically public web and email servers, and preserve evidence for forensic investigation.
Incident Response (IR) support: Seek specialized IR assistance (Unit 42 has already begun notifying and assisting affected entities).
Most impacted services/settings: SOC logging and retention periods, DNS/Proxy visibility, and server-side telemetry coverage (beyond just user workstations).
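The DNS/proxy hunt in the list above can be automated over existing access logs. The script below is an added example, not CyCraft's or Unit 42's tooling: it parses Squid native-format access-log lines (the sample lines are constructed), flags downloads from and TLS tunnels to the file-hosting platforms the report names (mega[.]nz and raw.githubusercontent[.]com), and flags any contact with a blocklisted domain. BLOCKLISTED_DOMAINS holds a placeholder value only; the published IoC domains go there.

```python
"""Hunt proxy logs for the payload-delivery pattern described in step 1.

Added example, not tooling from the report. Squid native access-log
format is assumed; the sample lines, clients and peers are constructed.
"""
import re
from urllib.parse import urlparse

DELIVERY_HOSTS = {"mega.nz", "raw.githubusercontent.com"}  # named in the report
BLOCKLISTED_DOMAINS = {"example-c2.invalid"}  # placeholder, not a real IoC
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/octet-stream"}
PAYLOAD_SUFFIXES = (".zip", ".exe", ".jar")

# Squid native log: time elapsed client result/status bytes method url
#                   user hierarchy/peer content-type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$")


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Hostname of a request; CONNECT tunnels are logged as host:port."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def is_blocklisted(host):
    """Exact or subdomain match against the blocklist."""
    return any(host == d or host.endswith("." + d) for d in BLOCKLISTED_DOMAINS)


def hunt(lines):
    """Return (reason, client, url) findings in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        path = rec["url"].lower().split("#")[0]
        if is_blocklisted(host):
            findings.append(("blocklisted-domain", rec["client"], rec["url"]))
        elif host in DELIVERY_HOSTS:
            if rec["method"] == "CONNECT":
                # TLS tunnel: the path is invisible, only the host is known
                findings.append(("file-hosting-tunnel", rec["client"], rec["url"]))
            elif rec["ctype"] in ARCHIVE_TYPES or path.endswith(PAYLOAD_SUFFIXES):
                findings.append(("file-hosting-download", rec["client"], rec["url"]))
    return findings


# Constructed sample: five requests from three internal clients.
SAMPLE_LOG = """\
1700000000.100   245 10.0.0.5 TCP_MISS/200 84512 GET https://mega.nz/file/AbCdEf#key - HIER_DIRECT/203.0.113.10 application/zip
1700000001.200    12 10.0.0.5 TCP_MISS/200 1200 GET https://raw.githubusercontent.com/user/repo/main/loader.exe - HIER_DIRECT/203.0.113.11 application/octet-stream
1700000002.300  3000 10.0.0.7 TCP_TUNNEL/200 9000 CONNECT mega.nz:443 - HIER_DIRECT/203.0.113.10 -
1700000003.400    30 10.0.0.9 TCP_MISS/200 5000 GET https://www.example.com/index.html - HIER_DIRECT/203.0.113.12 text/html
1700000004.500    30 10.0.0.9 TCP_MISS/200 5000 GET http://beacon.example-c2.invalid/ping - HIER_DIRECT/203.0.113.13 text/plain
"""

if __name__ == "__main__":
    for reason, client, url in hunt(SAMPLE_LOG.splitlines()):
        print(f"{reason:24} {client:12} {url}")
```

A CONNECT to a file-hosting platform only proves that a TLS session was opened, so the "file-hosting-tunnel" finding is a lead to correlate with endpoint telemetry (a ZIP landing in Downloads shortly after), not a verdict on its own.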
2. Neutralize Phishing: Email and Web Controls
Initial access in this campaign relies on luring recipients to download ZIP archives hosted on mega[.]nz containing executables (EXEs) with localized filenames.
Preventive measures:
Filtering: Enhance URL and DNS filtering to block known malicious domains and suspicious file-hosting platform patterns used for payload delivery.
Attachment handling: Detonate and analyze archives and attachments in a sandbox environment; block or alert on ZIP files containing executables (a hallmark of this campaign).
Establish clear out-of-band verification procedures for messages regarding "Ministry Reorganization" or personnel changes.
Most impacted services/settings: Secure Email Gateway (SEG) policies, Web Proxy rules (e.g., restricted access to mega[.]nz), DNS Security, and sandbox detonation configurations.
3. Patch and Harden External Applications (Highest Priority)
Because the actor explicitly exploits known vulnerabilities, patch management and attack surface reduction offer the highest ROI for defensive control.
Preventive measures:
Prioritize updates for internet-facing systems, specifically products identified in the report (Microsoft Exchange, Atlassian Crowd, SAP Solution Manager, Struts2, Spring components, and various Network/IT appliances).
Regularly scan public IP ranges to identify vulnerable software versions and exposure points.
Remove or update "forgotten" services such as legacy portals and management interfaces.
Specific hardening:
Ensure CVE-2019-11580 (Atlassian Crowd) is patched and monitor upload paths for anomalies like rce.jar.
Most impacted services/settings: Patching SLAs, Change Management, External Scanning, WAF/IPS virtual patching posture, and ownership of public-facing services (e.g., e-Visa/Passport portals).
4. Minimize Administrative Exposure and Enforce Strong Authentication
Attacker reconnaissance includes probing SSH (Port 22) and utilizing relays configured with SSH or RDP (3389).
Preventive measures:
Remove SSH/RDP and management interfaces from the public internet. Access should be restricted via VPNs, Bastion Hosts, or dedicated management networks.
Mandatory Multi-Factor Authentication (MFA) for all remote management and privileged access.
Implement network segmentation to prevent lateral movement into sensitive internal networks if a front-end server (e.g., a web portal) is compromised.
Most impacted services/settings: Firewall rules, Remote Access Architecture, Privileged Access Management (PAM), and DMZ-to-Internal isolation.
5. Detect and Disrupt Post-Intrusion Tooling (Web Shells, Tunnels, C2)
TGR-STA-1030 frequently utilizes Web Shells (Behinder, Neo-reGeorg, Godzilla), tunneling tools (GOST, FRPS, IOX), and C2 frameworks (Cobalt Strike, and later VShell).
Preventive measures:
Monitor Web server and WAF: Alert on abnormal file writes to web roots, suspicious new endpoints, and the unique POST patterns characteristic of Web Shells.
Egress Controls:
Strictly limit outbound connections from servers (especially in the DMZ) to only essential traffic.
Alert or block unexpected tunneling behavior and abnormal outbound destinations.
Network Detection:
Monitor for new services listening on sequential 5-digit high ports (a signature of VShell).
Detect known C2 infrastructure and block malicious infrastructure.
Most impacted services/settings: WAF rules, File Integrity Monitoring (FIM), Outbound Firewall Whitelists, IDS/IPS signatures, and NDR/Netflow analysis.
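The network-detection item about sequential 5-digit listening ports can be turned into a host check. The following is an added example, not tooling from the report: it parses `ss -ltnp` output (the sample below is constructed, including the "vsagent" process name and the port numbers), reports listeners absent from a known baseline, and groups high ports into runs of consecutive numbers. The minimum run length of three is an assumption chosen to cut noise from single ephemeral listeners.

```python
"""Flag new listeners on runs of sequential 5-digit TCP ports.

Added example, not tooling from the report. Reads the text output of
`ss -ltnp`; the sample output, process names and ports are constructed.
"""
import re

HIGH_PORT_MIN = 10000   # 5-digit ports start here
MIN_RUN = 3             # consecutive ports needed to report a run (assumption)

PORT_RE = re.compile(r":(\d+)$")
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Return {port: (process_name, pid)} from `ss -ltnp` text."""
    listeners = {}
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                      # header or non-listening socket
        m = PORT_RE.search(cols[3])       # Local Address:Port column
        if not m:
            continue
        proc = PROC_RE.search(line)       # absent without -p or without privilege
        listeners[int(m.group(1))] = (
            (proc.group(1), int(proc.group(2))) if proc else (None, None))
    return listeners


def sequential_runs(ports, minimum=HIGH_PORT_MIN, min_run=MIN_RUN):
    """Group sorted high ports into runs of consecutive numbers."""
    runs, current = [], []
    for p in sorted(p for p in ports if p >= minimum):
        if current and p == current[-1] + 1:
            current.append(p)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [p]
    if len(current) >= min_run:
        runs.append(current)
    return runs


def assess(output, baseline_ports):
    """Compare a listener snapshot with a baseline and look for port runs."""
    listeners = parse_ss(output)
    new_ports = sorted(set(listeners) - set(baseline_ports))
    findings = []
    for run in sequential_runs(listeners):
        owners = {listeners[p][0] for p in run}
        findings.append({"ports": run,
                         "processes": sorted(o for o in owners if o)})
    return {"new_ports": new_ports, "sequential_runs": findings}


# Constructed snapshot: three consecutive high ports owned by one process.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=990,fd=6))
LISTEN 0      4096   *:41325            *:*               users:(("vsagent",pid=4242,fd=3))
LISTEN 0      4096   *:41326            *:*               users:(("vsagent",pid=4242,fd=4))
LISTEN 0      4096   *:41327            *:*               users:(("vsagent",pid=4242,fd=5))
LISTEN 0      128    [::]:5432          [::]:*            users:(("postgres",pid=1201,fd=7))
"""
BASELINE_PORTS = {22, 443, 5432}   # taken from a known-good build of the host

if __name__ == "__main__":
    print(assess(SAMPLE_SS, BASELINE_PORTS))
```

Run it from a scheduled job that captures `ss -ltnp` and feeds the text to `assess`; the baseline should come from a clean build of the same role, since a legitimate service that opens a port block (some database or messaging clusters do) will otherwise show up on every run.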
6. Harden Linux Against Kernel-Level Stealth (ShadowGuard eBPF Rootkit)
ShadowGuard is an eBPF-based Linux kernel Rootkit designed to hide processes and files (specifically those containing the string swsecret). It utilizes unconventional kill signals (-900/-901) as a Command and Control (C2) mechanism. Because eBPF Rootkits operate within the kernel space, traditional User-space monitoring tools may be rendered ineffective.
Preventive measures:
Strictly limit and monitor entities capable of gaining Root privileges on Linux servers.
Implement monitoring for abnormal eBPF program activity and Tracepoint calls.
Hunt for Tradecraft Indicators:
Inspect for the creation or use of files/directories named swsecret*.
Monitor centralized logs for the use of negative signal values (e.g., -900, -901) in kill commands, which are difficult to tamper with remotely if logged centrally.
Most impacted services/settings: Linux Hardening Baselines, Privileged Access, Kernel/Audit Telemetry, and Centralized Logging Architecture.
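The three tradecraft indicators in this section (negative kill signals, swsecret file names, and abnormal eBPF program activity) can be hunted from centrally collected auditd records and a periodic `bpftool prog show -j` inventory. The script below is an added example, not tooling from the report or from CyCraft. It assumes x86_64 syscall numbers (kill=62, tkill=200, tgkill=234) for the SYSCALL records, and treats the hex argument values auditd prints as raw register contents that may hold a 32-bit or a sign-extended 64-bit negative number. All sample records, PIDs, paths, program names and tags are constructed.

```python
"""Hunt for the ShadowGuard tradecraft indicators named in this section.

Added example, not tooling from the report. Inputs: Linux auditd records
(type=EXECVE, SYSCALL, PATH) and the JSON from `bpftool prog show -j`.
x86_64 syscall numbers are assumed; all sample data is constructed.
"""
import json
import re

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KILL_SYSCALLS_X86_64 = {"62", "200", "234"}        # kill, tkill, tgkill
TRACING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing",
                 "lsm", "perf_event"}              # program types that hook the kernel


def parse_audit(line):
    """Split one auditd record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def signed_from_hex(value):
    """auditd prints syscall args as raw register hex. Recover a negative
    signal whether it was passed as a 32-bit int or a 64-bit long."""
    n = int(value, 16)
    if n >= 1 << 63:
        return n - (1 << 64)
    if 1 << 31 <= n < 1 << 32:
        return n - (1 << 32)
    return n


def unusual_kill_signals(lines):
    """(audit id, signal) for kill invocations whose signal lies outside 1..64,
    from EXECVE argv ("kill -900 <pid>") and from raw kill-family SYSCALLs."""
    hits = []
    for line in lines:
        rec = parse_audit(line)
        audit_id = rec.get("msg", "")
        if rec.get("type") == "EXECVE" and rec.get("a0", "").rsplit("/", 1)[-1] == "kill":
            for i in range(1, int(rec.get("argc", "0"))):
                arg = rec.get(f"a{i}", "")
                # "-9" is ordinary kill syntax; "-900" is not a valid signal
                if re.fullmatch(r"-\d+", arg) and int(arg) < -64:
                    hits.append((audit_id, int(arg)))
        elif (rec.get("type") == "SYSCALL" and rec.get("arch") == "c000003e"
              and rec.get("syscall") in KILL_SYSCALLS_X86_64):
            # signal is a1 for kill/tkill and a2 for tgkill
            sig = signed_from_hex(rec["a2" if rec["syscall"] == "234" else "a1"])
            if sig < 0 or sig > 64:
                hits.append((audit_id, sig))
    return hits


def swsecret_paths(lines):
    """PATH record names containing the string the rootkit hides on."""
    hits = set()
    for line in lines:
        rec = parse_audit(line)
        if rec.get("type") == "PATH" and "swsecret" in rec.get("name", ""):
            hits.add(rec["name"])
    return sorted(hits)


def new_tracing_programs(bpftool_json, baseline_tags):
    """Kernel-hooking eBPF programs whose instruction tag was not seen on a
    known-good host. Tags hash the program text, so they survive reboots
    while program ids do not."""
    return [p for p in json.loads(bpftool_json)
            if p.get("type") in TRACING_TYPES and p.get("tag") not in baseline_tags]


# Constructed auditd records (EXECVE, SYSCALL and PATH types).
SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="kill" a1="-900" a2="4242"
type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="kill" a1="-9" a2="3131"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=62 success=yes exit=0 a0=1092 a1=fffffc7b a2=0 a3=0 pid=5000 uid=0 comm="agent" exe="/tmp/.x/agent"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=62 success=yes exit=0 a0=c3b a1=f a2=0 a3=0 pid=5001 uid=1000 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1700000000.105:205): item=1 name="/tmp/swsecret_cfg" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0
type=PATH msg=audit(1700000000.106:206): item=0 name="/etc/hosts" inode=2 dev=fd:01 mode=0100644 ouid=0 ogid=0
"""

# Constructed `bpftool prog show -j` output; tags and names are invented.
SAMPLE_BPFTOOL = json.dumps([
    {"id": 3, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "1111111111111111",
     "loaded_at": 1700000000, "uid": 0},
    {"id": 87, "type": "tracepoint", "name": "hide_getdents", "tag": "2222222222222222",
     "loaded_at": 1700000900, "uid": 0},
])
BASELINE_TAGS = {"1111111111111111"}   # collected from a clean host of the same build

if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print("kill signals:", unusual_kill_signals(lines))
    print("swsecret paths:", swsecret_paths(lines))
    print("new eBPF programs:", [p["name"] for p in new_tracing_programs(SAMPLE_BPFTOOL, BASELINE_TAGS)])
```

The SYSCALL path matters more than the EXECVE path: a backdoor that signals the rootkit through kill(2) directly never produces a "kill -900" command line, but an audit rule on the kill syscall (for example `-a always,exit -F arch=b64 -S kill,tkill,tgkill`) still records the raw signal argument. Forward the records off-host as the section recommends, since a kernel-level rootkit can hide them from local tools but not from a log already shipped.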
7. Implement Intelligence Sharing and Layered Security
Regularly integrate IoCs into SIEM/SOAR, DNS, Proxy, Firewall, and EDR blocklists.
Utilize a multi-layered defense covering web, DNS, network vulnerability protection, and endpoint behavior to reduce dependency on any single control point, especially as attacker infrastructure rotates.
Most impacted services/settings: Threat Intelligence Platforms (TIP), SIEM/SOAR automation, Blocklist Management, and Cross-Industry Collective Defense workflows.
CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.