TGR-STA-1030
TGR-STA-1030 is a state-aligned cyber espionage group tracked by Palo Alto Networks Unit 42; Unit 42 also refers to its activity as the Shadow Campaigns and notes the actor as TGR-STA-1030/UNC6619 pending definitive attribution. Unit 42 assesses with high confidence that the group operates out of Asia, and multiple cited reports describe it as China-affiliated or aligned with Chinese regional interests, though the reporting also states that no specific government was publicly named in the final Unit 42 report. The group has been active since at least January 2024 and remained active through at least February 2026, with recent activity reportedly focused on Central and South America.

According to the provided reporting, TGR-STA-1030 compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance against government infrastructure associated with 155 countries. Victims included government ministries and departments, law enforcement and border control entities, ministries of finance, parliaments, diplomatic and trade-related bodies, telecommunications companies, and other critical infrastructure organizations. Reporting states the actor prioritizes strategic, economic, political, military, trade, diplomatic, and natural-resources intelligence collection.

Observed initial access methods include targeted phishing and exploitation of known vulnerabilities in public-facing applications; the content explicitly mentions Microsoft Exchange, SAP/SAP Solution Manager, Atlassian products, Microsoft OMI, Struts2, D-Link, Ruijieyi Networks, Commvault, Eyou Email System, Beijing Grandview Century eHR Software, Weaver Ecology-OA, and Zhiyuan OA. Unit 42 reported no evidence of zero-day development or use. Phishing activity included MEGA-hosted ZIP archives containing the Diaoyu Loader and a zero-byte file named pic1.png.

Diaoyu Loader used execution guardrails and anti-analysis checks, including screen-resolution requirements, dependency on pic1.png, and checks for security products such as Kaspersky, Avira, Bitdefender, SentinelOne, and Symantec/Norton. The loader retrieved staged content from GitHub and deployed Cobalt Strike. The group's tooling includes Cobalt Strike, VShell, Havoc, Sliver, and SparkRAT; web shells including Behinder, neo-reGeorg, and Godzilla; and tunneling tools including GOST, FRPS, and IOX. Unit 42 also identified a Linux eBPF rootkit named ShadowGuard, assessed as unique to this actor, which hides processes and files/directories including those named swsecret. Reporting states the actor maintained persistence in some victim environments for months and exfiltrated sensitive data from email servers and file shares, including financial negotiations, contracts, banking and account information, and military-related operational updates.
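The phishing lure described above (a ZIP carrying the loader next to a zero-byte pic1.png) lends itself to a simple mail-gateway or sandbox triage check. The following is an added example written for this page, not Unit 42's or Mallory's code; the pairing heuristic, the executable-extension list and the two in-memory fixture archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Decoy filename from the reporting; the executable suffixes are an assumed
# triage list, not a vendor signature.
DECOY_NAME = "pic1.png"
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".lnk", ".bat")


def triage_zip(data: bytes) -> dict:
    """Inspect one ZIP held in memory and return a triage verdict.

    Flags archives that contain a zero-byte pic1.png alongside an executable,
    the combination attributed to the Diaoyu Loader lures. The check reads
    only the central directory, so nothing from the archive is executed.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    zero_byte_decoy = any(
        i.filename.rsplit("/", 1)[-1].lower() == DECOY_NAME and i.file_size == 0
        for i in infos
    )
    executables = [
        i.filename for i in infos if i.filename.lower().endswith(EXEC_SUFFIXES)
    ]
    return {
        "zero_byte_decoy": zero_byte_decoy,
        "executables": executables,
        "suspicious": zero_byte_decoy and bool(executables),
    }


def build_sample_zip(entries: dict) -> bytes:
    """Build a constructed ZIP fixture in memory (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: a lure-shaped archive and a benign photo archive.
LURE_ZIP = build_sample_zip(
    {"report/update.exe": b"MZ\x90\x00placeholder", "report/pic1.png": b""}
)
BENIGN_ZIP = build_sample_zip(
    {"photos/pic1.png": b"\x89PNG\r\n\x1a\nplaceholder", "photos/notes.txt": b"hi"}
)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, triage_zip(blob))
```

A hit from this check is a triage signal for a sandbox run, not proof of the loader; a benign archive that happens to ship an empty pic1.png next to an installer would also match.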
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Utilities
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
30 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
14 malware families attributed to this actor across reporting.
9 additional families tracked in Mallory.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Threat group documented as breaching at least 70 government and critical infrastructure organizations across 37 countries; overlaps with NegativeGlimmer.
Active threat group conducting widespread operations across multiple countries, with recent activity heavily focused on Central and South America.
State-aligned cyberespionage activity cluster conducting broad reconnaissance and compromises of government and critical infrastructure across dozens of countries, with interest in economic partnerships and natural resources.
Named espionage campaign targeting government and critical infrastructure across many countries; attribution to China was discussed but not made by the cited vendor in this content; tooling noted aligns with prior China-nexus intrusions.