A massive, state-aligned cyber espionage campaign has infiltrated government networks across 37 countries, targeting ministries of finance, law enforcement and critical infrastructure, according to Unit 42 in a new report. The operations of TGR-STA-1030 (also known as UNC6619) have compromised at least 70 organisations worldwide over the past year, with activity timed to geopolitical events and regional economic interests in Africa, Europe and the Americas.
The attackers’ entry point is sophisticated phishing, and the malware, dubbed Diaoyu Loader, employs evasion tactics to frustrate automated analysis. Once inside, the group deployed a never-before-seen Linux rootkit named ShadowGuard that operates at the kernel level using eBPF technology, concealing specified PIDs from standard user-space tools.
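The PID-hiding behaviour attributed to ShadowGuard above is a generic rootkit technique, whether implemented with an eBPF program or a classic kernel module: the directory-listing syscalls that user-space tools rely on are filtered so that chosen PIDs never appear. A defender-side cross-check that this article does not include, and that is not code from Unit 42 or from the report, is shown below as an added example. It assumes a Linux host with /proc mounted and relies on the fact that a PID filtered out of a directory listing is often still reachable when its /proc/<pid> path is opened by name; the function and file names are this example's own. It is a generic consistency check, not a detector for this specific rootkit.

```python
"""
Added example (not from the Unit 42 report or the article): a generic
cross-check for processes hidden from directory listings of /proc.

Rootkits that filter getdents()/getdents64() results remove chosen PIDs
from what `ps`, `ls /proc` and similar tools see. The /proc/<pid> entry
usually still resolves when addressed by name, so a PID that answers a
direct stat() but is absent from the listing is a candidate hidden process.
Assumptions: Linux, /proc mounted. Root is not required for the comparison,
but unprivileged runs see fewer details of other users' processes.
"""
import os
from typing import Iterable, Set


def listed_pids(proc: str = "/proc") -> Set[int]:
    """PIDs visible through a directory listing, the view user-space tools use."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def reachable_pids(max_pid: int, proc: str = "/proc") -> Set[int]:
    """PIDs whose /proc/<pid> entry resolves when addressed by name, not by listing."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"{proc}/{pid}")
            found.add(pid)
        except FileNotFoundError:
            continue
        except PermissionError:
            found.add(pid)  # exists but access is restricted; still a live PID
    return found


def hidden_pids(listed: Iterable[int], reachable: Iterable[int]) -> Set[int]:
    """Pure comparison: PIDs reachable by name but missing from the listing."""
    return set(reachable) - set(listed)


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound for the brute-force probe; falls back to the historical default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def scan(proc: str = "/proc") -> Set[int]:
    """Run both enumerations and re-check candidates to filter out races.

    A process that starts or exits between the two enumerations produces a
    one-off mismatch; a PID is only reported if it still resolves by name and
    is still absent from a fresh listing.
    """
    listed = listed_pids(proc)
    reachable = reachable_pids(read_pid_max(), proc)
    candidates = hidden_pids(listed, reachable)
    fresh = listed_pids(proc)
    return {pid for pid in candidates
            if os.path.exists(f"{proc}/{pid}") and pid not in fresh}


if __name__ == "__main__":
    hidden = scan()
    print("hidden PID candidates:", sorted(hidden) if hidden else "none")
```

Probing every PID up to pid_max (often 4194304 on modern kernels) takes a few seconds in Python, which is acceptable for a one-off host check but not for a tight monitoring loop. A rootkit that also intercepts path lookup rather than only directory listing will not show up here, so pair this with an inventory of loaded eBPF programs and attachment points (for example, `bpftool prog list`) and with an out-of-band view such as a memory image or agent telemetry that does not depend on the compromised host's syscalls.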
The report notes that one of the attackers uses the handle “JackMa,” potentially referring to a prominent Alibaba co‑founder, and that the campaign remains an active threat to government and critical infrastructure worldwide.