JackMa and ShadowGuard Linux Rootkit Campaign Spies on 37 Nations

By Azhar Khan
A sweeping cyber-espionage operation attributed to a state-aligned threat group tracked as TGR-STA-1030 has quietly penetrated government and critical infrastructure networks across at least 37 countries. The campaign, uncovered by security researchers and linked to an Asia-based operator, combines sophisticated social engineering with rare Linux kernel-level malware to maintain long-term, covert access.

The operation has compromised a minimum of 70 organizations, many of them high-value targets such as finance ministries, election oversight bodies, law enforcement agencies, and operators of national infrastructure.

A Coordinated Global Espionage Effort

Researchers associate the activity with the cluster Unit 42 tracks as UNC6619 and describe it as a highly disciplined espionage group with clear geopolitical objectives. Intrusions were not random. Attack timing frequently aligned with elections, diplomatic negotiations, and moments of regional tension, suggesting intelligence collection rather than financial gain.

Victim organizations were spread across multiple continents, indicating a campaign designed for strategic reach rather than regional disruption.

Initial Access Through Targeted Phishing

Initial compromise typically began with carefully crafted phishing emails sent to government employees and contractors. These messages delivered malicious compressed archives hosted on legitimate cloud platforms, including mega.nz, helping the attackers bypass basic reputation-based filtering.

Once opened, the archives executed a loader designed to appear benign while quietly preparing the system for deeper compromise.

Diaoyu Loader and Sandbox Evasion

The first-stage malware, referred to as Diaoyu Loader, demonstrated advanced sandbox evasion. It deliberately referenced a missing auxiliary file, causing execution to fail in automated analysis environments while continuing normally on real victim systems.

This tactic significantly reduced early detection and allowed the attackers to reserve their more advanced tools for confirmed, high-value targets.

ShadowGuard eBPF Linux Rootkit

The most concerning element of the campaign is ShadowGuard, a kernel-level Linux rootkit built using extended Berkeley Packet Filter technology. Unlike traditional kernel rootkits, ShadowGuard leverages legitimate eBPF capabilities to hide malicious activity without modifying kernel code directly.

The rootkit conceals processes, files, and network connections, effectively blinding administrators and security tools. By operating at this level, attackers gain near-total visibility into system activity while remaining almost invisible themselves.

Long-Term Persistence and Intelligence Collection

Once deployed, ShadowGuard enables persistent access for months or longer. Researchers observed compromised systems maintaining active command channels while showing no obvious signs of infection to routine monitoring tools.

Data collected during the intrusions included internal documents, authentication material, and network topology information. In government environments, such intelligence can provide insight into policy planning, election logistics, and inter-agency communications.

Operational Clues Point to Asia-Based Operator

While attribution remains cautious, several indicators suggest an Asia-based threat actor. These include language artifacts in tooling, region-specific development environments, and operational patterns consistent with previously documented campaigns.

The use of the alias JackMa in tooling and infrastructure references has also drawn attention, though researchers stress this should not be confused with any legitimate individual or company.

Why Linux Remains a High-Value Target

The campaign highlights the growing focus on Linux systems, particularly those running government services, databases, and infrastructure management platforms. Linux environments are often assumed to be more secure, leading to weaker monitoring and slower incident response.

Attackers increasingly exploit this confidence gap, investing in specialized malware that defenders are less prepared to detect.

Defensive Challenges Ahead

Detecting kernel-level eBPF abuse remains difficult, even for mature security teams. Traditional endpoint tools may fail to see hidden processes or manipulated telemetry, allowing attackers to persist undetected.

Security teams are being urged to strengthen behavioral monitoring, validate kernel integrity, and closely inspect outbound traffic patterns, especially from systems that appear otherwise healthy.
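Two host-side checks a defender can run against the kind of eBPF process hiding described above, written here as an added illustration rather than the researchers' or any vendor's tooling. It assumes the JSON layout of `bpftool prog show -j` (fields id, type, pids[].comm) and that a rootkit which filters directory listings of /proc still leaves /proc/<pid> itself reachable; the allowlist and sample data are constructed.

```python
"""Audit loaded eBPF programs and cross-check the process list (added example)."""
import json
import os
from typing import Callable, Iterable, List, Set

# Program types able to intercept syscalls or tracing events; anything of these
# types that was not loaded by a known agent deserves a closer look.
HOOK_TYPES = {"kprobe", "tracepoint", "tracing", "lsm"}
# Constructed allowlist of process names expected to load tracing programs.
KNOWN_LOADERS = {"falco", "tetragon", "systemd"}


def suspicious_ebpf_programs(bpftool_json: str, allowed: Set[str] = KNOWN_LOADERS) -> List[int]:
    """Return ids of hook-capable programs not owned by an allowed process."""
    flagged = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOK_TYPES:
            continue
        loaders = {p.get("comm") for p in prog.get("pids", [])}
        # A hook with no live owner (pinned or orphaned) is just as interesting.
        if not loaders or not loaders <= allowed:
            flagged.append(prog["id"])
    return flagged


def hidden_pids(listed: Iterable[int], probe: Callable[[int], bool], max_pid: int = 32768) -> Set[int]:
    """Cross-view check: PIDs missing from the directory listing that still
    answer a direct probe are being hidden from the listing."""
    seen = set(listed)
    return {pid for pid in range(1, max_pid + 1) if pid not in seen and probe(pid)}


def proc_listing() -> Set[int]:
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def proc_probe(pid: int) -> bool:
    return os.path.exists(f"/proc/{pid}/status")


if __name__ == "__main__":
    # Constructed sample: one Falco probe, one kprobe with an unexpected owner,
    # one harmless XDP program.
    sample = json.dumps([
        {"id": 12, "type": "kprobe", "name": "sys_enter", "pids": [{"pid": 900, "comm": "falco"}]},
        {"id": 47, "type": "kprobe", "name": "tp_hook", "pids": [{"pid": 4242, "comm": "kworker"}]},
        {"id": 51, "type": "xdp", "name": "fwd", "pids": [{"pid": 300, "comm": "cilium"}]},
    ])
    print("suspicious eBPF program ids:", suspicious_ebpf_programs(sample))
    print("hidden pids:", sorted(hidden_pids(proc_listing(), proc_probe)))
```

On a live host, replace the constructed sample with the real output of `bpftool prog show -j`; the cross-view check needs root to see every /proc/<pid>/status entry.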

A Quiet but Strategic Threat

The JackMa and ShadowGuard campaign represents a shift toward quieter, more durable cyber-espionage operations. Rather than causing disruption, the attackers focused on remaining invisible while harvesting intelligence across dozens of nations.

For governments and critical infrastructure operators, the incident is a reminder that some of the most damaging cyber threats are the ones that leave no immediate trace at all.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.