Mallory malware entry (used by 1 actor)

ShadowGuard

ShadowGuard is a custom Linux kernel rootkit used in the “Shadow Campaigns” cyber-espionage activity attributed by Palo Alto Networks Unit 42 to the Asia-based, state-aligned cluster tracked as TGR-STA-1030 (aka UNC6619). Unit 42 describes ShadowGuard as an Extended Berkeley Packet Filter (eBPF) rootkit/backdoor that operates in kernel space to provide stealth and evasion.

Capabilities and behavior (as described in the content):

  • Kernel-level eBPF rootkit for Linux systems.
  • Conceals process information by intercepting system calls, including hiding processes from standard tools (e.g., ps); reported ability to hide up to 32 PIDs.
  • Hides artifacts by concealing directories and files named “swsecret.”
  • Includes a mechanism allowing operators to define processes that should remain visible.
  • Checks for root privileges and for eBPF/tracepoint support before operating.
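As an added detection example (not code from the page, Unit 42 or the ShadowGuard authors): because ShadowGuard hides processes by intercepting the system calls behind tools such as ps, the hidden PIDs vanish from the /proc directory listing, and the Python below cross-checks that listing against direct lookups of every possible /proc/<pid> path, reporting any PID that answers a lookup but never appears in the listing. It assumes Linux with a standard procfs, and it only catches hooks that filter the directory listing, not a variant that also blocks per-PID path lookups.

```python
import os
from typing import Set

PROC = "/proc"


def listed_pids(proc: str = PROC) -> Set[int]:
    # PIDs as presented by the /proc directory listing, i.e. the getdents
    # result that a process-hiding rootkit filters to drop its own PIDs.
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_max(proc: str = PROC) -> int:
    # Upper bound of the PID space, so the probe covers every possible PID.
    with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
        return int(fh.read().strip())


def probed_pids(limit: int, proc: str = PROC) -> Set[int]:
    # Look up each /proc/<pid> directly. A hook that only filters the
    # directory listing still has to answer a path lookup for a live PID.
    found: Set[int] = set()
    for pid in range(1, limit + 1):
        if os.path.exists(os.path.join(proc, str(pid))):
            found.add(pid)
    return found


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    # A PID that answers a direct lookup but is missing from the listing is
    # either hidden or raced (it spawned between the two snapshots).
    return probed - listed


def scan(proc: str = PROC) -> Set[int]:
    # Take the listing on both sides of the probe: a PID absent from both
    # listings yet present in the probe is a stable discrepancy, not a race.
    before = listed_pids(proc)
    probed = probed_pids(pid_max(proc), proc)
    after = listed_pids(proc)
    return hidden_pids(before | after, probed)


if __name__ == "__main__":
    suspects = sorted(scan())
    print("hidden PID candidates:", suspects or "none")
```

Very short-lived processes can still surface as a candidate, so re-run the scan and treat only PIDs that persist across runs as worth investigating.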

Operational context:

  • Reported as previously undocumented and assessed by Unit 42 to be unique to TGR-STA-1030/UNC6619.
  • Used to hide malicious activity at the kernel level and evade detection by security tools during long-running espionage intrusions.

Associated indicator (from the content):

  • ShadowGuard SHA-256: 7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d.

Threat actors

Groups observed using it: 1 distinct threat actor attributed by public researchers.

  • TGR-STA-1030

Another tool of note is a Linux kernel rootkit codenamed ShadowGuard that utilizes the Extended Berkeley Packet Filter (eBPF) technology to conceal process information... and conceal directories and files named "swsecret."

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

  • T1190 Exploit Public-Facing Application (evidence: 1)
    "...exploited known vulnerabilities in Microsoft Exchange, SAP, and Atlassian products."
  • T1566 Phishing (evidence: 1)
    "The attackers utilized phishing emails..."

Stealth (5 techniques)

  • T1014 Rootkit (evidence: 5)
    "a Linux kernel rootkit codenamed ShadowGuard that utilizes the Extended Berkeley Packet Filter (eBPF) technology to conceal process information... intercept critical system calls... and conceal directories and files named 'swsecret.'"
  • T1564 Hide Artifacts (evidence: 1)
    "...hide malicious activity at the kernel level and evade detection by security tools."
  • T1564.001 Hidden Files and Directories (evidence: 1)
    "It can also hide from manual inspection files and directories named swsecret."
  • T1564.002 Hidden Users (evidence: 1)
    "ShadowGuard conceals malicious process information at the kernel level, hides up to 32 PIDs from standard Linux monitoring tools using syscall interception."
  • T1564.006 Run Virtual Instance (evidence: 1)
    "hide directories and files named 'swsecret.'"

Exfiltration (1 technique)

  • T1041 Exfiltration Over C2 Channel (evidence: 1)
    "Sensitive data... was exfiltrated from victim email servers."
