
Diaoyu Loader

Diaoyu Loader is a custom malware loader used in phishing-led intrusion chains that Palo Alto Networks Unit 42 attributes to the cyber-espionage cluster TGR-STA-1030, also referred to as UNC6619. It was delivered in ZIP archives hosted on MEGA and linked from phishing emails, alongside a zero-byte file named pic1.png that functions as part of its execution guardrail. Unit 42 reported that the executable's metadata showed an original name of DiaoYu.exe.

The loader uses dual-stage anti-analysis and environmental checks before proceeding. Reported guardrails include requiring a horizontal screen resolution of at least 1440 and verifying that pic1.png is present in the execution directory; if the file is absent, execution terminates. It also checks for specific security products by process name, including Avira (SentryEye.exe), Bitdefender (EPSecurityService.exe), Kaspersky (Avp.exe), SentinelOne (SentinelUI.exe), and Symantec/Norton (NortonSecurity.exe).

After passing these checks, Diaoyu Loader downloads additional files from a GitHub repository associated with padeqav/WordPress, including image files such as admin-bar-sprite.png, Linux.jpg, and Windows.jpg. Unit 42 reported that these images act as conduits for deploying a Cobalt Strike payload, which is the loader's end goal. The associated GitHub account was no longer available at the time of reporting.
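As an added example (not code from Unit 42, Mallory, or the report), the following hunt runs over constructed proxy log lines and looks for the download chain described above: a MEGA fetch from a host followed within a short window by image fetches from the padeqav/WordPress repository on raw.githubusercontent.com. The host names, timestamps, the mega.nz domain and the "main/" path segment are assumptions; only the repository name and the three image filenames come from the reporting.

```python
import re
from datetime import datetime, timedelta

# Constructed web-proxy log lines ("<utc timestamp> <host> <method> <url>").
# Hosts, timestamps and the "main/" path segment are made up; the repository name
# and the three image filenames are the ones given in the Unit 42 reporting.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z ws-17 GET https://mega.nz/file/EXAMPLE
2024-03-04T09:13:40Z ws-17 GET https://raw.githubusercontent.com/padeqav/WordPress/main/admin-bar-sprite.png
2024-03-04T09:13:41Z ws-17 GET https://raw.githubusercontent.com/padeqav/WordPress/main/Linux.jpg
2024-03-04T09:13:42Z ws-17 GET https://raw.githubusercontent.com/padeqav/WordPress/main/Windows.jpg
2024-03-04T10:00:00Z ws-22 GET https://raw.githubusercontent.com/someorg/tool/main/README.md
2024-03-05T11:30:00Z ws-09 GET https://mega.nz/file/EXAMPLE2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+\S+\s+(?P<url>\S+)$")
STAGE2_REPO = "raw.githubusercontent.com/padeqav/WordPress/"
STAGE2_FILES = {"admin-bar-sprite.png", "Linux.jpg", "Windows.jpg"}
MEGA_RE = re.compile(r"^https?://(?:www\.)?mega\.nz/")  # assumed MEGA download domain

def parse(log_text):
    """Return (timestamp, host, url) tuples in file order, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["host"], m["url"]))
    return events

def hunt(log_text, window=timedelta(minutes=30)):
    """Map host -> [(severity, description)]. Any padeqav/WordPress fetch is flagged
    ("high" for the three reported image names, "medium" for other paths); a MEGA
    download from the same host within `window` beforehand adds one "critical"
    finding for the full phishing -> loader -> stage-2 chain. MEGA alone is not flagged."""
    findings, last_mega, chained = {}, {}, set()
    for ts, host, url in sorted(parse(log_text)):
        if MEGA_RE.match(url):
            last_mega[host] = ts
        elif STAGE2_REPO in url:
            name = url.rsplit("/", 1)[-1]
            sev = "high" if name in STAGE2_FILES else "medium"
            findings.setdefault(host, []).append((sev, f"padeqav/WordPress fetch: {name}"))
            prior = last_mega.get(host)
            if prior is not None and ts - prior <= window and host not in chained:
                chained.add(host)  # report the chain once per host, on its first stage-2 fetch
                minutes = int((ts - prior).total_seconds() // 60)
                findings[host].append(("critical", f"MEGA download {minutes} min before stage-2 fetch"))
    return findings
```

In the sample, only ws-17 is reported: ws-22 fetched an unrelated repository and ws-09 only visited MEGA, which on its own is benign.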

Diaoyu Loader was observed in a broader espionage campaign active from at least January 2024 and publicly reported in February 2026. Unit 42 stated TGR-STA-1030 compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance against government infrastructure associated with 155 countries. Targeting focused primarily on government ministries and departments, including law enforcement, border control, finance, economic, trade, natural resources, diplomatic, and other critical infrastructure entities. In some cases, the actor maintained access for months and exfiltrated sensitive data from victim email servers and file shares, including financial negotiations, contracts, banking information, and military-related operational updates.

High-confidence indicators and artifacts directly associated with Diaoyu Loader in the reporting include the filenames pic1.png, admin-bar-sprite.png, Linux.jpg, Windows.jpg, the original executable name DiaoYu.exe, and GitHub/raw.githubusercontent[.]com infrastructure tied to padeqav/WordPress.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
TGR-STA-1030

“...These emails delivered a ZIP archive containing the Diaoyu Loader... The Diaoyu Loader is a custom malware that downloads additional payloads from a GitHub repository... deploying a Cobalt Strike payload.”

via rescana blog (rescana.com)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.002 Spearphishing Link (evidence: 1)

"Attack chains have been found to leverage phishing emails as a starting point to trick recipients into clicking on a link pointing to New Zealand-based file hosting service MEGA. The link hosts a ZIP archive..."

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“including images that serve as conduits for deploying a Cobalt Strike payload… (Defense Evasion)… T1027”

T1497 Virtualization/Sandbox Evasion (evidence: 1)

"The malware employs a dual-stage execution guardrail to thwart automated sandbox analysis... hardware requirement... and ... dependency check for a specific file (pic1.png)"

Discovery

2 techniques
T1497 Virtualization/Sandbox Evasion (evidence: 1)

"The malware employs a dual-stage execution guardrail to thwart automated sandbox analysis... hardware requirement... and ... dependency check for a specific file (pic1.png)"

T1518.001 Security Software Discovery (evidence: 1)

"the malware checks for the presence of specific cybersecurity programs from Avira... Bitdefender... Kaspersky... Sentinel One... and Symantec"

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 2)

"The end goal of the loader is to download three images ... from a GitHub repository ... which serve as a conduit for the deployment of a Cobalt Strike payload."

Other

1 technique
T1562 Impair Defenses (evidence: 1)

“The loader also scans for the presence of antivirus products before executing its payload… (Defense Evasion)… T1562”
