Diaoyu
Diaoyu (original filename observed: "DiaoYu.exe") is a custom malware loader used in the global espionage activity that Palo Alto Networks Unit 42 reported under the name "Shadow Campaigns," attributed with high confidence to an Asia-based state-sponsored actor tracked as TGR-STA-1030/UNC6619 (CISA also tracks TGR-STA-1030). Diaoyu has been delivered via tailored phishing: emails to government officials linked to malicious archives hosted on mega[.]nz, and those archives contained the loader together with a zero-byte PNG named pic1.png. Unit 42 also reported that the broader campaign used exploitation of at least 15 known vulnerabilities (including in SAP Solution Manager, Microsoft Exchange Server, D-Link, Microsoft Windows, and Atlassian products) for initial access.
Behavior/capabilities described by Unit 42 include multiple evasion checks: requiring a horizontal screen resolution of at least 1440; checking for the presence of pic1.png as a file-based integrity check; and checking for running processes associated with Kaspersky, Avira, Bitdefender, SentinelOne, and Symantec/Norton. Under certain conditions, Diaoyu can fetch and deploy Cobalt Strike payloads and the VShell framework for command-and-control (C2).
The associated operations primarily targeted government and critical infrastructure organizations globally (Unit 42 confirmed at least 70 compromises across 37 countries, with additional reconnaissance targeting government entities connected to 155 countries), including ministries and agencies spanning law enforcement/border control, finance/trade, energy/mining, immigration, and diplomatic functions. No specific Diaoyu network indicators (e.g., hashes, C2 IPs/domains) were provided in the source reporting beyond the mega[.]nz hosting and the referenced decoy/marker file name pic1.png.
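The execution gates described above (screen width of at least 1440, a zero-byte pic1.png marker, and no named security product running) are worth turning into a defender-side helper: one to confirm an analysis VM would let the sample proceed rather than bail out, and one to hunt a file tree for the marker file. This is an added example, not code from the page or from Unit 42; the process-name substrings in AV_HINTS are assumptions, since the report names vendors but not the process names the loader matches on.

```python
"""Defender-side helper for the Diaoyu loader's published execution gates:
verify an analysis VM would pass them, and hunt for the pic1.png marker."""
from pathlib import Path
from typing import Iterable, Iterator

MIN_HORIZONTAL_RES = 1440   # loader requires screen width >= 1440 (Unit 42)
MARKER_NAME = "pic1.png"    # zero-byte PNG shipped alongside the loader
MARKER_SIZE = 0

# Vendors the loader checks for. The report gives no process names, so these
# lowercase substrings are an assumption used only for matching.
AV_HINTS = {
    "Kaspersky": ("avp", "kaspersky"),
    "Avira": ("avira", "avgnt"),
    "Bitdefender": ("bdagent", "bitdefender"),
    "SentinelOne": ("sentinelagent", "sentinelone"),
    "Symantec/Norton": ("ccsvchst", "symantec", "norton"),
}

def detected_av(processes: Iterable[str]) -> list[str]:
    """Vendors whose hint substring appears in any running process name."""
    names = [p.lower() for p in processes]
    return [v for v, hints in AV_HINTS.items()
            if any(h in n for n in names for h in hints)]

def marker_present(entries: Iterable[tuple[str, int]]) -> bool:
    """True if any (path, size) entry is a zero-byte file named pic1.png."""
    return any(Path(p).name.lower() == MARKER_NAME and s == MARKER_SIZE
               for p, s in entries)

def gate_report(width: int, entries: Iterable[tuple[str, int]],
                processes: Iterable[str]) -> dict[str, bool]:
    """Map each published gate to whether this environment passes it."""
    return {"resolution": width >= MIN_HORIZONTAL_RES,
            "marker_file": marker_present(list(entries)),
            "no_av_process": not detected_av(processes)}

def walk_sizes(root: str) -> Iterator[tuple[str, int]]:
    """(path, size) for every regular file under root; feed to marker_present."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            yield str(p), p.stat().st_size

if __name__ == "__main__":
    # Constructed sample: a 1024-wide sandbox with Kaspersky's agent running.
    sample = [("C:/Users/a/Downloads/pic1.png", 0), ("C:/tmp/x.bin", 12)]
    print(gate_report(1024, sample, ["explorer.exe", "avp.exe"]))
```

A report with any gate at False means the sample would likely exit before fetching its Cobalt Strike or VShell stage, so adjust the VM (resolution, marker file, agent processes) before detonation; `walk_sizes` feeds real host trees into `marker_present` for hunting.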
Groups observed using it
1 distinct threat actor attributed by public researchers.
"The compressed files contained a malware loader called Diaoyu..." / "the Diaoyu loader would fetch Cobalt Strike payloads and the VShell framework for command-and-control (C2) under certain conditions..."
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A malware loader delivered via tailored phishing archives (hosted on Mega.nz) that performs environment checks (e.g., screen resolution >= 1440 and presence of a zero-byte pic1.png file) and security-product process checks before proceeding; when conditions are met it fetches additional payloads including Cobalt Strike and VShell for C2.
A custom malware loader used to stage/fetch additional payloads, featuring sandbox evasion techniques.
A malware loader delivered via phishing lures (hosted on mega[.]nz) that performs limited AV product checks (Kaspersky, Avira, Bitdefender, SentinelOne, Symantec), likely to minimize code footprint and evade detection before loading additional payloads.