ShadowGuard rootkit and Diaoyu loader on Linux
Malware Activity
Summary
Researchers identified the ShadowGuard Linux eBPF rootkit and Diaoyu loader as part of the operation’s malware toolkit, adding a stealthy Linux payload-delivery layer that can hide processes and fetch Cobalt Strike or VShell. The tooling is built to evade inspection before loading follow-on payloads. ShadowGuard can conceal up to 32 PIDs and hide files and directories named swsecret. The finding shows a purpose-built malware stack rather than generic phishing infrastructure.
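The summary above reports that ShadowGuard filters what a Linux host shows about itself: up to 32 PIDs disappear from process listings and entries named swsecret disappear from directory listings. A defender-side cross-check added here (not code from the researchers or from the malware) compares the readdir-based view with a direct by-name probe; any gap between the two is a hidden entry. It assumes a Linux host with /proc and assumes the hook filters listings only, so a kernel-level hook that also covers kill() and stat() would need a different check.

```python
# Added defender-side cross-check (illustrative, not the original research code).
# Assumption: the rootkit filters directory listings but not name-based probes.
import os


def diff_views(listed, confirmed):
    """Entries a direct by-name probe confirmed but the listing omitted."""
    return sorted(set(confirmed) - set(listed))


def listed_pids(proc="/proc"):
    """PIDs as a readdir-based listing of /proc reports them."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probed_pids(pid_max):
    """PIDs reachable without readdir: kill(pid, 0) on every candidate PID."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)  # process exists but belongs to another user
    return found


def confirmed_names(directory, candidates):
    """Candidate names that a by-name stat confirms exist in the directory."""
    return {n for n in candidates if os.path.lexists(os.path.join(directory, n))}


def find_hidden_pids(pid_max=None):
    """PIDs present on the host but missing from the /proc listing."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return diff_views(listed_pids(), probed_pids(pid_max))


def find_hidden_names(directory, candidates=("swsecret",)):
    """Names (default: the reported 'swsecret') present but not listed."""
    return diff_views(os.listdir(directory), confirmed_names(directory, candidates))


if __name__ == "__main__":
    print("hidden PIDs:", find_hidden_pids())
    for d in ("/tmp", "/var/tmp", os.path.expanduser("~")):
        print(d, "hidden entries:", find_hidden_names(d))
```

Probing every PID up to pid_max takes a few seconds on a default 4194304 pid_max; a non-empty result from either function is a signal worth pulling the host for memory and eBPF program review (e.g. via bpftool prog list).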
Related Happenings
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources: 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
World Leaks RustyRocket malware activity
Malware Activity
First: 12.02.2026 15:30
Last: 12.02.2026 15:30
Sources: 1
About this happening:
The **World Leaks** extortion group has added **RustyRocket**, a new **Rust** malware that helps it maintain **persistence** and **exfiltrate data** from victim networks. The tool...
Reynolds ransomware BYOVD defense-evasion activity
Malware Activity
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources: 1
About this happening:
The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...
TGR-STA-1030/UNC6619 Shadow Campaigns espionage operation
Campaign
First: 07.02.2026 17:09
Last: 07.02.2026 17:09
Sources: 1
How related:
A state-sponsored threat group has compromised dozens of networks of government and critical infrastructure entities in 37 countries in global-scale operations dubbed 'Shadow Campaigns'.
About this happening:
The **TGR-STA-1030/UNC6619** operation **Shadow Campaigns** expanded a state-sponsored espionage effort that compromised **at least 70 organizations** across **37 countries**, inc...
TrustBastion Android RAT distributes malicious APKs through Hugging Face repositories
Malware Activity
First: 02.02.2026 12:30
Last: 02.02.2026 12:30
Sources: 1
About this happening:
The **TrustBastion** Android RAT now uses **Hugging Face** repositories to distribute malicious APKs, making the operation harder to flag while broadening risk for **Android** use...
Timeline
- 07.02.2026 17:09 · 1 article · 3mo ago
Diaoyu loader and ShadowGuard rootkit analysis
Technical Analysis Update
Researchers detailed a Linux malware toolkit used in Shadow Campaigns that pairs the Diaoyu loader with a custom eBPF rootkit called ShadowGuard. The loader arrives through malicious archives hosted on Mega.nz, checks for pic1.png and security-product processes such as Kaspersky, Avira, Bitdefender, SentinelOne, and Norton (Symantec), and can fetch Cobalt Strike payloads or the VShell framework when its analysis-evasion checks succeed. ShadowGuard hides malicious process information at the kernel level and conceals files and directories to help the operator maintain stealth on compromised Linux hosts.
- State actor targets 155 countries in 'Shadow Campaigns' espionage op — www.bleepingcomputer.com — 07.02.2026 17:09