February 6, 2026

Global espionage operation employs eBPF rootkit targeting Linux systems


At a glance: A global espionage campaign tracked as TGR-STA-1030 is targeting government and critical infrastructure across 37 countries. The group gains access via phishing and vulnerable internet-facing systems, then deploys obfuscated web shells and a custom eBPF rootkit on Linux to maintain stealthy, kernel-level persistence. The group's use of Go-based C2 frameworks and leased VPS infrastructure enables long-term access while evading traditional detection.

Threat summary

Recent analysis details a global espionage operation that has been active for at least two years, targeting government and critical infrastructure networks across 37 countries. The previously unknown group, dubbed TGR-STA-1030, begins its operations with targeted reconnaissance and gains initial access through phishing and exploitation of vulnerable public-facing systems.

Once inside a network, the group establishes a foothold using web shells such as Behinder, Neo-reGeorg, and Godzilla, publicly available tools used to maintain remote access on compromised servers. To further conceal its presence, TGR-STA-1030 obfuscates its Godzilla web shells with code from an open-source tool, Tas9er, which alters function names and adds filler content to evade detection.

After securing access, the group deploys a custom Extended Berkeley Packet Filter (eBPF) rootkit, named ShadowGuard, on Linux systems. This implant provides long-term persistence by hiding processes, intercepting system calls, and monitoring system activity in ways that blend into legitimate kernel operations.

For command-and-control, TGR-STA-1030 routinely leases infrastructure from legitimate virtual private server (VPS) providers. The group often selects servers in countries where hosting activity appears more legitimate to defenders, such as the U.S., the U.K., and Singapore.

Historically, the group relied heavily on Cobalt Strike for post-exploitation, but has since shifted to VShell. The Go-based framework's traffic patterns and process behavior blend more easily with normal system activity.

More recently, the group has experimented with other frameworks, such as Havoc, SparkRat, and Sliver, indicating an active effort to rotate tooling and avoid signature-based detection.

Analysis & mitigation

The shift toward Go-based tooling gives this and other threat actors more room to operate undetected. Go binaries are bulky, cross-platform, and difficult to fingerprint, making them harder for EDR solutions to analyze and less likely to trigger traditional detections. For defenders, this means legacy Cobalt Strike-centric signatures are no longer sufficient. Visibility into outbound ports, process behavior, parent/child anomalies, and network patterns is increasingly important.

The group’s use of a custom eBPF rootkit poses particular risk to environments where Linux systems support authentication, orchestration, and shared management infrastructure. A compromise at this layer increases the likelihood of lateral movement into managed environments, making kernel-level visibility and strict control over eBPF usage essential. eBPF implants are inherently hard to detect, portable across modern Linux distributions, and well-suited for espionage operations.

Field Effect MDR provides broad visibility across the full intrusion chain, detecting early access attempts through abnormal authentication activity and exploitation of internet-facing systems. Its behavioral analytics identify stealthy command-and-control activity from frameworks like VShell by flagging unusual outbound connections, high ephemeral ports, and suspicious process-to-network relationships. Combined with identity monitoring, lateral movement detection, and rapid analyst-led containment, Field Effect MDR reduces attacker dwell time and limits the ability of groups like TGR-STA-1030 to maintain persistence or pivot through shared infrastructure. 

To further reduce risk, organizations should enforce phishing-resistant authentication, tightly restrict remote access pathways, and ensure rapid patching cycles for internet-facing Linux systems. Where possible, defenders should enable kernel-level telemetry and watch for any unauthorized eBPF program loading. eBPF itself should be limited to trusted administrative functions, with strict controls around privileged capabilities. Finally, strengthening identity security through enhanced logging and regular reviews of privileged accounts will help detect misuse earlier and limit the blast radius of a compromise.
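One practical way to watch for unauthorized eBPF programs is to enumerate what the kernel currently has loaded and compare it against a baseline. The following is an added example, not Field Effect's code: it audits the JSON produced by `bpftool prog show -j` against an allowlist, flagging programs that are unknown, that attach to kernel observation hooks, or that have no owning process (a pinned or orphaned program can outlive its loader). The field names follow bpftool's JSON output; the sample output, the `ALLOWLIST` baseline and the program names in it are constructed for illustration.

```python
"""Audit loaded eBPF programs against an allowlist.

Added example, not Field Effect's code. Field names follow `bpftool prog show -j`;
the sample output below is constructed and the allowlist is a hypothetical baseline.
"""
import json
import subprocess

# Hypothetical baseline of (name, type) pairs this host is expected to run.
ALLOWLIST = {
    ("sd_fw_egress", "cgroup_skb"),
    ("sd_fw_ingress", "cgroup_skb"),
    ("cls_sched", "sched_cls"),
}

# Program types that observe or alter kernel activity; an unexpected program
# of these types deserves the most scrutiny.
OBSERVER_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}


def audit(progs):
    """Return one finding per program that is not on the allowlist."""
    findings = []
    for p in progs:
        key = (p.get("name", ""), p.get("type", ""))
        owners = [f"{x['comm']}({x['pid']})" for x in p.get("pids", [])]
        if key in ALLOWLIST:
            continue
        why = ["not in allowlist"]
        if key[1] in OBSERVER_TYPES:
            why.append(f"hooks kernel via {key[1]}")
        if not owners:
            why.append("no owning process (pinned or orphaned)")
        findings.append({"id": p["id"], "name": key[0], "type": key[1],
                         "owners": owners, "why": why})
    return findings


def load_live():
    """Query the running kernel; needs root and a bpftool built with JSON support."""
    out = subprocess.run(["bpftool", "prog", "show", "-j"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


# Constructed sample in the shape of `bpftool prog show -j` output.
SAMPLE_JSON = """[
  {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "0123456789abcdef",
   "gpl_compatible": true, "loaded_at": 1770000000, "uid": 0, "bytes_xlated": 128,
   "jited": true, "map_ids": [3], "pids": [{"pid": 1, "comm": "systemd"}]},
  {"id": 13, "type": "cgroup_skb", "name": "sd_fw_ingress", "tag": "fedcba9876543210",
   "gpl_compatible": true, "loaded_at": 1770000000, "uid": 0, "bytes_xlated": 128,
   "jited": true, "map_ids": [3], "pids": [{"pid": 1, "comm": "systemd"}]},
  {"id": 47, "type": "kprobe", "name": "unk_probe", "tag": "00ff00ff00ff00ff",
   "gpl_compatible": true, "loaded_at": 1770003600, "uid": 0, "bytes_xlated": 2048,
   "jited": true, "map_ids": [9, 10], "pids": []},
  {"id": 48, "type": "tracepoint", "name": "sys_enter_tp", "tag": "11aa22bb33cc44dd",
   "gpl_compatible": true, "loaded_at": 1770003700, "uid": 0, "bytes_xlated": 1024,
   "jited": true, "map_ids": [11], "pids": [{"pid": 2231, "comm": "agent"}]},
  {"id": 60, "type": "sched_cls", "name": "cls_sched", "tag": "aaaa0000bbbb1111",
   "gpl_compatible": true, "loaded_at": 1770000100, "uid": 0, "bytes_xlated": 512,
   "jited": true, "map_ids": [], "pids": []}
]"""
SAMPLE = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"prog {f['id']} {f['name']!r} ({f['type']}): {', '.join(f['why'])}")
```

Periodic enumeration only catches programs that are still loaded when the check runs, so pair it with syscall-level auditing of `bpf()` itself (for example an auditd rule of the form `-a always,exit -F arch=b64 -S bpf`) and with CAP_BPF/CAP_SYS_ADMIN restrictions, so that a load is recorded even if the program is later unloaded.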
