Cybersecurity researchers have uncovered a significant espionage campaign orchestrated by China-aligned actors targeting government and defense sectors across Asia and one NATO member in Europe. This sophisticated operation, tracked as SHADOW-EARTH-053, demonstrates a persistent threat to sensitive information.
The campaign, active since at least December 2024, exploits known vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers. Trend Micro, which attributes the activity to a specific cluster, reported that the adversaries gained persistent access through web shells like Godzilla and deployed ShadowPad implants via DLL side-loading, a technique that masks malicious code within legitimate software.
China-Aligned Hackers Target Asian Governments and NATO Member
The primary targets of the SHADOW-EARTH-053 campaign are located in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. This extensive reach into South, East, and Southeast Asia highlights a broad intelligence-gathering objective. Poland is the sole European nation identified within the victimology footprint of this threat actor.
Trend Micro also noted that nearly half of the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, had previously been compromised by a related intrusion set known as SHADOW-EARTH-054. While evidence of direct operational coordination between these two groups remains elusive, the shared victim pool suggests a possible connection or at least a shared interest in the same geopolitical regions.
The initial breach method for these attacks relies on exploiting unpatched security flaws in internet-facing Exchange and IIS servers. Once inside, attackers deploy web shells to maintain remote access, facilitating reconnaissance and the subsequent deployment of the ShadowPad backdoor. This backdoor is often launched through AnyDesk in conjunction with DLL side-loading, a technique in which a legitimate executable is made to load a malicious DLL in place of the library it expects, so the malicious code runs under the legitimate program's name and trust.
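Repeated POSTs to a single script file, with no Referer and no accompanying GET traffic, are the traffic shape an operator driving a web shell leaves in IIS logs, and that pattern can be hunted without any knowledge of the specific shell. The following Python is an added example, not code from Trend Micro or from the article: it parses the IIS W3C log format using the #Fields header and flags (client, URI) pairs that match that shape. The log lines are constructed, and the path /aspnet_client/system_web/sync.aspx is a made-up location rather than a reported indicator.

```python
"""Hunt for web-shell-style traffic in IIS W3C logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")

# Constructed sample: three lines of ordinary OWA logon traffic, then repeated
# POSTs from one client to a script with no Referer. IIS encodes spaces in the
# User-Agent as '+', which is why the lines split cleanly on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-01-10 09:00:01 GET /owa/auth/logon.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-01-10 09:00:03 POST /owa/auth.owa - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/auth/logon.aspx 302
2025-01-10 09:00:04 GET /owa/ - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/auth/logon.aspx 200
2025-01-10 09:05:10 POST /aspnet_client/system_web/sync.aspx - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-01-10 09:05:12 POST /aspnet_client/system_web/sync.aspx - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-01-10 09:05:19 POST /aspnet_client/system_web/sync.aspx - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-01-10 09:05:31 POST /aspnet_client/system_web/sync.aspx - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200
"""


@dataclass
class EndpointStats:
    posts: int = 0
    other_methods: int = 0
    referer_seen: bool = False


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def find_webshell_candidates(text, min_posts=3):
    """Return (client IP, URI) pairs whose traffic to a script endpoint is
    POST-only, repeated, and never carries a Referer: the shape of a tool
    driving a script directly rather than a browser using the application."""
    stats = defaultdict(EndpointStats)
    for rec in parse_iis_log(text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.endswith(SCRIPT_EXTENSIONS):
            continue
        s = stats[(rec["c-ip"], uri)]
        if rec["cs-method"] == "POST":
            s.posts += 1
        else:
            s.other_methods += 1
        if rec["cs(Referer)"] != "-":
            s.referer_seen = True
    return sorted(
        key for key, s in stats.items()
        if s.posts >= min_posts and s.other_methods == 0 and not s.referer_seen
    )


if __name__ == "__main__":
    for client, uri in find_webshell_candidates(SAMPLE_LOG):
        print(f"review {uri}: POST-only traffic with no Referer from {client}")
```

The result is a triage list, not a verdict: the next step is to check whether each flagged script file exists in the web root's legitimate deployment and when it was created.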
In certain instances, particularly concerning the exploitation of React2Shell (CVE-2025-55182), the campaign has also facilitated the distribution of a Linux variant of the Noodle RAT, also known as ANGRYREBEL or Nood RAT. The Google Threat Intelligence Group (GTIG) has previously linked this specific attack chain to a threat actor group designated as UNC6595.
Furthermore, the attackers are employing open-source tunneling tools like IOX, GO Simple Tunnel (GOST), and Wstunnel, alongside RingQ for packing malicious binaries and evading detection by security software. For privilege escalation, the SHADOW-EARTH-053 group has been observed utilizing Mimikatz, a well-known tool for extracting credentials. Lateral movement within compromised networks is achieved through a custom remote desktop protocol (RDP) launcher and a C# implementation of SMBExec called Sharp-SMBExec.
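Because DLL side-loading abuses the loader's search order, it can be hunted from image-load telemetry: a DLL whose name normally resolves from the Windows directories, but which was loaded from the application's own folder and is unsigned, is the classic signature. The following Python is an added example and not code from Trend Micro or the article. It works over Sysmon Event ID 7 (ImageLoaded) records represented as dicts; the events are constructed, the tool name is invented, and SYSTEM_DLLS is an illustrative list that a real hunt would build from a clean reference host.

```python
"""Flag DLL side-loading candidates from Sysmon image-load records (added example, constructed data)."""
from pathlib import PureWindowsPath

# Illustrative names that normally resolve from System32; assumption for this example.
SYSTEM_DLLS = {"version.dll", "userenv.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Constructed Sysmon Event ID 7 fields (Image, ImageLoaded, Signed); the tool is fictional.
SAMPLE_EVENTS = [
    # Normal: the signed system copy of version.dll is loaded from System32.
    {"Image": r"C:\Program Files\RemoteTool\remotetool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Normal: a vendor DLL that ships next to the vendor binary.
    {"Image": r"C:\Program Files\RemoteTool\remotetool.exe",
     "ImageLoaded": r"C:\Program Files\RemoteTool\rtcore.dll", "Signed": "true"},
    # Suspicious: a copy of the tool in a user-writable folder loads an unsigned
    # version.dll from its own directory instead of the system copy.
    {"Image": r"C:\Users\Public\Libraries\remotetool.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": "false"},
]


def sideload_reasons(event):
    """Return the reasons an image-load looks like side-loading, or [] if it looks normal."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    loaded_dir = str(loaded.parent).lower()
    if loaded_dir.startswith(SYSTEM_DIRS):
        return []  # resolved from a Windows directory: the expected outcome
    if loaded.name.lower() not in SYSTEM_DLLS:
        return []  # not a system DLL name: an ordinary application DLL
    reasons = ["system DLL name resolved outside the Windows directories"]
    if loaded.parent == image.parent:  # PureWindowsPath compares case-insensitively
        reasons.append("loaded from the executable's own directory")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    return reasons


def sideload_candidates(events):
    """Return (DLL path, reasons) for every event that sideload_reasons flags."""
    out = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            out.append((ev["ImageLoaded"], reasons))
    return out


if __name__ == "__main__":
    for path, reasons in sideload_candidates(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

In a SIEM the same logic is a join between the image-load event and an allowlist of system DLL names; the Python form is handy for one-off review of exported events from a suspect host.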
Trend Micro strongly advises organizations to prioritize the application of the latest security updates and cumulative patches for Microsoft Exchange and any web applications hosted on IIS. In situations where immediate patching is not feasible, the deployment of Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets tuned to block exploit attempts against known vulnerabilities, a practice known as virtual patching, is recommended.
Additional Campaigns Target Activists and Journalists
The disclosure of the SHADOW-EARTH-053 campaign coincides with a separate report from Citizen Lab detailing new phishing campaigns orchestrated by two distinct China-affiliated threat actors. These campaigns specifically target and impersonate journalists and civil society members, including activists from Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora communities. The two actors' campaigns were first observed in April and June 2025 respectively.
These threat actor clusters have been codenamed GLITTER CARP, which has notably targeted the International Consortium of Investigative Journalists (ICIJ), and SEQUIN CARP, whose primary focus has been on ICIJ journalist Scilla Alecci and other international reporters covering topics of significant interest to the Chinese government. The targeting of individuals and organizations involved in investigative journalism and activism underscores a pattern of transnational repression.
According to Citizen Lab, these actors utilize sophisticated digital impersonation tactics within their phishing emails, including impersonating known individuals and disseminating fake security alerts from tech companies. Although the targeted groups vary, the observed activity shares common infrastructure and tactics, with frequent reuse of domains and impersonated individuals across multiple targets. This suggests a coordinated effort, even across seemingly distinct operations.
GLITTER CARP has been linked not only to broad-scale phishing attacks but also to campaigns targeting the Taiwanese semiconductor industry. Some aspects of these efforts were previously documented by Proofpoint as UNK_SparkyCarp. SEQUIN CARP, in contrast, exhibits similarities to a group tracked by Volexity as UTA0388 and an intrusion set that Trend Micro has detailed as TAOTH. This overlap indicates a complex ecosystem of state-sponsored or state-affiliated hacking operations.
The ultimate objective of these phishing campaigns is to gain initial access to email accounts through credential harvesting, specialized phishing pages, or social engineering tactics that trick targets into granting a third-party OAuth application access to their accounts. GLITTER CARP's phishing emails also incorporate 1×1 tracking pixels, which, when the email is opened, send a request to a URL on the attacker's domain to gather device information and confirm that the recipient has viewed the message.
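A mail gateway or a journalist's own mail tooling can detect that beacon before it fires: a remote image that the reader cannot see (1×1, zero-sized or hidden by style) has no purpose except to report back. The following Python is an added example and not code from Citizen Lab's report. It walks an HTML body with the standard library's HTMLParser and reports hidden remote images, noting whether the host lies outside the sender's domain and whether the URL carries a query string (a per-recipient token). The HTML and hostnames are constructed, using reserved .test and .invalid names rather than any reported indicator.

```python
"""Find remote tracking pixels in an HTML e-mail body (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message: a visible logo, a hidden remote beacon, and an embedded (cid:) image.
SAMPLE_HTML = """\
<html><body>
<p>Hi, please find the draft we discussed attached.</p>
<img src="https://mail.example-newsroom.test/logo.png" width="120" height="40" alt="logo">
<img src="https://beacon.example-tracker.invalid/o.gif?rid=8f3a2c91" width="1" height="1" style="display:none">
<img src="cid:inline-photo-1" width="1" height="1">
</body></html>
"""


def _tiny(value):
    """True for width/height values of 0 or 1, with or without a px suffix."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v in ("0", "1")


def _is_hidden_or_tiny(attrs):
    """True when the image is invisible to the reader by size or by inline style."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    if w and h and _tiny(w) and _tiny(h):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or ("width:1px" in style and "height:1px" in style))


class PixelFinder(HTMLParser):
    """Collects remote <img> tags that the reader would never see."""

    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain.lower()
        self.findings = []

    # HTMLParser routes self-closing <img .../> tags through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images are embedded in the message and cannot phone home
        if not _is_hidden_or_tiny(a):
            return
        host = (urlparse(src).hostname or "").lower()
        same_sender = host == self.sender_domain or host.endswith("." + self.sender_domain)
        self.findings.append({
            "src": src,
            "host": host,
            "external": not same_sender,
            "per_recipient_token": "?" in src,
        })


def find_tracking_pixels(html, sender_domain):
    """Return one finding per hidden remote image; a gateway can block or rewrite these hosts."""
    finder = PixelFinder(sender_domain)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_HTML, "example-newsroom.test"):
        print(f"beacon -> {f['host']} external={f['external']} token={f['per_recipient_token']}")
```

Blocking remote image loading by default in the mail client neutralises the beacon entirely; the parser above is for the gateway or analyst who wants to know which messages carried one and which hosts they pointed at.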
Citizen Lab observed concurrent targeting of specific organizations utilizing both the AiTM phishing kit (associated with GLITTER CARP and UNK_SparkyCarp) and the delivery of HealthKick malware through different phishing tactics by a separate group (UNK_DropPitch). This indicates a degree of overlap between these groups, though the precise nature of their relationship remains unclear. The research unit concluded that the targeting observed in both GLITTER CARP and SEQUIN CARP aligns with the intelligence priorities of the Chinese government.
The breadth of targeting documented in these reports, combined with information on China’s historical and ongoing use of contractors, suggests with a medium level of confidence that commercial entities hired by the Chinese state may be behind these observed clusters of activity. The distributed nature of these operations points to an evolving strategy that leverages a network of actors to achieve intelligence objectives.