Chinese-Aligned Cyber Espionage Campaigns Target Governments, Defense, and Civil Society Across Asia and Europe

Cahyo Dewo, May 2, 2026

Cybersecurity researchers have unveiled intricate details of a persistent and far-reaching cyber espionage campaign, attributed to China-aligned threat actors, that has systematically targeted government and defense sectors across South, East, and Southeast Asia, alongside a NATO member in Europe. This multi-pronged offensive highlights the escalating sophistication and breadth of state-sponsored cyber activities aimed at strategic intelligence gathering and the suppression of critical narratives.

Unmasking SHADOW-EARTH-053: A Persistent Espionage Threat

Trend Micro, a leading cybersecurity firm, has been tracking one of the primary threat activity clusters under the provisional designation SHADOW-EARTH-053. This adversarial collective is believed to have been actively operating since at least December 2024, demonstrating a consistent focus on high-value targets. The group exhibits significant network overlap with other known China-linked entities, including CL-STA-0049, Earth Alux, and REF7707, suggesting either shared infrastructure, common tactical approaches, or even direct coordination within a broader state-sponsored ecosystem.

The modus operandi of SHADOW-EARTH-053 involves a calculated exploitation of known, or "N-day," vulnerabilities in widely used internet-facing infrastructure. Specifically, Microsoft Exchange and Internet Information Services (IIS) servers have been identified as primary entry points. The group capitalizes on unpatched systems, leveraging critical flaws such as the infamous ProxyLogon chain, which has been a recurring vector for state-sponsored attacks since its widespread disclosure. Once initial access is gained, the attackers deploy sophisticated web shells, notably Godzilla, to establish persistent remote access. These web shells serve as crucial conduits for command execution, allowing the attackers to conduct extensive reconnaissance within compromised networks. The ultimate objective of this initial phase is the deployment of advanced implants, such as ShadowPad, often facilitated through DLL sideloading of legitimate, signed executables to evade detection.

Daniel Lunghi and Lucas Silva, security researchers at Trend Micro, underscored the group’s methodical approach in their detailed analysis, emphasizing the blend of known exploits with advanced malware deployment techniques. This strategy allows the threat actors to maintain a low profile while ensuring robust, long-term access to target environments.

Geographic Scope and Strategic Targets

Figure: China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists

The geographical spread of SHADOW-EARTH-053’s operations is strategically significant, reflecting China’s broader geopolitical interests. Countries targeted include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan – nations often at the nexus of regional power dynamics, economic initiatives like the Belt and Road, or territorial disputes. The inclusion of Poland, a NATO member, as the lone European country in the victimology footprint, further broadens the implications, suggesting an interest beyond immediate regional concerns, potentially related to NATO intelligence, European Union policies, or critical infrastructure connections.

Adding another layer of complexity, Trend Micro observed that nearly half of the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, had also been compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054. While direct operational coordination between the two groups has not been definitively established, this overlap points to a concentrated, possibly compartmentalized, effort targeting specific entities or sectors within these nations. The consistent targeting of these countries underscores their strategic importance in the geopolitical landscape of Asia, particularly concerning maritime routes, economic development, and regional alliances.

Arsenal of Tools and Techniques

The initial breach, as previously noted, relies heavily on exploiting N-day vulnerabilities in unpatched systems. Following successful exploitation, web shells like Godzilla provide the foundational persistent access. These web shells are not merely backdoors but sophisticated platforms enabling command execution, file management, and further payload delivery. The subsequent deployment of the ShadowPad backdoor, often facilitated through remote access tools like AnyDesk, showcases the group’s preference for modular, highly configurable malware that can adapt to different target environments. The use of DLL sideloading is a common evasion technique, leveraging trusted processes to load malicious libraries, thereby bypassing traditional security controls.
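The DLL sideloading pattern described above (a legitimate, signed executable loading a malicious library placed next to it) leaves a recognisable shape in image-load telemetry, which is where defenders usually hunt for it. The following is an added example and not code from Trend Micro's report: a small heuristic run over constructed, Sysmon-style image-load records. The record fields, the sample paths and the severity labels are assumptions made for illustration, not indicators from the campaign.

```python
"""Heuristic triage of image-load records for DLL sideloading (added example)."""
from pathlib import PureWindowsPath

# Directories where an executable loading a DLL from its own folder is expected
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")

# Constructed sample records in a simplified, Sysmon-like image-load shape.
# Every path here is a placeholder; none is an indicator from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll",
     "ImageSigned": True, "LoadedSigned": True},
    {"Image": r"C:\Users\Public\update\vendorapp.exe",       # signed binary dropped here...
     "ImageLoaded": r"C:\Users\Public\update\helper.dll",    # ...with an unsigned DLL beside it
     "ImageSigned": True, "LoadedSigned": False},
    {"Image": r"C:\Program Files\Vendor\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "ImageSigned": True, "LoadedSigned": True},
    {"Image": r"C:\ProgramData\tmp\signedtool.exe",
     "ImageLoaded": r"C:\ProgramData\tmp\log.dll",
     "ImageSigned": True, "LoadedSigned": True},
]


def _norm(path):
    """Lower-cased Windows path string for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def _under_trusted_root(path):
    p = _norm(path)
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def classify(event):
    """Return 'high', 'low' or 'none' for one image-load record.

    The sideloading shape is: DLL and loader share a directory, that directory
    is outside the normal install roots, and the loader is signed while the
    library is not.
    """
    exe, dll = event["Image"], event["ImageLoaded"]
    same_dir = PureWindowsPath(_norm(exe)).parent == PureWindowsPath(_norm(dll)).parent
    if not same_dir or _under_trusted_root(dll):
        return "none"
    if event["ImageSigned"] and not event["LoadedSigned"]:
        return "high"   # trusted loader, untrusted library, unusual location
    return "low"        # co-located load from an unusual directory; worth a look


def triage(events):
    """Group records by severity, dropping the ones that score 'none'."""
    out = {"high": [], "low": []}
    for e in events:
        sev = classify(e)
        if sev != "none":
            out[sev].append((e["Image"], e["ImageLoaded"]))
    return out


if __name__ == "__main__":
    for sev, hits in triage(SAMPLE_EVENTS).items():
        for exe, dll in hits:
            print(f"[{sev}] {exe} loaded {dll}")
```

On a real host the signature fields would come from the telemetry agent and the trusted-root list would be tuned to the estate's software inventory; the structural test (same directory, unusual location, trust mismatch) is what carries the detection, not any particular file name.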

Beyond these core tools, the campaign demonstrates a diverse and evolving arsenal. In at least one documented instance, the weaponization of the React2Shell vulnerability (CVE-2025-55182) reportedly facilitated the distribution of a Linux variant of Noodle RAT, also known as ANGRYREBEL and Nood RAT. This particular attack chain has been linked by the Google Threat Intelligence Group (GTIG) to UNC6595, further illustrating the interconnectedness of various China-aligned threat groups and their shared tactical approaches. The ability to deploy cross-platform malware like Noodle RAT underscores the attackers’ adaptability and capacity to target diverse operating environments, including critical Linux-based servers.

For maintaining stealth and ensuring data exfiltration, the threat actors utilize various open-source tunneling tools such as IOX, GO Simple Tunnel (GOST), and Wstunnel. These tools allow for encrypted communication and obfuscation of command-and-control (C2) traffic, making detection and blocking more challenging for defenders. To further evade security solutions, techniques like using RingQ to pack malicious binaries are employed. For privilege escalation within compromised networks, the group leverages well-known tools like Mimikatz, designed to extract credentials from memory. Lateral movement, a critical phase in any espionage operation, is achieved using a custom remote desktop protocol (RDP) launcher and a C# implementation of SMBExec, known as Sharp-SMBExec, which enables remote execution of commands over SMB.

GLITTER CARP and SEQUIN CARP: Targeting Civil Society and Journalists


The comprehensive disclosure by Trend Micro coincides with a parallel report from Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, which shed light on another set of China-affiliated threat actors focusing on digital transnational repression. These distinct groups, codenamed GLITTER CARP and SEQUIN CARP, have launched new phishing campaigns specifically targeting and impersonating journalists and civil society members. Their targets include Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists – groups often critical of the Chinese government’s policies. These wide-ranging campaigns were first detected in April and June 2025, respectively.

GLITTER CARP has notably singled out the International Consortium of Investigative Journalists (ICIJ), an organization renowned for its investigative journalism, including the Panama Papers and Pandora Papers. SEQUIN CARP, on the other hand, specifically targeted ICIJ journalist Scilla Alecci and other international journalists who cover topics deemed sensitive or of critical interest to the Chinese government.

Citizen Lab’s research revealed a sophisticated approach to digital impersonation, leveraging "well-thought-out digital impersonation schemes in phishing emails." These schemes include impersonating known individuals within the targets’ professional networks or mimicking legitimate tech company security alerts. A concerning aspect highlighted by Citizen Lab is the consistent reuse of infrastructure and tactics across different cases, frequently employing the same domains and impersonated individuals for multiple targets. This efficiency suggests a coordinated effort and a centralized approach to campaign management.

Overlap and Evolution of Threat Actors

The connections between these various threat clusters underscore a complex and dynamic landscape of state-sponsored cyber operations. GLITTER CARP, beyond its broad-scale phishing attacks against civil society, has also been linked to phishing campaigns targeting Taiwan’s strategically vital semiconductor industry. Aspects of these efforts were previously documented by Proofpoint in July 2025 under the designation UNK_SparkyCarp. This dual targeting of both civil society and critical industries highlights the multifaceted objectives of China-aligned groups.

SEQUIN CARP, while distinct, shares similarities with a group tracked by Volexity as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH. Such overlaps and shared characteristics are common in state-sponsored cyber espionage, where different units or contractors may employ similar tools, techniques, or even share intelligence and infrastructure.

The primary goal of these civil society-focused campaigns is to gain initial access to email-based accounts through various methods: credential harvesting via deceptive phishing pages, direct phishing attacks, or socially engineering targets into granting access via third-party OAuth tokens. GLITTER CARP’s phishing emails also incorporate 1×1 tracking pixels, which point to a URL on the attacker’s domain. These pixels serve a dual purpose: to gather device information and, crucially, to confirm if the emails were opened by the recipients, thereby validating target engagement and refining future attack strategies.
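The tracking-pixel technique just described is easy to check for on the receiving side: a remote image that is one pixel square or hidden by CSS serves no display purpose and only beacons to the sender's server when rendered. The following is an added example, not code from Citizen Lab's report or from the page: a parser that flags such images in an HTML email body. The sample message and its hostnames are constructed placeholders.

```python
"""Flag remote 1x1 or hidden tracking images in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: a normal logo, a remote 1x1 pixel sized by attributes,
# a remote pixel sized by inline CSS, and an inline (cid:) image that cannot beacon.
# The hostnames are placeholders, not indicators from any report.
SAMPLE_HTML = """
<html><body>
<p>Hello, please review the attached security alert.</p>
<img src="https://cdn.example-mail.test/logo.png" width="120" height="40" alt="logo">
<img src="https://track.attacker-placeholder.test/p.gif?id=abc123" width="1" height="1">
<img src="https://t.attacker-placeholder.test/o.png" style="width:1px;height:1px">
<img src="cid:inline-image-001" width="1" height="1">
</body></html>
"""


def _dimension(attrs, name):
    """Pixel size from the width/height attribute or inline CSS, else None."""
    m = re.match(r"\s*(\d+)", attrs.get(name, ""))
    if m:
        return int(m.group(1))
    m = re.search(name + r"\s*:\s*(\d+)", attrs.get("style", ""), re.I)
    return int(m.group(1)) if m else None


def _is_remote(src):
    # cid: and data: images are embedded in the message and do not contact a server
    return urlparse(src).scheme in ("http", "https")


def _is_tiny_or_hidden(attrs):
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    hidden = re.search(r"display\s*:\s*none", attrs.get("style", ""), re.I) is not None
    return (w is not None and h is not None and w <= 1 and h <= 1) or hidden


class _PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if _is_remote(src) and _is_tiny_or_hidden(a):
            self.pixels.append({"src": src, "host": urlparse(src).hostname})


def find_tracking_pixels(html):
    """Return a list of {'src', 'host'} for each remote image that is 1x1 or hidden."""
    finder = _PixelFinder()
    finder.feed(html)
    return finder.pixels


if __name__ == "__main__":
    for p in find_tracking_pixels(SAMPLE_HTML):
        print(f"tracking pixel -> {p['host']} ({p['src']})")
```

The check is useful at a mail gateway or in triage tooling; the simpler operational control is the one most mail clients already offer, blocking remote images by default, which prevents the beacon from confirming the open at all.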


Citizen Lab’s analysis noted "concurrent targeting of specific organizations using both the AiTM phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick using different phishing tactics by a separate group (UNK_DropPitch)." This observation strongly suggests a degree of operational overlap between these groups, although the precise nature of their relationship—whether direct collaboration, shared resources, or simply aligned objectives—remains a subject of ongoing investigation.

Implications and Defensive Strategies

The revelations from Trend Micro and Citizen Lab paint a stark picture of persistent and pervasive cyber espionage, underscoring the severe threats posed to national security, economic stability, and human rights globally. The targeting of government and defense sectors can compromise sensitive intelligence, undermine strategic advantages, and expose critical infrastructure. Simultaneously, the targeting of journalists and activists represents a direct assault on freedom of expression and democratic principles, enabling digital transnational repression.

Cybersecurity experts universally emphasize the critical importance of proactive defense. Trend Micro specifically recommended that organizations prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and all web applications hosted on IIS. Given that N-day vulnerabilities are a primary entry vector, rigorous patch management is non-negotiable. In scenarios where immediate patching is not feasible, deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against known CVEs (a practice known as "virtual patching") can offer a vital temporary shield.

Beyond technical solutions, broader strategies are essential. Implementing multi-factor authentication (MFA) across all accounts, particularly for privileged access and email, can significantly mitigate the impact of credential harvesting. Employee training on phishing awareness, especially concerning sophisticated impersonation tactics, is crucial for protecting civil society organizations and media outlets. Regular security audits, robust network segmentation, and continuous threat intelligence sharing are also paramount in building resilient cyber defenses against such persistent and adaptive adversaries.

Broader Context and Geopolitical Significance

These campaigns are not isolated incidents but rather part of a larger pattern of state-sponsored cyber operations linked to China. The motivations are multi-layered: to gain geopolitical advantage, acquire sensitive economic and technological intellectual property, monitor dissidents, and influence international narratives. The use of commercial entities or contractors, as suggested by Citizen Lab, adds another layer of deniability and complexity to attribution, making it challenging to definitively link attacks directly to state apparatuses. This "commercialization" of state-sponsored hacking blurs the lines and complicates international responses.


The targeting of nations in South and Southeast Asia reflects China’s strategic interests in the region, including maritime claims in the South China Sea, economic influence through initiatives like the Belt and Road, and regional security dynamics. The inclusion of Taiwan, a self-governing democracy claimed by Beijing, is particularly significant, underscoring ongoing intelligence efforts against the island’s government and critical industries. Poland’s presence on the target list suggests an expansion of intelligence collection beyond immediate regional concerns, potentially indicating an interest in NATO operations, European political developments, or supply chain vulnerabilities.

The relentless targeting of Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora communities, alongside international journalists investigating China-related issues, highlights Beijing’s concerted efforts to control information and suppress dissent globally. This digital repression extends the reach of state control beyond national borders, impacting human rights and democratic freedoms in a transnational context.

As the digital landscape continues to evolve, the threat from sophisticated, state-aligned cyber actors remains a critical challenge. These latest disclosures underscore the urgent need for enhanced international cooperation, robust defensive postures, and continued vigilance against the multifaceted and evolving nature of cyber espionage. The ongoing cat-and-mouse game between threat actors and defenders will undoubtedly shape the future of cybersecurity and international relations.
