China-Linked Hackers Target 8 Asian Governments, NATO State, Journalists, and Activists
Cybersecurity researchers have unveiled a sophisticated espionage campaign linked to Chinese threat actors, focusing on government and defense sectors across South, East, and Southeast Asia, as well as one NATO member state in Europe. This development underscores the ongoing geopolitical tensions and the increasing sophistication of cyber threats in the region.
Overview of the SHADOW-EARTH-053 Campaign
Trend Micro has identified this activity as part of a threat cluster designated SHADOW-EARTH-053, believed to have been operational since at least December 2024. This group exhibits some overlap with other known threat actors, including CL-STA-0049, Earth Alux, and REF7707. The campaign primarily exploits vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers, particularly leveraging the ProxyLogon exploit chain.
According to security researchers Daniel Lunghi and Lucas Silva, the group utilizes N-day vulnerabilities to gain access to unpatched systems. They deploy web shells, specifically Godzilla, to maintain persistent access and subsequently introduce ShadowPad implants through DLL sideloading of legitimate signed executables.
The campaign has targeted several nations, including Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, with Poland being the only European country affected. Notably, nearly half of the identified targets in Malaysia, Sri Lanka, and Myanmar had previously been compromised by a related intrusion set known as SHADOW-EARTH-054. However, no direct operational coordination between the two groups has been established.
Technical Mechanisms of the Attack
The initial phase of the attacks involves exploiting known security flaws to breach systems and deploy web shells like Godzilla, which serve as a vehicle for executing commands and conducting reconnaissance. This ultimately leads to the deployment of the ShadowPad backdoor, loaded by DLL side-loading: a malicious DLL is placed alongside a legitimate, signed AnyDesk executable, which loads it when it runs.
In one instance, the exploitation of the React2Shell vulnerability (CVE-2025-55182) facilitated the distribution of a Linux variant of Noodle RAT. This particular attack chain has been linked to a group identified as UNC6595 by the Google Threat Intelligence Group.
Additionally, the attackers employ open-source tunneling tools such as IOX, GO Simple Tunnel (GOST), and Wstunnel, along with RingQ to obfuscate malicious binaries and evade detection. For credential theft and privilege escalation, the group has utilized Mimikatz, while lateral movement is achieved through a custom remote desktop protocol (RDP) launcher and a C# implementation of SMBExec known as Sharp-SMBExec.
Trend Micro emphasizes that the primary entry vector for this campaign involves vulnerabilities in internet-facing IIS applications. Organizations are urged to prioritize the application of the latest security updates and cumulative patches for Microsoft Exchange and any web applications hosted on IIS. In cases where immediate patching is not feasible, deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with tailored rulesets to block exploit attempts against known CVEs is strongly recommended.
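A defender reading the paragraphs above will want to know what the ProxyLogon N-day exploitation described there looks like in their own IIS logs. The following Python scanner is an added example, not code from the article or from Trend Micro: it flags IIS W3C log lines carrying the request shape of the public ProxyLogon (CVE-2021-26855) SSRF chain, namely an `@` embedded in a request to `/autodiscover/autodiscover.json` and an `X-BEResource=...~<version>` backend-routing cookie supplied by an external client. The log lines, IP addresses, host names and the assumed field layout are constructed for the demonstration; the indicators are taken from published proof-of-concept traffic, not from the Trend Micro report.

```python
"""Added example (not from the article or Trend Micro): scans IIS W3C log
lines for the request shape of the public ProxyLogon (CVE-2021-26855) SSRF
chain. Log lines, host names and the field layout are constructed."""
import re
from dataclasses import dataclass

# Constructed IIS log lines. Field layout assumed for this example:
# date time cs-method cs-uri-stem cs-uri-query cs-username c-ip
# cs(User-Agent) cs(Cookie) sc-status
SAMPLE_IIS_LOG = """\
2025-12-01 08:00:01 GET /owa/auth/logon.aspx url=%2fowa%2f - 203.0.113.9 Mozilla/5.0 - 200
2025-12-01 08:00:07 POST /autodiscover/autodiscover.json @evil.test/ecp/default.flt - 198.51.100.7 python-requests/2.31 X-BEResource=Administrator@EXCH01:444/ecp/proxyLogon.ecp?#~1941962753 200
2025-12-01 08:00:09 POST /ecp/y.js - - 198.51.100.7 python-requests/2.31 X-BEResource=Administrator@EXCH01:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory#~1941962753 200
2025-12-01 08:01:00 GET /owa/auth/Current/themes/resources/logon.css - - 203.0.113.9 Mozilla/5.0 - 200
"""


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reason: str


# A backend-routing cookie of the form X-BEResource=<target>~<version> is
# normally built by the Exchange front end itself; arriving from an external
# client it is the signature of the published exploit chain.
BERESOURCE_COOKIE = re.compile(r"X-BEResource=[^;\s]+~\d+", re.I)


def parse_iis_line(line):
    """Split one W3C line into the fields this scanner needs; None if malformed."""
    parts = line.split(" ")
    if len(parts) != 10:
        return None
    return {"method": parts[2], "stem": parts[3].lower(), "query": parts[4],
            "ip": parts[6], "cookie": parts[8]}


def scan_iis_log(text):
    """Return one Hit per indicator found, in log order."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        rec = parse_iis_line(raw)
        if rec is None:
            continue
        # Indicator 1: the autodiscover.json SSRF, an '@' embedded in the
        # query so the front end proxies to an attacker-chosen backend path.
        if rec["stem"] == "/autodiscover/autodiscover.json" and "@" in rec["query"]:
            hits.append(Hit(n, rec["ip"], "autodiscover.json SSRF query"))
        # Indicator 2: an externally supplied X-BEResource cookie.
        if BERESOURCE_COOKIE.search(rec["cookie"]):
            hits.append(Hit(n, rec["ip"], "external X-BEResource cookie"))
    return hits


def suspicious_sources(text):
    """Client IPs with at least one hit, for a block list or follow-up hunt."""
    return sorted({h.client_ip for h in scan_iis_log(text)})


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {hit.line_no} {hit.client_ip}: {hit.reason}")
```

Run against the constructed sample, the scanner flags lines 2 and 3 (three indicators, all from 198.51.100.7) and nothing for the ordinary OWA traffic. On a real server the cookie field position depends on the site's configured W3C fields, so read the `#Fields:` header rather than hard-coding indices as the example does; and because the N-day is patched by cumulative updates, any hit on a patched server still warrants a web shell hunt under the Exchange `FrontEnd\HttpProxy` directories, since the exploit may have landed before the patch.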
GLITTER CARP and SEQUIN CARP: Targeting Journalists and Activists
In a related development, the Citizen Lab has reported on a new phishing campaign executed by two distinct China-affiliated threat actors, targeting journalists and civil society activists, including those from the Uyghur, Tibetan, Taiwanese, and Hong Kong communities. These campaigns, identified as GLITTER CARP and SEQUIN CARP, were first detected in April and June 2025, respectively.
GLITTER CARP has specifically targeted the International Consortium of Investigative Journalists (ICIJ), while SEQUIN CARP has focused on ICIJ journalist Scilla Alecci and other international journalists covering topics of significant interest to the Chinese government. The actors employ sophisticated digital impersonation tactics in phishing emails, mimicking known individuals and tech company security alerts.
The phishing campaigns have also been linked to broader efforts targeting the Taiwanese semiconductor industry, previously documented under the name UNK_SparkyCarp. SEQUIN CARP shares similarities with a group tracked by Volexity as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH.
The primary objective of these campaigns is to gain initial access to email accounts through credential harvesting, phishing pages, or social engineering tactics. GLITTER CARP’s phishing emails utilize 1×1 tracking pixels to gather device information and confirm whether the emails were opened by recipients.
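The open-tracking technique mentioned above is easy to spot once you know the shape: a remotely hosted image the recipient cannot see, usually sized 1×1 or hidden by CSS, with a per-recipient token in its URL so the fetch confirms the open and leaks the client's IP and user agent. The following scanner is an added example, not code from the article or from the Citizen Lab report; the HTML body, the hosts (`mail.example.test`, `t.example.test`) and the token values are constructed for the demonstration.

```python
"""Added example (not from the article or the Citizen Lab report): flags
remote 1x1 or hidden <img> beacons in an HTML e-mail body. The body and the
example.test hostnames are constructed for this demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body: one visible logo, one inline CID image, and one
# remote 1x1 beacon carrying a per-recipient token in its query string.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Security alert: new sign-in to your account.</p>
<img src="https://mail.example.test/logo.png" width="120" height="40" alt="logo">
<img src="cid:signature@local" width="1" height="1">
<img src="https://t.example.test/o.gif?id=8f1c2d&u=recipient42" width="1" height="1" style="display:none;">
</body></html>
"""


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '0'; None if absent."""
    if value is None:
        return None
    digits = "".join(ch for ch in str(value).strip() if ch.isdigit())
    return int(digits) if digits else None


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_tracking_pixels(html):
    """Return the remote <img> tags that look like open-tracking beacons."""
    parser = _ImgCollector()
    parser.feed(html)
    beacons = []
    for img in parser.images:
        src = img.get("src", "")
        parsed = urlparse(src)
        # cid:/data: images never leave the mail client, so they cannot beacon.
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        w, h = _px(img.get("width")), _px(img.get("height"))
        style = img.get("style", "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            beacons.append({
                "src": src,
                "host": parsed.hostname,
                # A query string is where the per-recipient identifier lives.
                "has_token": bool(parsed.query),
            })
    return beacons


if __name__ == "__main__":
    for beacon in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(beacon)
```

On the constructed body the scanner reports only the `t.example.test` image, with `has_token` set, and ignores both the visible logo and the inline CID image. A tiny remote image is not proof of targeting on its own, since commercial newsletters use the same trick; for journalists and activists the useful control is to disable automatic loading of remote content in the mail client, which defeats the beacon regardless of how it is hidden.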
The Citizen Lab observed the same organizations being targeted concurrently by both groups, one using an adversary-in-the-middle (AiTM) phishing kit and the other delivering the HealthKick malware through different phishing lures. This indicates a level of overlap between the two groups, although the exact nature of their relationship remains unclear.
Implications for Cybersecurity and Geopolitical Landscape
The activities of SHADOW-EARTH-053, GLITTER CARP, and SEQUIN CARP highlight the increasing complexity and coordination of cyber espionage efforts linked to state actors. The breadth of targeting observed in these campaigns aligns with the intelligence priorities of the Chinese government, suggesting a systematic approach to digital transnational repression.
For organizations in the affected regions, the practical lesson is that both campaigns succeeded with well-understood techniques: N-day exploitation of unpatched internet-facing servers on one side, and impersonation-based phishing on the other. Timely patching or virtual patching of Exchange and IIS hosts, hunting for web shells and side-loaded DLLs after any exposure window, and hardening of email clients against credential phishing and remote-content beacons address the entry points these actors actually used.
As cyber threats continue to evolve, the international community must remain vigilant and collaborative in addressing these challenges. The documented activities of these threat actors serve as a reminder of the ongoing risks posed by state-sponsored cyber operations.
Source: thehackernews.com