Security researchers reveal two sophisticated China-aligned campaigns targeting government infrastructure across Asia and Europe, plus journalists and activists worldwide.
Cybersecurity researchers have disclosed details of a coordinated China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European NATO member state. The campaign, tracked by Trend Micro under the designation SHADOW-EARTH-053, represents a significant escalation in state-sponsored cyber operations against strategic targets.
"The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables," explained security researchers Daniel Lunghi and Lucas Silva in their analysis.
Government Targets Across Asia and Europe
The SHADOW-EARTH-053 campaign has compromised government networks in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country in the threat actor's victimology footprint is Poland, representing a notable expansion of Chinese cyber operations into NATO territory.

"We observed nearly half the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054," the researchers noted. "However, no evidence of direct operational coordination has been observed between these groups."
Technical Analysis of Attack Methods
The campaign begins with exploitation of known security flaws in unpatched systems, followed by deployment of web shells like Godzilla to establish persistent remote access. These web shells serve as delivery vehicles for command execution, enabling reconnaissance and ultimately deploying the ShadowPad backdoor via AnyDesk.
"The primary entry vector used in this campaign was vulnerabilities in internet-facing IIS applications," Trend Micro emphasized in their report. "Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS."
In at least one case, the attackers weaponized React2Shell (CVE-2025-55182) to distribute a Linux version of Noodle RAT (also known as ANGRYREBEL and Nood RAT). The Google Threat Intelligence Group (GTIG) has linked this attack chain to a group designated UNC6595.
The campaign also employs open-source tunneling tools like IOX, GO Simple Tunnel (GOST), and Wstunnel, along with RingQ to pack malicious binaries and evade detection. For privilege escalation, SHADOW-EARTH-053 uses Mimikatz, while lateral movement is accomplished through a custom remote desktop protocol (RDP) launcher and a C# implementation of SMBExec known as Sharp-SMBExec.
Separate Campaigns Target Journalists and Activists
Simultaneously, researchers at Citizen Lab have identified two distinct China-affiliated phishing campaigns targeting journalists and civil society organizations, particularly those representing Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora communities.

These campaigns, codenamed GLITTER CARP and SEQUIN CARP, were first detected in April and June 2025, respectively. GLITTER CARP has specifically targeted the International Consortium of Investigative Journalists (ICIJ), while SEQUIN CARP focused on ICIJ journalist Scilla Alecci and other international journalists covering topics of interest to the Chinese government.
"The actor employs well-thought-out digital impersonation schemes in phishing emails, including impersonation of known individuals and tech company security alerts," Citizen Lab researchers explained. "Although the targeted groups vary, this activity employs the same infrastructure and tactics across all cases, frequently reusing the same domains and same impersonated individuals across multiple targets."
GLITTER CARP has also been linked to phishing campaigns targeting the Taiwanese semiconductor industry, with some aspects previously documented by Proofpoint in July 2025 under the name UNK_SparkyCarp. SEQUIN CARP shares characteristics with groups tracked by Volexity as UTA0388 and by Trend Micro as TAOTH.
Sophisticated Phishing Techniques
The end goal of these campaigns is to gain initial access to email accounts through credential harvesting, phishing pages, or social engineering targets into granting third-party OAuth token access. GLITTER CARP's phishing emails include 1x1 tracking pixels pointing to URLs on attacker domains to gather device information and confirm email opens.
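As an added example (not code from the Citizen Lab report), the script below flags the kind of remote 1x1 tracking pixel described above in an email's HTML body, so a mail gateway or analyst can confirm the open-tracking attempt before a recipient does; the sample message and the attacker-placeholder.test host are constructed for the demo.

```python
# Added example: detect remote 1x1 tracking pixels in an email HTML body.
# The message and the attacker-placeholder.test domain are constructed; the
# technique it looks for is the open-confirmation pixel attributed to GLITTER CARP.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

CONSTRUCTED_EMAIL_HTML = """
<html><body>
<p>Security alert: unusual sign-in detected on your account.</p>
<img src="https://cdn.example-mail.test/logo.png" width="120" height="40">
<img src="https://track.attacker-placeholder.test/o.gif?id=abc123" width="1" height="1" style="display:none">
<img src="https://beacon.attacker-placeholder.test/p.png" style="width:1px;height:1px">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _dimension(attrs, name):
    """Return width/height in px from an attribute or inline style, else None."""
    value = attrs.get(name)
    if value is None:
        m = re.search(rf"{name}\s*:\s*(\d+)", attrs.get("style", ""))
        value = m.group(1) if m else None
    if value is None:
        return None
    m = re.match(r"\d+", str(value))
    return int(m.group()) if m else None


def find_tracking_pixels(html, trusted_hosts):
    """Return remote images no larger than 1px that load from untrusted hosts."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if not host or host in trusted_hosts:
            continue  # inline or first-party images are not beacons
        w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            hits.append({"host": host, "src": src})
    return hits
```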
"Our analysis of the GLITTER CARP and SEQUIN CARP attacks shows that digital transnational repression increasingly operates through a distributed network of actors," Citizen Lab stated. "The targets we identified in both campaigns align with the intelligence priorities of the Chinese government."
The research unit suggests that "commercial entities hired by the Chinese state may have been behind both clusters of activity," indicating a potential privatization of cyber espionage operations.
Recommendations for Organizations
Security experts emphasize several critical defensive measures:
- Patch Management: Prioritize applying security updates to Microsoft Exchange and IIS applications
- Network Segmentation: Isolate sensitive government and defense networks from internet-facing systems
- Email Security: Implement advanced filtering to detect sophisticated phishing attempts
- Multi-Factor Authentication: Require MFA for all email and critical system access
- Endpoint Detection: Deploy solutions capable of detecting web shells and living-off-the-land techniques
- Threat Intelligence: Monitor for indicators of compromise associated with these campaigns
"In scenarios where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching)," Trend Micro advises.
The coordinated nature of these campaigns highlights the increasing sophistication of China-aligned cyber operations and their expanding focus beyond traditional military and intelligence targets to include journalists and activists who may be critical of Chinese policies.
For organizations in the affected regions, particularly those in government, defense, and media sectors, these disclosures underscore the critical importance of maintaining robust cybersecurity postures and staying vigilant against evolving threats.