Cybersecurity researchers have revealed details of a new Chinese-linked espionage operation targeting government and defense sectors across South, East and Southeast Asia, as well as European governments in NATO.
Trend Micro has determined that this activity is the result of a threat activity cluster tracked under the temporary designation SHADOW-EARTH-053. This hostile group is assessed to have been active since at least December 2024, sharing some network overlap with CL-STA-0049, Earth Alux, and REF7707.
“The group exploits N-day vulnerabilities in Internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (such as the ProxyLogon chain), deploys a web shell (Godzilla) for persistent access, and stages ShadowPad implants via DLL sideloading of legitimate signed executables,” security researchers Daniel Lunghi and Lucas Silva said in their analysis.
Countries targeted for the campaign include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. Poland is the only European country with a unique threat actor footprint.
The cybersecurity vendor confirmed that nearly half of SHADOW-EARTH-053’s targets, particularly those in Malaysia, Sri Lanka, and Myanmar, were previously compromised by a related set of intrusions known as SHADOW-EARTH-054, but said it observed no evidence of direct operational coordination.
The starting point for an attack is to exploit known security flaws to compromise unpatched systems and drop a Godzilla-like web shell to facilitate persistent remote access. The web shell acts as a delivery vehicle for command execution, enabling reconnaissance and ultimately leading to the deployment of the ShadowPad backdoor via AnyDesk. The malware is launched using DLL sideloading.
In at least one case, weaponization of React2Shell (CVE-2025-55182) is said to have facilitated the distribution of Linux versions of Noodle RAT (also known as ANGRYREBEL and Nood RAT). It’s worth mentioning here that the Google Threat Intelligence Group (GTIG) has linked this attack chain to a group known as UNC6595.
It also uses open source tunneling tools such as IOX, GO Simple Tunnel (GOST), Wstunnel, and RingQ to pack malicious binaries and evade detection. To facilitate privilege escalation, SHADOW-EARTH-053 is known to use Mimikatz, while lateral movement is accomplished using a custom Remote Desktop Protocol (RDP) launcher and a C# implementation of SMBExec known as Sharp-SMBExec.
“The primary entry vector used in this campaign was a vulnerability in an Internet-facing IIS application,” Trend Micro said. “Organizations should prioritize applying the latest security updates and cumulative patches to web applications hosted on Microsoft Exchange and IIS.”
“In scenarios where immediate patching is not possible, we strongly recommend deploying an intrusion prevention system (IPS) or web application firewall (WAF) with rulesets specifically tailored to block exploitation attempts against these known CVEs (virtual patches).”
GLITTER CARP and SEQUIN CARP target activists and journalists
The disclosure comes after Citizen Lab warned of new phishing campaigns carried out by two different China-linked threat actors targeting and impersonating journalists and civil society, including Uyghurs, Tibetans, Taiwanese and Hong Kong diaspora activists. This widespread campaign was first detected in April and June 2025, respectively.
The cluster was codenamed “GLITTER CARP,” which specifically identified the International Consortium of Investigative Journalists (ICIJ), and “SEQUIN CARP,” which primarily targeted ICIJ journalist Shira Aletsch and other international journalists writing about matters of significant interest to the Chinese government.
“The attackers are using well-thought-out digital impersonation schemes in their phishing emails, including impersonating known individuals and security alerts from tech companies,” Citizen Lab said. “Although the targeted groups vary, this campaign employs the same infrastructure and tactics in all cases, with the same domains and the same impersonated individuals frequently being reused across multiple targets.”
In addition to conducting large-scale phishing attacks, GLITTER CARP is also involved in phishing operations targeting the semiconductor industry in Taiwan. Some aspects of these efforts were previously documented by Proofpoint in July 2025 under the name UNK_SparkyCarp. SEQUIN CARP, on the other hand, shares similarities with the group tracked by Volexity as UTA0388 and the intrusion set detailed by Trend Micro as TAOTH.
The ultimate goal of the campaign is to gain initial access to email-based accounts through credential harvesting, phishing pages, or by socially engineering the target to grant access to third-party OAuth tokens. GLITTER CARP’s phishing emails also use a 1×1 tracking pixel that points to a URL on the attacker’s domain to collect device information and determine if it was opened by the recipient.
Citizen Lab said it “observed targeting specific organizations simultaneously using both AiTM phishing kits (GLITTER CARP, UNK_SparkyCarp) and HealthKick deliveries using various phishing tactics by another group (UNK_DropPitch).” This indicates that there is some overlap between these groups, but the exact nature of the relationship remains unclear, it added.
“Analysis of the GLITTER CARP and SEQUIN CARP attacks shows that digital transnational repression is increasingly working through distributed networks of attackers,” the research department said. “The targets we have identified in both GLITTER CARP and SEQUIN CARP are consistent with the Chinese government’s intelligence priorities.”
“The breadth of targets described in this and other reports, combined with available information on China’s past and current use of contractors that reflect the activities we observed, suggests with medium confidence that commercial entities hired by the Chinese state may be behind both groups of activities described here.”
Source link
