China-aligned hackers have targeted government and defence sectors across South, East and Southeast Asia, along with a NATO member in Europe, in a fresh cyber espionage campaign.
The activity has been attributed to a threat cluster tracked as “SHADOW-EARTH-053”, which researchers assess has been active since at least December 2024. The campaign shows overlaps with previously identified groups, including Earth Alux and REF7707.
Known Vulnerabilities Used to Breach Networks
The campaign primarily exploits known vulnerabilities in internet-facing Microsoft Exchange Server and Internet Information Services systems to breach unpatched networks.
Security researchers stated that the group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers, then deploys web shells for persistent access and stages ShadowPad implants. Countries identified as targets include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan and Pakistan. Poland was named as the only European nation affected.
ShadowPad Malware and Remote Access Tools Deployed
The attackers deploy web shells such as “Godzilla” to maintain remote access and later install the ShadowPad malware using DLL side-loading techniques. The report said the attackers often leverage legitimate signed executables to evade detection.
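Because the web shells described above sit behind an IIS or Exchange front end, one practical place to look for them is the server's own W3C request log: a web shell typically shows up as repeated POST requests to an .aspx file that is not a normal form target, answered with HTTP 200. The following is an added example for illustration, not code from the report or from any vendor; the log lines, the client addresses and the `KNOWN_POST_ASPX` allowlist are constructed, and a real deployment would build that allowlist from its own clean baseline.

```python
from collections import Counter

# Constructed sample of IIS W3C extended log lines. These are made up for this
# example and are not taken from the report or from any real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-01 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2025-03-01 08:00:05 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 302
2025-03-01 08:00:09 10.0.0.5 GET /owa/ - 443 alice 192.0.2.10 Mozilla/5.0 200
2025-03-01 08:01:10 10.0.0.5 POST /owa/auth/Current/themes/help.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-03-01 08:01:12 10.0.0.5 POST /owa/auth/Current/themes/help.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-03-01 08:01:15 10.0.0.5 POST /owa/auth/Current/themes/help.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-03-01 08:02:00 10.0.0.5 POST /ecp/default.aspx - 443 bob 192.0.2.11 Mozilla/5.0 200
2025-03-01 08:02:30 10.0.0.5 POST /aspnet_client/system_web/x.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""

# Assumed allowlist (lower-case) of .aspx endpoints that legitimately receive
# POSTs on this server. In practice it comes from a known-good baseline.
KNOWN_POST_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_iis_log(text):
    """Parse W3C log text into dicts keyed by the names in the #Fields directive.

    Lines before a #Fields directive and malformed lines are skipped.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # field count mismatch: treat as malformed
        records.append(dict(zip(fields, parts)))
    return records


def find_webshell_candidates(records, allowlist, min_hits=2):
    """Return sorted (uri, client_ip, count) tuples for POSTs to .aspx paths
    outside the allowlist that returned HTTP 200 at least min_hits times
    from the same client. Recurring success is what distinguishes an
    operator working a shell from a one-off scanner probe."""
    hits = Counter()
    for r in records:
        uri = r.get("cs-uri-stem", "").lower()
        if r.get("cs-method") != "POST" or not uri.endswith(".aspx"):
            continue
        if uri in allowlist or r.get("sc-status") != "200":
            continue
        hits[(uri, r.get("c-ip"))] += 1
    return sorted((uri, ip, n) for (uri, ip), n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for uri, ip, n in find_webshell_candidates(recs, KNOWN_POST_ASPX):
        print(f"candidate web shell: {uri} posted to {n}x from {ip}")
```

Lowering `min_hits` to 1 also surfaces the single POST to the odd path under `aspnet_client`; the threshold is a tuning knob between missing a quiet shell and drowning in scanner noise. Any hit should be confirmed by checking the file's creation time and content on disk against the application's install manifest, since the log alone only shows that something answered at that path.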
The intrusions begin with the exploitation of security flaws to gain initial access, followed by reconnaissance and lateral movement using tools such as Mimikatz and custom remote desktop protocol launchers.
In some cases, the campaign also involved the exploitation of a vulnerability dubbed “React2Shell” to distribute a Linux variant of Noodle RAT, a remote access trojan. The attack chain has also been linked by other researchers to a group known as “UNC6595”.
Overlaps With Other Intrusion Sets
The report noted overlaps with another intrusion set, “SHADOW-EARTH-054”, with nearly half of the observed targets, particularly in Malaysia, Sri Lanka and Myanmar, having been previously compromised. However, no direct operational coordination has been confirmed.
In order to evade detection and maintain persistence, the attackers also used open-source tunnelling tools such as IOX, GOST and Wstunnel, along with packing utilities to conceal malicious binaries. Trend Micro advised organisations to prioritise patching of Microsoft Exchange and IIS systems and deploy intrusion prevention or web application firewall solutions where immediate updates are not feasible.
Researchers also flagged phishing campaigns by two other China-linked groups, dubbed “GLITTER CARP” and “SEQUIN CARP”, targeting journalists and civil society groups. The campaigns, first detected in April and June 2025, impersonated journalists, organisations and technology firms in phishing emails aimed at stealing credentials or gaining access to accounts.