"The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables," security researchers Daniel Lunghi and Lucas Silva said.
SHADOW-EARTH-053: a China-aligned espionage cluster active since December 2024
Security vendor Trend Micro has published an analysis attributing an espionage campaign to a cluster it temporarily designates SHADOW-EARTH-053. The vendor assesses the collective has been active since at least December 2024 and observed network overlap with other intrusion sets including CL-STA-0049, Earth Alux, and REF7707. Trend Micro reported that the group focuses on exploiting unpatched, internet-facing services to obtain persistent remote access and to stage further implants.
Techniques, tooling, and malware observed in the intrusions
Trend Micro described a repeated chain of operations: exploitation of known vulnerabilities in internet-exposed Microsoft Exchange and IIS applications, deployment of web shells (notably a web shell called Godzilla), and the eventual deployment of the ShadowPad backdoor via DLL sideloading of legitimately signed binaries. The attackers reportedly use AnyDesk to stage ShadowPad.
Other tooling observed includes tunneling and evasion utilities such as IOX, GO Simple Tunnel (GOST), and Wstunnel, and a packer named RingQ to obfuscate malicious binaries. For privilege escalation the actors have used Mimikatz; for lateral movement they employed a custom remote desktop protocol (RDP) launcher and a C# SMBExec implementation called Sharp-SMBExec.
In at least one incident a weaponized React2Shell exploit (CVE-2025-55182) facilitated distribution of a Linux variant of Noodle RAT (also referenced as ANGRYREBEL or Nood RAT). The Google Threat Intelligence Group linked that particular attack chain to a group it calls UNC6595, according to the reporting.
Targets across South, East, Southeast Asia — and one NATO state
Trend Micro lists country-level victimology that spans Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country named among victims is Poland. The vendor also reported that nearly half of SHADOW-EARTH-053 targets—particularly organizations in Malaysia, Sri Lanka, and Myanmar—had been compromised earlier by a related intrusion set Trend Micro calls SHADOW-EARTH-054, though the analysis found no evidence of direct operational coordination between the two clusters.
GLITTER CARP and SEQUIN CARP: phishing campaigns against journalists and activists
Separately, Citizen Lab disclosed two China-affiliated phishing clusters codenamed GLITTER CARP and SEQUIN CARP that impersonated journalists and civil-society actors, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists. Detected in April and June 2025, the two clusters had different focuses: GLITTER CARP singled out the International Consortium of Investigative Journalists (ICIJ), while SEQUIN CARP primarily targeted ICIJ journalist Scilla Alecci and other international reporters covering topics of interest to the Chinese government.
Citizen Lab found these clusters use "well-thought-out digital impersonation schemes" in phishing emails, including impersonations of known individuals and tech company security alerts. Tactics include credential-harvesting pages, social-engineering the target into granting third-party OAuth tokens, and use of 1x1 tracking pixels that reach back to attacker-controlled domains to confirm when emails are opened. Citizen Lab also noted reuse of domains and impersonated identities across multiple campaigns, and observed concurrent use of an AiTM phishing kit (linked to GLITTER CARP and UNK_SparkyCarp) and separate delivery of a payload named HealthKick (by a group Citizen Lab refers to as UNK_DropPitch).
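A defender-side check for the tracking-pixel tactic described above, added here as an illustration rather than code from Citizen Lab or the report: it parses an HTML email body and flags remote images that are 1x1 (or smaller) and hosted outside the sender's domain. The sample email body, sender domain, and beacon hostnames are constructed.

```python
"""Flag remote 1x1 'tracking pixel' images in an HTML email body.
Added example; the sample email and domains below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append(dict(attrs))


def _dim(attrs, name):
    """Return width/height as int from the attribute or inline CSS, else None."""
    val = attrs.get(name)
    if val is None and attrs.get("style"):
        m = re.search(rf"{name}\s*:\s*(\d+)", attrs["style"])
        val = m.group(1) if m else None
    m = re.match(r"\d+", str(val)) if val is not None else None
    return int(m.group()) if m else None


def find_tracking_pixels(html, sender_domain):
    """Return (host, src) for images that are <=1px in a dimension and
    are fetched from a host outside sender_domain (a likely open beacon)."""
    p = _ImgCollector()
    p.feed(html)
    hits = []
    for a in p.imgs:
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # cid:/data: inline images never reach a remote server
        w, h = _dim(a, "width"), _dim(a, "height")
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        external = host != sender_domain and not host.endswith("." + sender_domain)
        if tiny and external:
            hits.append((host, src))
    return hits


# Constructed sample: a lure with a legitimate logo, two beacons, one inline image.
SAMPLE_EMAIL = """<html><body>
<p>Hi, attached is the story draft we discussed.</p>
<img src="https://example-news.org/logo.png" width="120" height="40">
<img src="https://beacon.example.invalid/o/7f3a.gif" width="1" height="1" style="display:none">
<img src="https://t.example.invalid/p.png" style="width:1px;height:1px">
<img src="cid:sig001" width="1" height="1">
</body></html>"""
```

Running `find_tracking_pixels(SAMPLE_EMAIL, "example-news.org")` returns the two external beacons and ignores the logo and the inline `cid:` image; in a mail-gateway pipeline the flagged hosts are what you would correlate against known phishing infrastructure.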
Citizen Lab concluded that the pattern of targeting and infrastructure reuse "suggests with a medium level of confidence that commercial entities hired by the Chinese state may have been behind both clusters of activity described here."
What this means for technologists, policymakers, and journalists/activists
- Technologists and security teams: Trend Micro recommends prioritizing the latest security updates and cumulative patches for Microsoft Exchange and any web applications hosted on IIS. Where immediate patching is infeasible, the vendor advises deploying Intrusion Prevention Systems or Web Application Firewalls with rulesets tuned to block exploit attempts against the known CVEs (a form of virtual patching).
- Policymakers and regulators: The cross-border victimology—countries across South, East, and Southeast Asia plus Poland—and the reported overlap between intrusion sets will likely prompt attention to supply-chain and cross-border cyber incident reporting, particularly where commercial actors may be contracted to perform offensive operations.
- Journalists, activists, and civil-society groups: Citizen Lab's findings underline persistent phishing and digital-impersonation threats, including credential harvesting and AiTM kits, and the use of tracking pixels and OAuth social engineering to obtain access to email and account data.
The two disclosures together outline two distinct but related threats: an infrastructure-focused espionage campaign that leverages unpatched internet-facing servers, and a parallel phishing-driven effort targeting sensitive civil-society and journalistic communities. Both rely on well-established methods (vulnerability chaining, web shells, DLL sideloading, tunneling, and social-engineered credential collection), which underscores the practical steps Trend Micro and Citizen Lab recommend: patching, virtual patching via IPS/WAF, and heightened email-security vigilance for high-risk targets.
Source: https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html