Cybersecurity experts have revealed details of a fresh espionage operation linked to China, aimed at government and defense organizations across South, East, and Southeast Asia, as well as one European NATO member state.
Trend Micro has linked the campaign to a threat group it is temporarily calling SHADOW-EARTH-053. This hacking collective is believed to have been operating since at least December 2024 and shows some network connections to other known groups: CL-STA-0049, Earth Alux, and REF7707.
“The attackers take advantage of publicly known vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (such as the ProxyLogon chain), then install web shells (Godzilla) for long-term access and deploy ShadowPad implants by hijacking legitimate signed executables through DLL sideloading,” explained security researchers Daniel Lunghi and Lucas Silva in their report.
The campaign’s targets span Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. Poland is the only European country identified among the victims.
Trend Micro noted that nearly half of the SHADOW-EARTH-053 targets—especially those in Malaysia, Sri Lanka, and Myanmar—had previously been breached by a related group called SHADOW-EARTH-054, though no direct coordination between the two has been confirmed.
The attacks begin with exploiting known security weaknesses to break into unpatched systems and plant web shells like Godzilla, which provide persistent remote access. These web shells serve as a channel for running commands, conducting reconnaissance, and ultimately installing the ShadowPad backdoor via AnyDesk. The malware is executed using DLL side-loading techniques.
In at least one instance, the exploitation of React2Shell (CVE-2025-55182) enabled the delivery of a Linux variant of Noodle RAT (also known as ANGRYREBEL and Nood RAT). It is worth noting that Google Threat Intelligence Group (GTIG) connected this attack chain to a group identified as UNC6595.
The attackers also leverage open-source tunneling tools such as IOX, GO Simple Tunnel (GOST), and Wstunnel, along with RingQ to obfuscate malicious files and avoid detection. For privilege escalation, SHADOW-EARTH-053 uses Mimikatz, while lateral movement across networks is achieved through a custom remote desktop protocol (RDP) launcher and a C# implementation of SMBExec called Sharp-SMBExec.
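As an added illustration, not code from the Trend Micro report, the following Python heuristic flags the DLL side-loading pattern described above: a signed executable running outside the standard program directories that loads a DLL from its own folder. The image-load log format, paths and sample events are constructed for this example and are not indicators from the report.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Hypothetical log format, constructed for this example (one image-load event per line):
#   <timestamp> pid=<n> image=<exe path> signed=<yes|no> loaded=<dll path>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"signed=(?P<signed>yes|no) loaded=(?P<dll>.+)$"
)

# Directories where a signed binary loading a neighbouring DLL is expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events; the paths and names are not from the report.
SAMPLE_EVENTS = """\
2025-06-01T10:00:01Z pid=4120 image=C:\\Windows\\System32\\svchost.exe signed=yes loaded=C:\\Windows\\System32\\ntdll.dll
2025-06-01T10:00:05Z pid=5232 image=C:\\Users\\Public\\update\\vendor_tool.exe signed=yes loaded=C:\\Users\\Public\\update\\log.dll
2025-06-01T10:00:06Z pid=5232 image=C:\\Users\\Public\\update\\vendor_tool.exe signed=yes loaded=C:\\Windows\\System32\\kernel32.dll
2025-06-01T10:00:09Z pid=6001 image=C:\\Program Files\\Tool\\tool.exe signed=yes loaded=C:\\Program Files\\Tool\\helper.dll
"""


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted_dir(directory: str) -> bool:
    """True when the directory sits under one of the standard program roots."""
    normalised = directory.lower().rstrip("\\") + "\\"
    return normalised.startswith(TRUSTED_ROOTS)


def find_sideload_candidates(log_text: str) -> List[Dict[str, str]]:
    """Flag signed executables outside trusted roots that load a DLL from their own directory."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["signed"] != "yes":
            continue
        image_dir = ntpath.dirname(ev["image"])
        dll_dir = ntpath.dirname(ev["dll"])
        if is_trusted_dir(image_dir):
            continue  # a vendor binary loading its own DLLs from Program Files is expected
        if image_dir.lower() == dll_dir.lower():
            hits.append({"pid": ev["pid"], "image": ev["image"], "dll": ev["dll"]})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible side-load: pid {hit['pid']} {hit['image']} -> {hit['dll']}")
```

On a real host the same rule would be fed from image-load telemetry (for example Sysmon event ID 7) and tuned with an allow-list of known vendor install paths.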
“The main attack vector in this campaign was vulnerabilities in internet-facing IIS applications,” Trend Micro stated. “Organizations should make it a priority to apply the latest security updates and cumulative patches to Microsoft Exchange and any web applications running on IIS.”
“When immediate patching is not possible, we strongly advise deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically configured to block exploit attempts targeting these known CVEs (Virtual Patching).”
GLITTER CARP and SEQUIN CARP Target Activists and Journalists
This disclosure follows Citizen Lab’s identification of a new phishing campaign carried out by two separate China-linked threat actors, both impersonating journalists and civil society figures, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists. The broad campaigns were first detected in April and June 2025, respectively.
The two groups have been named GLITTER CARP, which focused on the International Consortium of Investigative Journalists (ICIJ), and SEQUIN CARP, whose primary target was ICIJ journalist Scilla Alecci along with other international journalists covering topics sensitive to the Chinese government.
“The actor uses carefully crafted digital impersonation tactics in phishing emails, including posing as known individuals and mimicking tech company security alerts,” Citizen Lab reported. “While the targeted groups differ, the same infrastructure and methods are used across all cases, with the same domains and impersonated individuals frequently reused against multiple targets.”
Beyond its wide-ranging phishing operations, GLITTER CARP has also been linked to phishing attacks targeting the semiconductor industry in Taiwan. Some elements of these efforts were previously reported by Proofpoint in July 2025 under the name UNK_SparkyCarp. SEQUIN CARP (also called UNK_DualTone) shares characteristics with a group tracked by Volexity as UTA0388 and an intrusion set described by Trend Micro as TAOTH.
The ultimate objective of these campaigns is to gain initial access to email accounts through credential harvesting, phishing pages, or by tricking targets into granting access to a third-party OAuth token. GLITTER CARP’s phishing emails also incorporate 1×1 tracking pixels that link to a URL on the attacker’s domain to collect device information and verify whether the emails were opened.
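An added example, not from the Citizen Lab report: a small Python check for the tracking-pixel technique described above. It parses an HTML message and reports images that are 1×1 or hidden and whose source host is outside the claimed sender's domain. The sample message and all domain names are constructed for this example.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse


class PixelFinder(HTMLParser):
    """Collect external hosts referenced by tiny or hidden <img> tags."""

    def __init__(self, sender_domain: str) -> None:
        super().__init__()
        self.sender_domain = sender_domain.lower()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # 1x1 (or 0x0) dimensions, with or without a "px" suffix
        width = a.get("width", "").rstrip("px")
        height = a.get("height", "").rstrip("px")
        tiny = width in ("0", "1") and height in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        same_org = host == self.sender_domain or host.endswith("." + self.sender_domain)
        if host and (tiny or hidden) and not same_org:
            self.findings.append(host)


def find_tracking_pixels(html: str, sender_domain: str) -> List[str]:
    """Return the external hosts contacted by tiny or hidden images in the message body."""
    finder = PixelFinder(sender_domain)
    finder.feed(html)
    return finder.findings


# Constructed sample message; the domains are placeholders, not indicators.
SAMPLE_EMAIL = """<html><body>
<img src="https://news.example-sender.org/logo.png" width="200" height="50">
<p>Hello, please see the attached document.</p>
<img src="https://t.example-tracker.net/open?id=abc123" width="1" height="1">
<img src="https://cdn.example-sender.org/pixel.gif" width="1" height="1">
<img src="https://img.example-beacon.com/b.gif" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for host in find_tracking_pixels(SAMPLE_EMAIL, "example-sender.org"):
        print(f"tracking pixel loads from external host: {host}")
```

Blocking remote image loading in the mail client defeats the beacon regardless of detection; this check is for triage of messages already received.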
Citizen Lab noted that it “observed concurrent targeting of specific organizations using both the AiTM phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick using different phishing tactics by a separate group (UNK_DropPitch).” This suggests some degree of overlap between these groups, the report added, though the exact nature of their relationship remains unclear.
“Our analysis of the GLITTER CARP and SEQUIN CARP attacks demonstrates that digital transnational repression is increasingly carried out through a distributed network of actors,” the research unit stated. “The targets identified in both GLITTER CARP and SEQUIN CARP align with the intelligence priorities of the Chinese government.”
“The scope of targeting documented in this report and by others, combined with available information on China’s past and current use of contractors that mirrors the activity we have observed, suggests with moderate confidence that commercial entities hired by the Chinese state may be responsible for both clusters of activity described here.”
When asked for comment, Mark Kelly, staff threat researcher at Proofpoint, told The Hacker News via email that both UNK_SparkyCarp and UNK_DualTone have conducted identity-focused phishing against a variety of targets, describing the targeting of civil society members as likely a “longstanding feature of these groups’ targeting” rather than a recent change in direction.