China-aligned hackers have launched a cyber espionage campaign targeting government and defence sectors in South, East, and Southeast Asia, as well as a NATO member in Europe. The hackers, identified as ‘SHADOW-EARTH-053’, have been active since at least December 2024 and exploit vulnerabilities in Microsoft Exchange Server and Internet Information Services (IIS) systems to infiltrate networks.
Security researchers revealed that the group exploits N-day vulnerabilities in these systems to gain access, deploy web shells for persistent control, and install ShadowPad implants. Countries affected by these attacks include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan, Pakistan, and Poland in Europe.
The attackers use tactics like deploying web shells named ‘Godzilla’ for remote access, installing ShadowPad malware using DLL side-loading techniques, and leveraging legitimate executables to avoid detection. They also employ tools like Mimikatz and custom remote desktop protocol launchers for reconnaissance and lateral movement within compromised networks.
In addition to targeting vulnerabilities in Microsoft systems, the hackers have exploited a vulnerability known as ‘React2Shell’ to distribute a Linux variant of the Noodle RAT trojan. This activity is tracked as a separate intrusion set, ‘SHADOW-EARTH-054’, which overlaps with ‘SHADOW-EARTH-053’ in its victimology, with a significant number of targets in Malaysia, Sri Lanka, and Myanmar, although direct operational coordination between the two has not been confirmed.
To evade detection, the hackers use open-source tunnelling tools such as IOX, GOST, and Wstunnel, along with packing utilities to obscure malicious binaries. Trend Micro recommends that organizations prioritize patching Microsoft Exchange and IIS systems, and deploy intrusion prevention or web application firewall solutions as a stopgap where immediate updates are not possible.
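Because the campaign relies on web shells dropped on Exchange and IIS hosts, one practical detection on the defender's side is to review IIS request logs for POST traffic to script files in locations that the Exchange front end does not normally serve. The following is an added example written for this article, not code from Trend Micro or from the report it summarizes. It assumes IIS W3C logs with the field layout shown in the constructed sample, and the allowlist of Exchange virtual directories is an assumption that must be tuned to the actual deployment.

```python
"""Heuristic web-shell hunt over IIS W3C logs (added example, not from the report)."""

# Constructed sample log (not from the article). Field order follows the
# #Fields directive, as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-10 08:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-01-10 08:01:09 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 302
2025-01-10 08:02:30 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 Outlook/16.0 200
2025-01-10 08:03:40 10.0.0.5 GET /images/help.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-01-10 08:03:44 10.0.0.5 POST /images/help.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-01-10 08:03:51 10.0.0.5 POST /images/help.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-01-10 08:05:10 10.0.0.5 POST /ecp/proxy.js - 443 - 203.0.113.9 python-requests/2.31 200
"""

# Assumed allowlist: Exchange virtual directories where POSTs to script
# handlers are expected. Tune this to the real server's application layout.
EXPECTED_DYNAMIC_PREFIXES = (
    "/owa/", "/ecp/", "/ews/", "/mapi/", "/autodiscover/",
    "/microsoft-server-activesync", "/rpc/", "/oab/", "/powershell",
)

# Server-side script extensions a dropped web shell would typically use.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Skip lines that do not match the declared layout rather than guess.
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_webshell_candidates(text, expected_prefixes=EXPECTED_DYNAMIC_PREFIXES):
    """Return (client, path, POST count) for POSTs to script files outside
    the expected dynamic-content directories, aggregated per client+path."""
    hits = {}
    for rec in parse_iis_log(text):
        if rec["cs-method"].upper() != "POST":
            continue  # a web shell is driven by POST bodies; GETs alone are noise
        path = rec["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXTENSIONS):
            continue  # static files or non-script handlers
        if path.startswith(expected_prefixes):
            continue  # normal Exchange traffic
        key = (rec["c-ip"], path)
        hits[key] = hits.get(key, 0) + 1
    return [
        {"client": ip, "path": p, "posts": n}
        for (ip, p), n in sorted(hits.items())
    ]


if __name__ == "__main__":
    for hit in find_webshell_candidates(SAMPLE_LOG):
        print(f"{hit['client']} POSTed {hit['posts']}x to {hit['path']}")
```

The heuristic is deliberately an allowlist: rather than enumerating attacker file names, it treats any POST to a script handler outside the directories the Exchange front end is known to serve as worth a look, and aggregates by client and path so a single alert summarizes repeated shell interaction. Results are leads for triage (compare file creation time against deployment records, inspect the file), not verdicts.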
Researchers have also identified phishing campaigns by two other China-linked groups, ‘GLITTER CARP’ and ‘SEQUIN CARP’, targeting journalists and civil society groups. These campaigns, detected in April and June 2025, involve impersonating journalists, organizations, and technology firms in phishing emails to steal credentials or gain unauthorized access.
