
China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists

Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, as well as one European government belonging to NATO.

Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to have been active since at least December 2024, while sharing some degree of network overlap with CL-STA-0049, Earth Alux, and REF7707.

“The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables,” security researchers Daniel Lunghi and Lucas Silva said in an analysis.

Targets of the campaigns include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country that features in the threat actor’s victimology footprint is Poland.

The cybersecurity vendor said it observed nearly half of the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054, although no evidence of direct operational coordination has been observed.

The starting point of the attacks is the exploitation of known security flaws to breach unpatched systems and drop web shells like Godzilla to facilitate persistent remote access. The web shells function as a delivery vehicle for command execution, enabling reconnaissance and ultimately resulting in the deployment of the ShadowPad backdoor via AnyDesk. The malware is launched using DLL side-loading.


In at least one case, the weaponization of React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT). It is worth mentioning here that the Google Threat Intelligence Group (GTIG) linked this attack chain to a group referred to as UNC6595.

Also put to use are open-source tunneling tools like IOX, GO Simple Tunnel (GOST), and Wstunnel, as well as RingQ to pack malicious binaries and evade detection. To facilitate privilege escalation, SHADOW-EARTH-053 has been found to use Mimikatz, while lateral movement is accomplished using a custom remote desktop protocol (RDP) launcher and a C# implementation of SMBExec called Sharp-SMBExec.

“The primary access vector used in this campaign was vulnerabilities in internet-facing IIS applications,” Trend Micro said. “Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS.”

“In situations where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching).”


GLITTER CARP and SEQUIN CARP Go After Activists and Journalists

The disclosure comes as the Citizen Lab flagged a new phishing campaign undertaken by two distinct China-affiliated threat actors targeting and impersonating journalists and civil society, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists. The wide-ranging campaigns were first detected in April and June 2025, respectively.

The clusters have been codenamed GLITTER CARP, which has singled out the International Consortium of Investigative Journalists (ICIJ), and SEQUIN CARP, whose main target was ICIJ journalist Scilla Alecci and other international journalists writing about topics of critical interest to the Chinese government.

“The actor employs well-thought-out digital impersonation schemes in phishing emails, including impersonation of known individuals and tech company security alerts,” the Citizen Lab said. “Although the targeted groups vary, this activity employs the same infrastructure and tactics across all cases, frequently reusing the same domains and identical impersonated individuals across multiple targets.”

GLITTER CARP, in addition to conducting broad-scale phishing attacks, has been tied to phishing campaigns targeting the Taiwanese semiconductor industry. Some aspects of these efforts were previously documented by Proofpoint in July 2025 under the name UNK_SparkyCarp. SEQUIN CARP, on the other hand, shares similarities with a group tracked by Volexity as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH.

The end goal of the campaigns is to obtain initial access to email-based accounts via credential harvesting, phishing pages, or by socially engineering the target into granting access to a third-party OAuth token. GLITTER CARP’s phishing emails also involve the use of 1×1 tracking pixels that point to a URL on the attacker’s domain to collect system information and confirm whether they were opened by the recipients.
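The 1×1 tracking-pixel technique described above, turned into a mail-gateway style detection check as an added example (not part of the original article or of the Citizen Lab report): a Python script that parses a constructed sample email with placeholder domains and flags hidden images fetched from a host outside the sender's domain.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): an impersonated "security alert" whose
# HTML body embeds a hidden 1x1 image hosted on a placeholder attacker domain.
SAMPLE_EMAIL = """\
From: "Account Security" <alerts@example-mailer.test>
Subject: Unusual sign-in on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed a new sign-in. Review it <a href="https://login.example-mailer.test/review">here</a>.</p>
<img src="https://beacon.attacker-placeholder.test/p.gif?id=abc123" width="1" height="1" style="display:none">
<img src="https://cdn.example-mailer.test/logo.png" width="120" height="40">
</body></html>
"""

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one attribute dict per <img> tag
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _looks_hidden(attrs):
    # 1x1/0x0 dimensions or a hidden style are the usual tracking-pixel signatures
    tiny = all(attrs.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_tracking_pixels(raw_email):
    """Hidden images in the HTML body, flagged when fetched from outside the From: domain."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode("utf-8", "replace")  # single-part bodies only
    collector = _ImgCollector()
    collector.feed(body)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if not src or not _looks_hidden(attrs):
            continue  # visible images (logos, banners) are not beacons
        host = (urlparse(src).hostname or "").lower()
        same_org = host == sender_domain or host.endswith("." + sender_domain)
        findings.append({"src": src, "host": host, "external_to_sender": not same_org})
    return findings
```

A pixel on the sender's own domain is reported but not marked external, so the check separates ordinary newsletter open-tracking from the attacker-hosted beacon pattern; multipart or base64-encoded bodies would need the MIME walk added.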


The Citizen Lab said it “observed concurrent targeting of specific organizations using both the AiTM phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick using different phishing tactics by a separate group (UNK_DropPitch).” This suggests some degree of overlap between these groups, it added, although the precise nature of the relationship remains unknown.

“Our analysis of the GLITTER CARP and SEQUIN CARP attacks shows that digital transnational repression increasingly operates through a distributed network of actors,” the research unit said. “The targets we identified in both GLITTER CARP and SEQUIN CARP align with the intelligence priorities of the Chinese government.”

“The breadth of targeting documented in this report and by others, combined with the available information on China’s past and present use of contractors, which mirrors the activity we have observed, suggests with a medium level of confidence that commercial entities hired by the Chinese state may have been behind both clusters of activity described here.”
