Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO.
Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to be active since at least December 2024, while sharing some level of network overlap with CL-STA-0049, Earth Alux, and REF7707.
“The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables,” security researchers Daniel Lunghi and Lucas Silva said in an analysis.
Targets of the campaigns include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country that features in the threat actor’s victimology footprint is Poland.
The cybersecurity vendor said it observed nearly half the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054, although no evidence of direct operational coordination has been observed.
The starting point of the attacks is the exploitation of known security flaws to breach unpatched systems and drop web shells like Godzilla to facilitate persistent remote access. The web shells function as a delivery vehicle for command execution, enabling reconnaissance and ultimately resulting in the deployment of the ShadowPad backdoor via AnyDesk. The malware is launched using DLL side-loading.
In at least one case, the weaponization of the React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT). It’s worth mentioning here that the Google Threat Intelligence Group (GTIG) linked this attack chain to a group known as UNC6595.
Also put to use are open-source tunneling tools like the IOX, GO Simple Tunnel (GOST), and Wstunnel, as well as RingQ to pack malicious binaries and evade detection. To facilitate privilege escalation, SHADOW-EARTH-053 has been found to use Mimikatz, while lateral movement is accomplished using a custom remote desktop protocol (RDP) launcher and C# implementation of SMBExec known as Sharp-SMBExec.
“The primary entry vector used in this campaign were vulnerabilities in internet-facing IIS applications,” Trend Micro said. “Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS.”
“In scenarios where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching).”
GLITTER CARP and SEQUIN CARP Go After Activists and Journalists
The disclosure comes as the Citizen Lab flagged a new phishing campaign undertaken by two distinct China-affiliated threat actors targeting and impersonating journalists and civil society, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists. The wide-ranging campaigns were first detected in April and June 2025, respectively.
The clusters have been codenamed GLITTER CARP, which has singled out the International Consortium of Investigative Journalists (ICIJ), and SEQUIN CARP, whose main target was ICIJ journalist Scilla Alecci and other international journalists writing about topics of critical interest to the Chinese government.
“The actor employs well-thought-out digital impersonation schemes in phishing emails, including impersonation of known individuals and tech company security alerts,” the Citizen Lab said. “Although the targeted groups vary, this activity employs the same infrastructure and tactics across all cases, frequently reusing the same domains and same impersonated individuals across multiple targets.”
GLITTER CARP, besides conducting broad-scale phishing attacks, has been tied to phishing campaigns targeting the Taiwanese semiconductor industry. Some aspects of these efforts were previously documented by Proofpoint in July 2025 under the name UNK_SparkyCarp. SEQUIN CARP (aka UNK_DualTone), on the other hand, shares similarities with a group tracked by Volexity as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH.
The end goal of the campaigns is to obtain initial access to email-based accounts via credential harvesting, phishing pages, or by socially engineering the target into granting access to a third-party OAuth token. GLITTER CARP’s phishing emails also involve the use of 1×1 tracking pixels that point to a URL on the attacker’s domain to gather device information and confirm if they were opened by the recipients.
The Citizen Lab said it “observed concurrent targeting of specific organizations using both the AiTM phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick using different phishing tactics by a separate group (UNK_DropPitch).” This indicates some level of overlap between these groups, it added, although the precise nature of the relationship remains unknown.
“Our analysis of the GLITTER CARP and SEQUIN CARP attacks shows that digital transnational repression increasingly operates through a distributed network of actors,” the research unit said. “The targets we identified in both GLITTER CARP and SEQUIN CARP align with the intelligence priorities of the Chinese government.”
“The breadth of targeting documented in this report and by others, combined with the available information on China’s past and current use of contractors which mirrors the activity we have observed, suggests with a medium level of confidence that commercial entities hired by the Chinese state may have been behind both clusters of activity described here.”
When reached for comment, Mark Kelly, staff threat researcher at Proofpoint, told The Hacker News via email that both UNK_SparkyCarp and UNK_DualTone have carried identity-focused phishing activity against a range of targets, characterizing the targeting of civil society members as likely a “longstanding feature of these groups’ targeting” rather than a recent shift.
“We have observed UNK_SparkyCarp (GLITTER CARP) conducting credential phishing activity against academic, political, semiconductor, and legal sector targets in the United States, Europe, and Taiwan,” Kelly added. “We have not observed the group targeting civil society specifically.”
“However, this is very likely a result of our visibility, and we concur with the attribution within Citizen Lab’s reporting. We understand the group has been heavily active in targeting civil society groups of interest to the Chinese government for some time, which is further supported by domains spoofing perceived opposition groups, such as Falun Gong, that date back several years.”
Proofpoint also noted that it has detected UNK_DualTone targeting multiple U.S.-based journalists in May 2025, and that the activity closely aligns with a campaign using lures related to protests planned on the occasion of the U.S. Army 250th Anniversary Parade.
(The story was updated after publication on May 2, 2026, with additional insights from Proofpoint.)
