China-backed hackers breach Asian govts, defence sectors in fresh cyber espionage push

Share:
Audio Loading voice…
China-backed hackers breach Asian govts, defence sectors in fresh cyber espionage push

Synopsis

A China-aligned hacker group has launched a coordinated cyber espionage campaign targeting government and defence sectors across seven Asian nations plus Poland, exploiting unpatched Microsoft Exchange and IIS systems since December 2024. The SHADOW-EARTH-053 cluster deploys ShadowPad malware and web shells for persistent access, with overlaps suggesting possible coordination with UNC6595 and parallel phishing operations by related groups.

Key Takeaways

China-aligned hackers attributed to 'SHADOW-EARTH-053' have targeted government and defence sectors in India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan, Pakistan and Poland since December 2024 .
The campaign exploits known vulnerabilities in Microsoft Exchange Server and IIS systems to breach unpatched networks and deploy ShadowPad malware.
Attackers use web shells like 'Godzilla' and open-source tunnelling tools such as IOX, GOST and Wstunnel to maintain persistence and evade detection.
Parallel phishing campaigns by 'GLITTER CARP' and 'SEQUIN CARP' target journalists and civil society groups, detected in April and June 2025 .
Trend Micro recommends immediate patching of Microsoft Exchange and IIS systems and deployment of intrusion prevention solutions.

China-aligned hackers have targeted government and defence sectors across South, East and Southeast Asia, along with Poland, a NATO member in Europe, in a fresh cyber espionage campaign, according to a report by The Hacker News. The activity has been attributed to a threat cluster tracked as 'SHADOW-EARTH-053', which researchers assess has been active since at least December 2024, and shares overlaps with previously identified groups such as Earth Alux and REF7707.

Attack methodology and tools

The campaign primarily exploits known vulnerabilities in internet-facing Microsoft Exchange Server and Internet Information Services (IIS) systems to breach unpatched networks. Attackers deploy web shells such as 'Godzilla' to maintain remote access and later install the ShadowPad malware using DLL side-loading techniques, often leveraging legitimate signed executables to evade detection. In some cases, the campaign also involved exploitation of a vulnerability dubbed 'React2Shell' to distribute a Linux variant of Noodle RAT, a remote access trojan.

Geographic scope and targets

Countries targeted include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan and Pakistan, while Poland was identified as the only European nation affected. The report noted overlaps with another intrusion set, 'SHADOW-EARTH-054', with nearly half of the observed targets — particularly in Malaysia, Sri Lanka and Myanmar — previously compromised, though no direct operational coordination has been confirmed.

Reconnaissance and persistence tactics

The intrusions begin with exploitation of security flaws to gain initial access, followed by reconnaissance and lateral movement using tools such as Mimikatz and custom remote desktop protocol launchers. To evade detection and maintain persistence, the attackers also used open-source tunnelling tools such as IOX, GOST and Wstunnel, along with packing utilities to conceal malicious binaries. The attack chain has been linked by other researchers to a group known as 'UNC6595'.

Parallel phishing campaigns

Meanwhile, researchers flagged phishing campaigns by two other China-linked groups, dubbed 'GLITTER CARP' and 'SEQUIN CARP', targeting journalists and civil society groups. The campaigns, first detected in April and June 2025, impersonated journalists, organisations and technology firms in phishing emails aimed at stealing credentials or gaining access to accounts.

Recommended defences

Trend Micro advised organisations to prioritise patching of Microsoft Exchange and IIS systems and deploy intrusion prevention or web application firewall solutions where immediate updates are not feasible. Security experts emphasise that N-day vulnerabilities remain a critical entry vector for state-sponsored threat actors, particularly against government and defence infrastructure.

Point of View

Patchable vulnerabilities — not zero-days — suggests either confidence in slow patch cycles or deliberate choice to avoid burning high-value exploits. For India and other South Asian nations, the message is blunt: unpatched Exchange and IIS servers are now treated as open doors by Beijing-aligned groups. The parallel phishing operations targeting journalists hint at a broader intelligence-gathering mandate, not just tactical network access.
NationPress
13 Jul 2026

Frequently Asked Questions

What is SHADOW-EARTH-053 and which countries has it targeted?
SHADOW-EARTH-053 is a China-aligned threat cluster active since at least December 2024, attributed by researchers to have targeted government and defence sectors across India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan, Pakistan and Poland. The group is assessed to share overlaps with previously identified groups such as Earth Alux and REF7707.
How do the attackers gain initial access to networks?
The campaign primarily exploits known vulnerabilities in internet-facing Microsoft Exchange Server and Internet Information Services (IIS) systems to breach unpatched networks. Once inside, attackers deploy web shells such as 'Godzilla' to maintain remote access and later install the ShadowPad malware using DLL side-loading techniques.
What is ShadowPad and how does it work?
ShadowPad is a malware implant deployed by SHADOW-EARTH-053 after initial network compromise. Attackers use DLL side-loading techniques and legitimate signed executables to evade detection, enabling persistent remote access to compromised systems.
Are there other related hacker groups involved in these campaigns?
Yes, researchers have identified overlaps with UNC6595 and another intrusion set called SHADOW-EARTH-054. Additionally, two other China-linked groups, GLITTER CARP and SEQUIN CARP, are conducting parallel phishing campaigns targeting journalists and civil society groups, detected in April and June 2025.
What defences are recommended against these attacks?
Trend Micro advises organisations to prioritise immediate patching of Microsoft Exchange and IIS systems. Where immediate updates are not feasible, organisations should deploy intrusion prevention or web application firewall solutions to block exploitation attempts.
Nation Press
The Trail

Connected Dots

Tracing the thread behind this story — newest first.

8 Dots
  1. Latest 2 weeks ago
  2. 1 month ago
  3. 1 month ago
  4. 3 months ago
  5. 4 months ago
  6. 5 months ago
  7. 8 months ago
  8. 1 year ago
Google Prefer NP
On Google