
China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists
Why It Matters
The operations expose critical vulnerabilities in government IT stacks and signal an escalating Chinese effort to surveil and influence political discourse, demanding urgent defensive measures across the region and beyond.
Key Takeaways
- SHADOW-EARTH-053 exploits unpatched Exchange/IIS servers across Asian governments.
- The group deploys Godzilla web shells and the ShadowPad backdoor via DLL sideloading.
- Poland is the only NATO member identified as a victim.
- GLITTER CARP and SEQUIN CARP phishing campaigns target journalists and diaspora activists.
- Attackers use AI phishing kits, tracking pixels, and open-source tunneling tools.
Pulse Analysis
Trend Micro’s latest attribution reveals a China‑aligned espionage group, labeled SHADOW‑EARTH‑053, actively compromising government and defense networks across South, East and Southeast Asia since at least December 2024. The actors weaponize unpatched Microsoft Exchange and IIS servers, installing Godzilla web shells that deliver the ShadowPad backdoor through DLL sideloading of signed executables. Victims include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and, uniquely among NATO members, Poland. Over half of the compromised entities were previously hit by the related SHADOW‑EARTH‑054 set, suggesting a persistent threat landscape.
In parallel, Citizen Lab identified two phishing clusters—GLITTER CARP and SEQUIN CARP—directed at journalists, civil‑society activists and the Taiwanese semiconductor sector. The campaigns impersonate trusted contacts and tech‑company alerts, embed 1×1 tracking pixels, and reuse domains across operations, enabling credential harvesting and OAuth token abuse. GLITTER CARP has pursued members of the International Consortium of Investigative Journalists, while SEQUIN CARP focused on ICIJ reporter Scilla Alecci and other reporters covering China‑sensitive topics. These operations illustrate a coordinated transnational repression effort that blends traditional espionage with influence‑campaign tactics.
The disclosures underscore the urgency for affected ministries and enterprises to apply the latest Exchange and IIS patches, deploy intrusion‑prevention systems and web‑application firewalls tuned to known CVEs, and monitor for anomalous web‑shell activity. Open‑source tunneling tools such as GOST and Wstunnel, along with legitimate binaries repackaged by RingQ, further complicate detection, prompting a shift toward behavioral analytics and endpoint‑detection‑and‑response solutions. As Chinese cyber operations increasingly blend state‑directed espionage with covert influence campaigns, policymakers must consider coordinated attribution frameworks and investment in cyber‑resilience to protect critical infrastructure and press freedom.
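The recommendation above to "monitor for anomalous web-shell activity" is easier to act on with a concrete heuristic. The following is an added example, not code from Trend Micro, Citizen Lab or the article: it parses IIS W3C extended log lines and flags script paths (.aspx/.ashx/.asmx) that receive repeated POSTs from very few client addresses with no Referer and are absent from a per-host baseline of expected script paths. The log excerpt, the paths, the IP addresses and the `KNOWN_PATHS` baseline are all constructed for illustration and are not indicators from the reported intrusions.

```python
"""Heuristic triage of IIS W3C logs for web-shell-like request patterns.

Added example. The log lines, paths and addresses below are constructed
for illustration; they are not indicators from any reported intrusion.
"""
from collections import defaultdict

# Server-side script extensions worth examining on an Exchange/IIS host.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

# Assumed baseline of script paths this host legitimately serves; tune per server.
KNOWN_PATHS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Constructed IIS W3C extended log excerpt. IIS encodes spaces inside a
# field as "+", so a plain whitespace split recovers the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-10 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-01-10 08:01:15 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/auth/logon.aspx 302 0 0 95
2025-01-10 08:02:40 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.11 Mozilla/5.0+(Macintosh) - 200 0 0 101
2025-01-10 08:02:58 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.11 Mozilla/5.0+(Macintosh) https://mail.example.test/ecp/ 200 0 0 140
2025-01-10 08:03:01 10.0.0.5 POST /aspnet_client/example.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 34
2025-01-10 08:03:02 10.0.0.5 POST /aspnet_client/example.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 31
2025-01-10 08:03:04 10.0.0.5 POST /aspnet_client/example.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 29
2025-01-10 08:03:09 10.0.0.5 POST /aspnet_client/example.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 33
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header.

    Lines whose column count does not match the header are skipped rather
    than mis-aligned, so a truncated line cannot shift fields silently.
    """
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        parts = line.split()
        if len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def find_suspicious_script_paths(records, min_posts=3, max_clients=2):
    """Return {path: summary} for script paths that look like web-shell endpoints.

    A path is flagged when it is not in the baseline, receives at least
    ``min_posts`` POSTs, is never requested with a Referer (browsers set one
    when a real page submits a form), and is contacted by at most
    ``max_clients`` distinct client addresses.
    """
    stats = defaultdict(lambda: {"posts": 0, "with_referer": 0, "clients": set()})
    for rec in records:
        path = rec["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXTS):
            continue
        entry = stats[path]
        entry["clients"].add(rec["c-ip"])
        if rec["cs-method"].upper() == "POST":
            entry["posts"] += 1
        if rec["cs(Referer)"] != "-":
            entry["with_referer"] += 1

    flagged = {}
    for path, entry in stats.items():
        if path in KNOWN_PATHS:
            continue
        if (entry["posts"] >= min_posts
                and entry["with_referer"] == 0
                and len(entry["clients"]) <= max_clients):
            flagged[path] = {"posts": entry["posts"],
                             "clients": sorted(entry["clients"])}
    return flagged


if __name__ == "__main__":
    for path, summary in find_suspicious_script_paths(parse_iis_log(SAMPLE_LOG)).items():
        print(f"review {path}: {summary['posts']} POSTs from {summary['clients']}")
```

The output is a triage list, not a verdict: a flagged path should be checked on disk for its creation time, owner and content, and correlated with the process tree of the IIS worker process, since sideloaded DLLs and tunneling tools leave traces there that the web log alone cannot show.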