1 Campaign, 2 Targets: China’s Cyber Operations Hit Asian Governments and Dissidents Abroad

The Shadow‑Earth‑053 operation, uncovered by Trend Micro, illustrates a sophisticated blend of traditional state espionage and targeted repression of diaspora voices. By compromising vulnerable Microsoft Exchange and IIS servers and deploying a previously unknown Linux exploit, the actors gained long‑term footholds in government networks across South and Southeast Asia. Simultaneously, the Glitter Carp and Sequin Carp phishing streams harvested credentials from Uyghur, Tibetan, Taiwanese and Hong Kong critics, turning cyber tools into instruments of transnational silencing.

Strategically, the campaign signals the payoff of China’s 2024 restructuring that birthed a dedicated Cyberspace Force. Consolidating cyber, space and electronic‑warfare units under a single command has accelerated tool development, doubled zero‑day usage, and expanded targeting to edge devices like routers and VPNs. With a 2026 defense budget of roughly $275 billion and a declared goal of cyber parity with the United States, Beijing now fields an offensive capability that can infiltrate key allies such as India—central to the Quad—and even a NATO member, Poland, threatening joint defense planning and supply chains supporting Ukraine.

Policymakers must move beyond patching vulnerabilities to build real‑time threat‑sharing frameworks across the Quad and NATO, and to adopt unified protections for at‑risk journalists and exiled activists. Sanctions on private contractors that enable covert tool testing could impose tangible costs on Beijing’s gray‑zone playbook. As China continues to fuse intelligence collection with political coercion, a coordinated diplomatic and cyber‑resilience response will be essential to preserve democratic information flows and maintain strategic advantage in the Indo‑Pacific and beyond.