
China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists

Trend Micro and Citizen Lab have identified multiple China-aligned threat actors conducting widespread espionage campaigns against government, defense, and civil society targets across Asia, Europe, and the U.S.

Key Points

  • Trend Micro identified the SHADOW-EARTH-053 cluster, which exploits N-day vulnerabilities in Microsoft Exchange and IIS servers to deploy web shells and the ShadowPad backdoor.
  • Targeted nations include India, Malaysia, Pakistan, Sri Lanka, Myanmar, Thailand, Taiwan, and Poland, with attacks active since at least December 2024.
  • Citizen Lab reported that groups codenamed GLITTER CARP and SEQUIN CARP are using sophisticated phishing and impersonation to target journalists and diaspora activists.
  • Attackers use a range of tools for persistence and evasion, including Godzilla web shells, Noodle RAT, Mimikatz, and open-source tunneling software such as IOX and GOST.
  • Researchers suggest these campaigns likely involve commercial entities contracted by the Chinese state to conduct transnational repression and intelligence gathering.

Why it Matters

These coordinated campaigns highlight a significant escalation in digital espionage, threatening both national security infrastructure and the safety of international journalists and activists. Organizations must prioritize patching internet-facing servers and implementing robust web application firewalls to defend against these persistent, state-aligned threat actors.
Published by info@thehackernews.com (The Hacker News)