China-Linked Espionage Campaign Targets Government and Defense Sectors Across Asia and Europe
A new China-aligned espionage campaign, dubbed **SHADOW-EARTH-053** by **Trend Micro**, is targeting government and defense sectors across South, East, and Southeast Asia, as well as a NATO-member European government. The threat actors are exploiting N-day vulnerabilities and deploying web shells for persistent access.

Cybersecurity researchers have uncovered a sophisticated espionage campaign originating from China, targeting critical infrastructure and government entities across multiple continents.
### SHADOW-EARTH-053: Espionage Across Continents
**Trend Micro** has identified the threat activity cluster as **SHADOW-EARTH-053**, noting its activity since at least December 2024. The group shares network overlaps with other known threat actors, including CL-STA-0049, Earth Alux, and REF7707.
According to researchers Daniel Lunghi and Lucas Silva, the group exploits N-day vulnerabilities in internet-facing **Microsoft Exchange** and Internet Information Services (**IIS**) servers, leveraging vulnerabilities like **ProxyLogon**. They then deploy web shells, such as **Godzilla**, for persistent access and stage **ShadowPad** implants via DLL sideloading of legitimate signed executables.
Targets include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, with Poland being the single identified European nation.
### Attack Chain and Tactics
The initial breach involves exploiting known security flaws to compromise unpatched systems, followed by deploying web shells like Godzilla for persistent remote access. These web shells serve as a launchpad for command execution, reconnaissance, and the eventual deployment of the ShadowPad backdoor via **AnyDesk**. The malware is launched through DLL sideloading, in which a legitimate signed executable is abused to load the malicious DLL.
In one instance, the **React2Shell** vulnerability (**CVE-2025-55182**) was reportedly used to distribute a Linux version of **Noodle RAT** (aka ANGRYREBEL and Nood RAT). The **Google Threat Intelligence Group (GTIG)** has linked this specific attack chain to a group known as UNC6595.

Open-source tunneling tools like IOX, GO Simple Tunnel (GOST), and Wstunnel are also employed, along with **RingQ** for packing malicious binaries and evading detection. For privilege escalation, **SHADOW-EARTH-053** utilizes **Mimikatz**, while lateral movement is facilitated through a custom remote desktop protocol (RDP) launcher and a C# implementation of SMBExec known as [Sharp-SMBExec](https://github.com/checkymander/Sharp-SMBExec/).
### Mitigation Strategies
"The primary entry vector used in this campaign was vulnerabilities in internet-facing IIS applications," Trend Micro stated. They recommend prioritizing the application of the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS.
In cases where immediate patching is not possible, deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically designed to block exploit attempts against known CVEs is strongly advised, a practice known as virtual patching.
### GLITTER CARP and SEQUIN CARP Target Activists and Journalists
**Citizen Lab** has also reported a new phishing campaign by two distinct China-affiliated threat actors targeting journalists and civil society, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists. These campaigns were detected in April and June 2025.
The clusters are named **GLITTER CARP**, which has targeted the International Consortium of Investigative Journalists (**ICIJ**), and **SEQUIN CARP**, whose main targets were ICIJ journalist Scilla Alecci and other international journalists writing about topics of critical interest to the Chinese government.

Citizen Lab notes that the actors employ sophisticated digital impersonation schemes in phishing emails, including impersonating known individuals and tech company security alerts. Despite varying targeted groups, the activity uses consistent infrastructure and tactics, frequently reusing the same domains and impersonated individuals across multiple targets.
**GLITTER CARP**, in addition to broad-scale phishing attacks, has been linked to phishing campaigns targeting the Taiwanese semiconductor industry. **SEQUIN CARP** shares similarities with a group tracked by **Volexity** as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH.
The campaigns aim to gain initial access to email accounts via credential harvesting, phishing pages, or social engineering that tricks targets into granting a third-party application OAuth access to their account. GLITTER CARP's phishing emails also embed 1x1 tracking pixels to gather device information and confirm whether emails were opened.
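A defender-side check for the open-tracking pixels described above, written as an added example that is not part of the Citizen Lab report or this article: it parses an HTML email body and flags remote images that are 1x1 or hidden, or that carry an opaque identifier in their query string. The sender domain, the heuristic thresholds and the constructed sample message are assumptions.

```python
"""Flag likely open-tracking pixels in an HTML email body (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny_or_hidden(attrs):
    """1x1 (or 0x0) dimensions, or CSS that hides the image entirely."""
    style = attrs.get("style", "").replace(" ", "").lower()
    dims = [attrs.get("width", "").strip("px "), attrs.get("height", "").strip("px ")]
    return dims in (["1", "1"], ["0", "0"]) or "display:none" in style or "visibility:hidden" in style


def find_tracking_pixels(html, sender_domain):
    """Return the src URLs of <img> tags that look like read-receipt beacons.

    Heuristic (an assumption): the image is fetched from a host outside the
    sender's domain AND is either tiny/hidden or carries a query parameter of
    16+ characters, i.e. a per-recipient token. data: URIs cannot phone home.
    """
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        host = url.hostname or ""
        external = not (host == sender_domain or host.endswith("." + sender_domain))
        opaque_token = any(len(v[0]) >= 16 for v in parse_qs(url.query).values())
        if external and (_is_tiny_or_hidden(img) or opaque_token):
            hits.append(src)
    return hits


# Constructed sample message: one legitimate logo, two beacons, one inline
# data URI, one ordinary external banner. Hosts use the reserved .invalid TLD.
SAMPLE_EMAIL = """<html><body>
<img src="https://example.org/logo.png" width="120" height="40">
<p>Security alert: unusual sign-in detected on your account.</p>
<img src="https://cdn.beacon.invalid/open.gif?id=4f3c2a1b9e8d7c6f5a4b3c2d" width="1" height="1">
<img src="https://cdn.beacon.invalid/spacer.png" style="display: none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
<img src="https://news.example.net/banner.jpg" width="600" height="90">
</body></html>"""

if __name__ == "__main__":
    for beacon in find_tracking_pixels(SAMPLE_EMAIL, "example.org"):
        print("tracking pixel:", beacon)
```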
Citizen Lab observed concurrent targeting of specific organizations using both the adversary-in-the-middle (AiTM) phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick, indicating potential overlap between these groups, although the exact relationship remains unclear.
The research unit concludes that digital transnational repression increasingly operates through a distributed network of actors and that the targets align with the intelligence priorities of the Chinese government, suggesting the involvement of commercial entities hired by the Chinese state.