China-aligned hackers have reportedly targeted government and defence organisations across South, East and Southeast Asia, along with one NATO member in Europe, in a new cyber espionage campaign.
According to a report highlighted by The Hacker News, the activity has been linked to a threat cluster tracked as SHADOW-EARTH-053. Researchers believe the group has been active since at least December 2024 and shares similarities with previously known groups, including Earth Alux and REF7707.
The campaign mainly targets unpatched, internet-facing Microsoft Exchange Server and Internet Information Services systems. Attackers exploit known vulnerabilities in these systems to break into networks, deploy web shells and maintain long-term access.
Countries reportedly targeted include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan, and Pakistan. Poland was identified as the only European country affected in the campaign.
Once inside a network, the attackers use web shells such as Godzilla to maintain remote access to the compromised server. They then deploy ShadowPad malware through DLL side-loading: a malicious DLL is placed beside a legitimate, signed executable that loads it by name, so the payload runs under a trusted process and is less likely to be flagged.
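Web shells on Exchange and IIS servers leave a trace in the IIS W3C request logs even when the shell's own traffic is encrypted (as Godzilla's is): a script file that appears in a writable front-end directory and is driven almost entirely by POST requests from a small set of client addresses. The following hunt is an added example written for this article, not code from the Trend Micro report or from the article. The log lines are constructed, and the suspect directories and allowlist of legitimate pages are assumptions to be tuned to a real deployment.

```python
"""Hunt IIS W3C logs for web-shell-like activity on an Exchange front end.

Added example; the sample log below is constructed, not captured from a
real intrusion. IIS writes User-Agent with spaces replaced by '+', so every
field is a single whitespace-free token and the lines split cleanly.
"""
from collections import defaultdict

# Constructed excerpt of an IIS log, with the #Fields header IIS emits.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-01-10 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx url=/owa 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 35
2025-01-10 08:01:15 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302 120
2025-01-10 08:03:40 10.0.0.5 GET /owa/auth/logon.aspx url=/owa 443 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) 200 31
2025-01-10 08:45:02 10.0.0.5 GET /owa/auth/probe.aspx - 443 - 198.51.100.9 python-requests/2.31 404 3
2025-01-10 09:12:03 10.0.0.5 POST /aspnet_client/system_web/x.aspx - 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200 7
2025-01-10 09:12:09 10.0.0.5 POST /aspnet_client/system_web/x.aspx - 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200 9
2025-01-10 09:20:51 10.0.0.5 GET /owa/auth/ab.aspx - 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200 4
2025-01-10 09:20:58 10.0.0.5 POST /owa/auth/ab.aspx - 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200 11
2025-01-10 10:02:00 10.0.0.5 GET /ecp/default.aspx - 443 admin@corp 10.0.0.9 Mozilla/5.0+(Windows+NT+10.0) 200 50
"""

# Assumption: front-end directories the IIS worker can write to and that are
# commonly chosen as drop locations. Tune to your own Exchange build.
SUSPECT_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")
# Assumption: pages legitimately served from those directories (lowercase).
KNOWN_PAGES = {"/owa/auth/logon.aspx"}
SCRIPT_EXT = (".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line instead of aborting the hunt
        yield dict(zip(fields, parts))


def hunt(text, suspect_dirs=SUSPECT_DIRS, known_pages=KNOWN_PAGES):
    """Return {uri_stem: stats} for unknown script files in suspect dirs that
    received at least one POST. A stray GET to an unknown page is usually a
    scanner (see probe.aspx above); a POST is how a shell is actually driven."""
    stats = defaultdict(
        lambda: {"hits": 0, "posts": 0, "clients": set(), "first_seen": None}
    )
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXT):
            continue
        if not any(stem.startswith(d) for d in suspect_dirs):
            continue
        if stem in known_pages:
            continue
        s = stats[stem]
        s["hits"] += 1
        if rec["cs-method"].upper() == "POST":
            s["posts"] += 1
        s["clients"].add(rec["c-ip"])
        ts = f"{rec['date']} {rec['time']}"  # ISO order, so string compare works
        if s["first_seen"] is None or ts < s["first_seen"]:
            s["first_seen"] = ts
    return {p: s for p, s in stats.items() if s["posts"] > 0}


if __name__ == "__main__":
    for path, s in hunt(SAMPLE_LOG).items():
        print(f"{path}: {s['posts']}/{s['hits']} POST, first seen {s['first_seen']}, "
              f"clients {sorted(s['clients'])}")
```

Once a path is flagged, confirm on disk: check the file's creation time against the first_seen timestamp and against the Exchange patch level, and preserve the file before removing it. Note that this heuristic keys on request shape and location, not content, so it will also surface legitimate custom pages dropped into those directories; that is why the allowlist exists.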
Researchers said the attack chain begins with the exploitation of security flaws, followed by reconnaissance and lateral movement. Tools such as Mimikatz and custom remote desktop protocol launchers were also used during the intrusions.
In some cases, attackers also exploited a vulnerability known as React2Shell to spread a Linux version of Noodle RAT, a remote access trojan. Other researchers have linked parts of the campaign to a group known as UNC6595.
The report also found overlaps with another intrusion set called SHADOW-EARTH-054. Nearly half of the observed targets, especially in Malaysia, Sri Lanka, and Myanmar, had reportedly already been compromised in earlier intrusions attributed to that set. However, researchers have not confirmed direct coordination between the two groups.
To stay hidden and maintain access, the attackers used open-source tunnelling tools such as IOX, GOST and Wstunnel to route traffic in and out of compromised hosts. They also used packers to obfuscate malicious files and make detection more difficult.
Trend Micro has advised organisations to patch Microsoft Exchange and IIS systems promptly. Where immediate updates are not possible, companies should use intrusion prevention systems or web application firewalls to reduce the risk of attack, bearing in mind that these only filter known exploit patterns and are a stopgap rather than a substitute for patching.
The report also mentioned separate phishing campaigns by two other China-linked groups, known as GLITTER CARP and SEQUIN CARP. These campaigns targeted journalists and civil society groups by impersonating journalists, organisations, and technology companies in emails designed to steal credentials or gain access to accounts.