China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists
China-Linked Espionage Groups Target Global Governments, Journalists, and Activists: What Moroccan IT Pros Need to Know
In the rapidly evolving landscape of global cyber espionage, a series of sophisticated campaigns linked to China-aligned threat actors has recently come to light. These operations, tracked by major cybersecurity firms including Trend Micro, Google Threat Intelligence Group (GTIG), and Proofpoint, represent a significant threat to government infrastructure, the defense sector, and civil society.
TL;DR
New espionage campaigns by actors like SHADOW-EARTH-053 and GLITTER CARP are exploiting N-day vulnerabilities in Microsoft Exchange and IIS to breach government and defense sectors globally. These groups utilize advanced tools like the ShadowPad backdoor and Godzilla web shells for persistence and data theft. Meanwhile, other clusters are conducting "transnational repression" by targeting journalists and activists using sophisticated phishing and OAuth token abuse.
The Rise of SHADOW-EARTH-053
Cybersecurity researchers from Trend Micro have identified a new threat cluster designated as SHADOW-EARTH-053. While this group has been active since at least December 2024, its operational footprint has expanded significantly throughout 2025.
The group primarily targets government and defense sectors across South, East, and Southeast Asia—including Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. Notably, the campaign has also reached Europe, with a confirmed victimology footprint in Poland, a prominent NATO member state.
There is significant technical overlap between this group and other known entities such as Earth Alux, CL-STA-0049, and REF7707. Interestingly, researchers observed that nearly half of SHADOW-EARTH-053's targets had been previously compromised by a related cluster dubbed SHADOW-EARTH-054, though direct operational coordination between the two remains unconfirmed.
Technical Breakdown: The Attack Chain
For Moroccan sysadmins and security practitioners, understanding the entry vectors is critical. The attackers rely on "N-day" vulnerabilities—known flaws for which patches are already available but have not been applied by the target organization.
- Initial Access: Exploitation of known vulnerabilities in internet-facing Microsoft Exchange servers (for example the ProxyLogon chain, CVE-2021-26855 chained with CVE-2021-27065) and in other applications hosted on Internet Information Services (IIS).
- Persistence: Once inside, the group drops the Godzilla web shell.
- Technical Note: A web shell is a malicious script (on IIS, typically an .aspx page) uploaded to the server that lets the attacker execute commands remotely through ordinary HTTP requests. Godzilla encrypts its command traffic, so network signatures written for plain-text shells miss it; hunt instead for script files appearing in unusual directories and for POST-only request patterns in the IIS logs.
- Backdoor Deployment: Using DLL side-loading (placing a malicious DLL that carries the name of a system library next to a legitimate, signed executable, so that the Windows DLL search order loads the attacker's copy from the application directory before the real one in System32), the group installs the ShadowPad backdoor.
- Lateral Movement & Tooling: The attackers use a mix of open-source and custom tools:
- AnyDesk: A legitimate remote-support product, abused so that interactive access blends in with normal administrative traffic.
- Mimikatz: To harvest credentials from memory and escalate privileges.
- Sharp-SMBExec: An open-source C# port of SMBExec, which runs commands on remote hosts by creating a service over SMB.
- Noodle RAT: In some cases a Linux build of this Remote Access Trojan was delivered by exploiting CVE-2025-55182 (React2Shell).
- Tunneling: IOX, GOST, and Wstunnel wrap command-and-control and lateral-movement traffic in permitted protocols (TCP forwarding, SOCKS, WebSocket over HTTP) to cross egress filtering and reach segmented networks.
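As an added example (not code from the report or from any of the vendors cited), here is the kind of IIS log triage the persistence step calls for. It parses W3C-format IIS log lines, builds per-path statistics for server-side scripts, and scores paths that look like a web shell: only ever POSTed to, never carrying a Referer, hit by one or two client IPs, and sitting in a directory where post-exploitation shells on Exchange hosts are commonly written. The log lines are constructed, and the directory watch list is an assumption to be extended from your own estate.

```python
"""Triage IIS W3C logs for web-shell-like request patterns (constructed sample).

Heuristic: a server-side script that only receives POSTs, from one or two client
IPs, with no Referer, and that lives in a known drop directory, deserves a look
on disk. Encrypted shells such as Godzilla defeat content signatures, but they
cannot hide the request pattern itself.
"""
from collections import defaultdict

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".php")
# Directories where shells have repeatedly been dropped on Exchange/IIS hosts.
# Assumed watch list for the example; extend it for your own applications.
SUSPECT_DIRECTORIES = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")

# Constructed log excerpt, not taken from any real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-11-03 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 31
2025-11-03 08:01:15 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 45
2025-11-03 08:02:40 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.11 Mozilla/5.0 - 200 28
2025-11-03 08:02:44 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.11 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 41
2025-11-03 08:05:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.12 Mozilla/5.0 - 200 30
2025-11-03 08:05:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.12 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 39
2025-11-03 08:14:02 10.0.0.5 POST /aspnet_client/system_web/errorFF.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 12
2025-11-03 08:14:09 10.0.0.5 POST /aspnet_client/system_web/errorFF.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 118
2025-11-03 08:16:33 10.0.0.5 POST /aspnet_client/system_web/errorFF.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 2044
"""


def parse_iis_log(text):
    """Yield one dict per data row, keyed by the names in the latest #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row before any #Fields header")
        values = line.split()  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # truncated row; skipping beats misaligned columns
        yield dict(zip(fields, values))


def hunt_webshells(text, min_score=3):
    """Score each script path; return {path: (score, reasons)} at or above min_score."""
    per_path = defaultdict(lambda: {"methods": set(), "ips": set(), "referers": set()})
    for row in parse_iis_log(text):
        path = row["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXTENSIONS):
            continue
        stats = per_path[path]
        stats["methods"].add(row["cs-method"])
        stats["ips"].add(row["c-ip"])
        stats["referers"].add(row.get("cs(Referer)", "-"))

    findings = {}
    for path, stats in per_path.items():
        reasons = []
        if stats["methods"] == {"POST"}:
            reasons.append("only POST requests")
        if stats["referers"] == {"-"}:
            reasons.append("never carries a Referer")
        if len(stats["ips"]) <= 2:
            reasons.append("requested by %d client IP(s) only" % len(stats["ips"]))
        if path.startswith(SUSPECT_DIRECTORIES):
            reasons.append("lives in a known web-shell drop directory")
        if len(reasons) >= min_score:
            findings[path] = (len(reasons), reasons)
    return findings


if __name__ == "__main__":
    for path, (score, reasons) in sorted(hunt_webshells(SAMPLE_LOG).items()):
        print(f"[{score}] {path}")
        for reason in reasons:
            print("     -", reason)
```

In the sample, the legitimate OWA logon page is visited by several clients and served via GET, so it scores too low, while the .aspx under /aspnet_client/ collects all four reasons. Treat a hit as a trigger to pull the file and its timestamps, not as a verdict.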
Transnational Repression: Targeting Journalists and Activists
Parallel to the infrastructure attacks, another set of actors—GLITTER CARP (also known as UNK_SparkyCarp) and SEQUIN CARP (UTA0388)—is focusing on human targets.
This "transnational repression" campaign targets the International Consortium of Investigative Journalists (ICIJ), and diaspora activists from Hong Kong, Tibet, and Taiwan. The goal is simple: total access to the target's communications.
The attackers use highly convincing phishing schemes, including:
- Impersonation: Emails crafted to look like security alerts from major tech companies or like messages from known associates.
- AiTM Phishing Kits: Adversary-in-the-Middle kits that proxy the real login page, relay the victim's one-time code to the provider, and capture the resulting session cookie, which defeats push and OTP-based multi-factor authentication.
- OAuth Token Abuse: Socially engineering targets into approving a malicious third-party app's access to their mailbox. The app receives access and refresh tokens through the provider's legitimate consent flow, so no password is stolen, MFA is never challenged, and access survives a password reset until the grant itself is revoked.
- Tracking Pixels: 1x1 invisible images embedded in emails; when the mail client fetches the image, the attacker learns that the message was opened, from which IP address and client software, confirming the address is live and in use before the real lure is sent.
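The OAuth trick above leaves a trace the password-based attacks do not: a consent event in the identity provider's audit log. As an added example (not from the report or from Citizen Lab's research), the code below triages a constructed feed of consent grants and scores the combination the campaign relies on: a user, not an administrator, approving an app from an unverified publisher that asks for mailbox scopes and a refresh token. The record shape is an assumption; Entra ID and Google Workspace audit schemas differ, so map their fields onto it first.

```python
"""Triage OAuth consent grants for the abuse pattern described above.

Events are constructed; the field names are a simplified shape, not the exact
schema of any identity provider's audit log.
"""
import json

# Delegated scopes that expose mail content (Microsoft Graph and Google names).
MAIL_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# A refresh token keeps the grant alive after logout or a password change.
PERSISTENCE_SCOPES = {"offline_access"}

# Constructed audit records (fake tenant, fake app IDs).
SAMPLE_EVENTS = json.dumps([
    {"user": "a.idrissi@example.test", "app_name": "Team Chat Client",
     "app_id": "11111111-1111-1111-1111-111111111111", "publisher_verified": True,
     "consent_type": "user", "scopes": ["User.Read", "offline_access"]},
    {"user": "reporter@example.test", "app_name": "Secure Mail Viewer",
     "app_id": "22222222-2222-2222-2222-222222222222", "publisher_verified": False,
     "consent_type": "user", "scopes": ["Mail.Read", "offline_access", "User.Read"]},
    {"user": "admin@example.test", "app_name": "HR Notifications",
     "app_id": "33333333-3333-3333-3333-333333333333", "publisher_verified": True,
     "consent_type": "admin", "scopes": ["Mail.Send"]},
    {"user": "activist@example.test", "app_name": "Drive Sync Helper",
     "app_id": "44444444-4444-4444-4444-444444444444", "publisher_verified": False,
     "consent_type": "user", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
])


def assess_consent(event):
    """Return (score, reasons) for one grant; a higher score means look sooner."""
    scopes = {s.lower() for s in event["scopes"]}
    score, reasons = 0, []
    mail = scopes & MAIL_SCOPES
    if mail:
        score += 2
        reasons.append("mailbox scope(s): " + ", ".join(sorted(mail)))
        if scopes & PERSISTENCE_SCOPES:
            # offline_access only matters once the app can read mail at all.
            score += 1
            reasons.append("offline_access: refresh token outlives the login")
    if not event["publisher_verified"]:
        score += 2
        reasons.append("publisher not verified")
    if event["consent_type"] == "user":
        score += 1
        reasons.append("user self-consented, no admin review")
    return score, reasons


def severity(score):
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


def triage(events_json):
    """Map (user, app_name) -> severity label for every grant in the feed."""
    result = {}
    for event in json.loads(events_json):
        score, _ = assess_consent(event)
        result[(event["user"], event["app_name"])] = severity(score)
    return result


if __name__ == "__main__":
    for event in json.loads(SAMPLE_EVENTS):
        score, reasons = assess_consent(event)
        print(f"{severity(score):6} {event['user']:26} {event['app_name']}")
        for reason in reasons:
            print("       -", reason)
```

A high finding should be followed by revoking the grant and the app's refresh tokens for that user, not just resetting the password, which leaves the token valid. Tenant-side, restricting user consent to verified-publisher apps with low-risk permissions removes most of this attack surface before the lure arrives.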
Attribution and the Role of Contractors
Research from Citizen Lab suggests a shift in how these operations are managed. There is a "medium level of confidence" that these clusters may be commercial entities—private companies hired by the Chinese state to carry out intelligence priorities.
While the targeting of civil society is a longstanding feature of these groups, their reach into the U.S. legal sector, academic institutions, and the Taiwanese semiconductor industry shows the broad scope of their mandates.
Recommendations for Security Professionals
To defend against these specific threat actors, organizations must move beyond basic security and focus on vulnerability management:
- Prioritize Patching: Apply the current Exchange Security Updates on top of a supported Cumulative Update, and patch every application hosted on IIS; the flaws abused in these campaigns already had fixes available when they were exploited.
- Virtual Patching: If immediate patching is not possible, deploy a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rulesets tuned to the known exploit requests as a stopgap. This blocks the published exploit paths, not the flaw itself, so keep the real patch scheduled.
- Identity Security: Protect email accounts with phishing-resistant MFA (FIDO2 security keys or passkeys), since AiTM kits relay one-time codes; restrict user consent to apps from verified publishers; and alert on every new OAuth consent grant that includes mailbox scopes.
- Monitor for Side-Loading: Use EDR (Endpoint Detection and Response) or Sysmon image-load telemetry to flag an executable loading an unsigned DLL that carries a system library's name from its own directory, especially when that directory is user-writable.
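To make the last recommendation concrete, here is an added example (not from the report, and not vendor detection content) that applies the side-loading rule to image-load telemetry. The records mirror the fields Sysmon Event ID 7 reports for a loaded image (Image, ImageLoaded, Signed, SignatureStatus, Signature) but are constructed; the DLL name watch list and directory lists are assumptions to tune from your own data. Note that Event 7 describes the signature of the loaded DLL, not of the host process, so the host's "legitimate, signed" status has to come from process-creation events if you want to correlate it.

```python
"""Hunt for DLL side-loading in image-load telemetry (constructed sample).

Rule: a DLL that normally lives in System32 is instead resolved from the
process's own directory, is unsigned or badly signed, and that directory is
user-writable. Each condition alone is common; together they are the classic
side-loading shape used to stage backdoors such as ShadowPad.
"""
import ntpath  # Windows path semantics even when this runs on Linux or macOS

# DLL names often planted beside a signed host binary (assumed watch list).
SIDELOAD_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "secur32.dll", "msimg32.dll", "dwmapi.dll",
}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\", "c:\\windows\\tasks\\")

# Constructed events shaped like Sysmon Event ID 7, not captured from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\ProgramData\VendorUpdate\update.exe",
     "ImageLoaded": r"C:\ProgramData\VendorUpdate\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
]


def assess_image_load(event):
    """Return (score, reasons) for one image-load event."""
    image = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    proc_dir = ntpath.dirname(image) + "\\"
    dll_dir = ntpath.dirname(dll) + "\\"
    dll_name = ntpath.basename(dll)
    score, reasons = 0, []

    in_writable = proc_dir.startswith(WRITABLE_DIRS)
    # Windows\Temp and Windows\Tasks sit under C:\Windows but are writable,
    # so the writable check has to win over the trusted-prefix check.
    in_trusted = proc_dir.startswith(TRUSTED_DIRS) and not in_writable

    if dll_name in SIDELOAD_DLL_NAMES and dll_dir == proc_dir and not in_trusted:
        score += 2
        reasons.append(f"{dll_name} resolved from the process directory instead of System32")
    if event["Signed"].lower() != "true" or event["SignatureStatus"] != "Valid":
        score += 1
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    if in_writable:
        score += 1
        reasons.append("process runs from a user-writable directory")
    return score, reasons


def hunt_sideloading(events, min_score=3):
    """Return {Image: (score, reasons)} for events at or above min_score."""
    findings = {}
    for event in events:
        score, reasons = assess_image_load(event)
        if score >= min_score:
            findings[event["Image"]] = (score, reasons)
    return findings


if __name__ == "__main__":
    for image, (score, reasons) in hunt_sideloading(SAMPLE_EVENTS).items():
        print(f"[{score}] {image}")
        for reason in reasons:
            print("     -", reason)
```

In the sample, svchost.exe loading the real version.dll from System32 scores zero, a vendor application loading its own unsigned helper.dll from Program Files scores one, and the binary under ProgramData that pulls an unsigned version.dll from its own folder collects all three conditions. Feed it the hash fields as well and you can pivot the flagged DLL straight into a sandbox or threat-intel lookup.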
Conclusion
The activities of SHADOW-EARTH-053 and its affiliated clusters highlight a persistent reality in cybersecurity: attackers do not always need "Zero-Days" to succeed. By exploiting late patching cycles (N-days) and human psychology through phishing, these groups have successfully breached high-value targets across the globe. For the Moroccan tech community, this serves as a reminder that robust patch management and identity protection are the first lines of defense against state-aligned espionage.
Source: China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists (Published May 2, 2026)