A new wave of cyber espionage activity has been detected across multiple regions, with China-aligned hackers targeting government and defence organisations in South, East and Southeast Asia, along with a NATO member in Europe.
The campaign has been attributed to a threat cluster identified as “SHADOW-EARTH-053”, believed to be active since at least December 2024. Researchers noted overlaps with previously tracked groups such as Earth Alux and REF7707, indicating evolving but connected threat activity.
The attackers primarily exploit known vulnerabilities in internet-facing systems, including Microsoft Exchange Server and Internet Information Services (IIS). By targeting unpatched networks, they gain initial access and deploy web shells to maintain long-term control.
Countries identified as targets include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan and Pakistan. Poland was the only European nation reported to be affected.
Once inside systems, attackers deploy web shells like “Godzilla” and install ShadowPad malware using DLL side-loading techniques. They often use legitimate signed executables to avoid detection. The attack process typically involves reconnaissance and lateral movement using tools such as Mimikatz and custom remote desktop protocol launchers.
In some cases, the campaign also exploited a vulnerability known as “React2Shell” to distribute a Linux-based version of the Noodle RAT malware. The activity has also been linked by other researchers to a group tracked as “UNC6595”.
The report also highlighted overlaps with another threat cluster, “SHADOW-EARTH-054”: nearly 50% of the organisations affected by this campaign had previously been compromised by that cluster, particularly in Malaysia, Sri Lanka and Myanmar. However, no direct operational link between the two has been confirmed.
To maintain persistence and evade detection, attackers used open-source tunnelling tools such as IOX, GOST and Wstunnel, along with packing techniques to hide malicious files. Security experts have advised organisations to prioritise patching of Exchange and IIS systems, and deploy intrusion prevention systems or web application firewalls where immediate updates are not possible.
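Where patching Exchange or IIS has to wait, the web-shell stage described above still leaves a trace in the IIS W3C logs: repeated POST requests to script files that are not part of the deployed application. The following added example (not from the report or the researchers cited) flags such paths per client address; the log lines, the baseline list of known application paths and the drop location are constructed for illustration.

```python
"""Heuristic web-shell activity finder for IIS W3C logs (constructed example)."""
from collections import Counter

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")


def parse_w3c(lines):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blanks
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        yield dict(zip(fields, line.split()))


def find_webshell_candidates(lines, known_paths, min_hits=2):
    """Return {(path, client_ip): hits} for successful POSTs to script files
    that are not in the application's baseline (known_paths)."""
    hits = Counter()
    for rec in parse_w3c(lines):
        path = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST" or not path.endswith(SCRIPT_EXT):
            continue
        if path in known_paths:
            continue
        if rec.get("sc-status", "").startswith("2"):  # the file answered, so it exists
            hits[(path, rec.get("c-ip"))] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


# Constructed sample: one legitimate Exchange client and one client posting
# repeatedly to a script dropped under a hypothetical writable directory.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-01 10:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-03-01 10:00:05 10.0.0.5 POST /aspnet_client/load.aspx - 443 - 203.0.113.9 - 200
2025-03-01 10:00:09 10.0.0.5 POST /aspnet_client/load.aspx - 443 - 203.0.113.9 - 200
2025-03-01 10:01:00 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-03-01 10:02:00 10.0.0.5 POST /ecp/default.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""
# Baseline of script paths the application legitimately serves (assumed).
KNOWN_PATHS = {"/ecp/default.aspx", "/owa/auth/logon.aspx"}

if __name__ == "__main__":
    for (path, client), n in find_webshell_candidates(SAMPLE_LOG.splitlines(), KNOWN_PATHS).items():
        print(f"{n} POSTs from {client} to unexpected script {path}")
```

Build the baseline from a clean install or a known-good server rather than from the log being examined, otherwise a shell that has been active for weeks becomes part of the baseline.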
Separately, researchers identified phishing campaigns linked to two other China-aligned groups, “GLITTER CARP” and “SEQUIN CARP”. Detected in April and June 2025, these campaigns targeted journalists and civil society groups by impersonating media organisations and technology firms to steal credentials and gain account access.