Researchers disclosed a China-aligned espionage campaign, tracked as SHADOW-EARTH-053, that has targeted government and defense organizations across South, East, and Southeast Asia and Poland using web shells and ShadowPad implants. The actors exploit N-day vulnerabilities in Microsoft Exchange and IIS, deploy Godzilla web shells and DLL sideloading, and use tunneling tools and credential-stealing utilities. Separately, Citizen Lab identified the GLITTER CARP and SEQUIN CARP phishing campaigns targeting journalists and activists. #SHADOW-EARTH-053 #ShadowPad
Key points
- Trend Micro attributes a China-aligned espionage campaign to SHADOW-EARTH-053 targeting government and defense sectors across Asia and Poland.
- Attackers exploit N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers to drop Godzilla web shells for persistence.
- ShadowPad backdoors are staged via DLL sideloading and delivered using AnyDesk, alongside the IOX, GOST, and Wstunnel tunneling tools, RingQ, and Noodle RAT variants.
- Citizen Lab flagged the GLITTER CARP and SEQUIN CARP phishing operations, which impersonate journalists and technology alerts to target activists and reporters.
- Organizations are advised to apply Exchange and IIS patches immediately, or to deploy IPS/WAF virtual patching and monitoring to block exploitation attempts until they can.
Read More: https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html