thehackernews.com 5/1/2026, 3:11:13 PM

China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists

CyberSIXT Evidence Panel
Primary Source: trendmicro.com
CISA KEV: Listed in KEV
Patch: Patch Available

According to Trend Micro, researchers have disclosed a China-aligned espionage campaign dubbed SHADOW-EARTH-053 that targets government and defence sectors across South, East and Southeast Asia, plus one NATO country. The group is described as active since at least December 2024 and shares some network overlap with CL-STA-0049, Earth Alux and REF7707.

The campaign begins by exploiting known flaws in internet-facing Microsoft Exchange and IIS servers, then deploys web shells such as Godzilla to establish persistent access. The operators then drop ShadowPad implants via DLL sideloading and later deploy the ShadowPad backdoor through an AnyDesk delivery chain. The toolchain also includes the weaponisation of React2Shell (CVE-2025-55182) to distribute a Linux version of Noodle RAT.

Targets include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka and Taiwan, with Poland noted as the lone European victim in the footprint.

GLITTER CARP and SEQUIN CARP are described by the Citizen Lab as China-affiliated phishing clusters targeting journalists and activists, using impersonation and shared infrastructure, domains and delivery methods across cases.

The analysis also notes the use of open-source tunnelling tools and other utilities to evade detection, with Mimikatz used for privilege escalation and Sharp-SMBExec for lateral movement.


Article by CyberSIXT