Recent investigations by cybersecurity experts have unearthed a China-linked cyber espionage campaign aimed at government and defense sectors across South, East, and Southeast Asia, as well as a NATO member in Europe. The cybersecurity firm Trend Micro attributes these activities to a group they have temporarily named SHADOW-EARTH-053. This group has been active since at least December 2024 and shares some network characteristics with other known threat actors.
Details of the Cyber Espionage Campaign
The group exploits known vulnerabilities in Microsoft Exchange and Internet Information Services (IIS) servers to gain unauthorized access. These vulnerabilities, such as the ProxyLogon chain, are used to deploy web shells like Godzilla, which maintain persistent access. The attackers then deploy ShadowPad implants via DLL sideloading of legitimate signed executables.
The campaign’s targets include nations such as Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, with Poland being the sole European target. Trend Micro observed that nearly half of SHADOW-EARTH-053’s targets, particularly in Malaysia, Sri Lanka, and Myanmar, were previously compromised by a related group known as SHADOW-EARTH-054.
Techniques Employed in the Attacks
The attackers start by exploiting known security flaws, dropping web shells to enable persistent remote access. These shells serve as conduits for command execution, reconnaissance, and deploying the ShadowPad backdoor through AnyDesk. In some instances, vulnerabilities like React2Shell are used to distribute Linux versions of malicious software such as Noodle RAT.
The attackers also use various open-source tunneling tools and techniques to evade detection and escalate privileges. Mimikatz is employed for privilege escalation, while lateral movement is facilitated using custom tools. Trend Micro emphasizes the importance of applying the latest security updates to mitigate these threats.
Impact on Journalists and Activists
In a related development, Citizen Lab has identified phishing campaigns by China-affiliated groups targeting journalists and civil society. These campaigns, identified as GLITTER CARP and SEQUIN CARP, impersonate journalists and activists, particularly those focused on sensitive issues related to the Chinese government.
The phishing tactics are sophisticated, involving digital impersonations and the reuse of infrastructure across various targets. The campaigns aim to harvest credentials and gain unauthorized access to email accounts, using techniques such as phishing pages and OAuth token manipulation.
Citizen Lab’s analysis highlights the growing trend of digital transnational repression conducted by distributed networks of actors. The targets align with the intelligence priorities of the Chinese government, suggesting possible involvement of commercial entities hired by the state.
As these cyber threats continue to evolve, nations and organizations must remain vigilant and proactive in enhancing their cybersecurity measures to protect against such espionage activities.
