China-Linked Cyber Espionage Campaign Targets Asian Governments, Defence Networks

New Delhi: A new report has revealed a wide-ranging cyber espionage campaign, allegedly backed by China-linked threat actors, targeting government and defence sectors across Asia and even reaching a NATO member in Europe.

According to findings published by The Hacker News, the activity has been traced to a threat cluster identified as “SHADOW-EARTH-053,” believed to be active since December 2024. Researchers say the group shares similarities with previously known cyber-espionage outfits like Earth Alux and REF7707.

The attackers primarily exploit vulnerabilities in Microsoft Exchange Server and Internet Information Services (IIS), targeting systems that have not been patched. Once inside, they deploy web shells to maintain long-term access and install advanced malware such as ShadowPad.

Countries reportedly affected include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan, and Pakistan. In Europe, Poland has been identified as the only impacted country so far.

The report highlights the use of sophisticated tools and techniques. Hackers deploy web shells like “Godzilla” for remote access and use DLL side-loading methods to stealthily install malware. They often rely on legitimate signed applications to bypass security systems.

After breaching networks, the attackers conduct reconnaissance and move laterally using tools such as Mimikatz, along with custom remote desktop protocol launchers. In certain cases, they have also exploited a vulnerability known as “React2Shell” to spread a Linux-based remote access trojan called Noodle RAT.

Further analysis links the campaign to another threat group tracked as “UNC6595,” with overlaps also observed with a separate cluster named “SHADOW-EARTH-054.” Some targets—especially in Malaysia, Sri Lanka, and Myanmar—appear to have been compromised previously, though direct coordination between the groups has not been confirmed.

To remain undetected, attackers reportedly used tunnelling tools like IOX, GOST, and Wstunnel, along with packing utilities to disguise malicious files.

Cybersecurity firm Trend Micro has advised organisations to urgently patch vulnerabilities in Exchange and IIS systems. Where immediate updates aren’t possible, deploying intrusion prevention systems or web application firewalls is recommended.
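One defender-side check that follows from the web-shell activity described above: triage IIS W3C logs for POST requests to server-side script files that an Exchange front end should not normally receive. This is an added illustration, not code from the report or from Trend Micro; the log lines are constructed, and the allow-list of legitimate POST endpoints is an assumption to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log (not from the report). IIS encodes spaces inside fields as '+'.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-10 08:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2025-01-10 08:01:09 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 302
2025-01-10 08:01:40 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2025-01-10 08:02:15 10.0.0.5 POST /ews/Exchange.asmx - 443 corp\\jdoe 192.0.2.44 Microsoft+Office/16.0 200
2025-01-10 08:04:22 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 198.51.100.9 python-requests/2.31 200
2025-01-10 08:04:23 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 198.51.100.9 python-requests/2.31 200
"""

# Server-side script extensions a dropped web shell would typically use on IIS.
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)

# Assumed allow-list (lower-case) of script endpoints that legitimately receive POSTs; tune per environment.
KNOWN_POST_PATHS = {"/ews/exchange.asmx", "/ecp/default.aspx", "/owa/auth/logon.aspx"}


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def find_webshell_candidates(text):
    """Group POSTs to non-allow-listed script files by path, noting clients, agents and unauthenticated hits."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "agents": set(), "unauthenticated": 0})
    for row in parse_iis_log(text):
        path = row["cs-uri-stem"].lower()
        if row["cs-method"].upper() != "POST" or not SCRIPT_EXT.search(path) or path in KNOWN_POST_PATHS:
            continue
        h = hits[path]
        h["count"] += 1
        h["clients"].add(row["c-ip"])
        h["agents"].add(row["cs(User-Agent)"])
        if row["cs-username"] == "-":  # script file accepting POSTs from an unauthenticated client
            h["unauthenticated"] += 1
    return dict(hits)


if __name__ == "__main__":
    for path, info in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"{path}: {info['count']} POST(s), {info['unauthenticated']} unauthenticated, from {sorted(info['clients'])}")
```

Flagged paths are leads for file-system review (creation time, owner, content) rather than verdicts, since legitimate customisations can also add script files.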

Meanwhile, researchers have also flagged phishing campaigns by two other China-linked groups, “GLITTER CARP” and “SEQUIN CARP,” which targeted journalists and civil society organisations. These campaigns, observed in April and June 2025, used impersonation tactics to steal login credentials and gain access to sensitive accounts.

With inputs from IANS