Chinese Hackers Target Governments, State and Journalists
2026-04-30 11:00 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
China-linked hackers have launched a new espionage campaign targeting governments, defense sectors and civil society organizations across South, East, and Southeast Asia. The campaigns include phishing attacks, command execution via web shells, and the deployment of the ShadowPad backdoor through the AnyDesk remote desktop tool. Targets include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. A cybersecurity vendor has observed nearly half of these targets being compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054. The campaigns also involve digital impersonation schemes in phishing emails and the use of the Mimikatz credential-dumping tool to facilitate privilege escalation.
Technical Mitigations (AI-generated)
* Patch Microsoft Exchange and IIS-hosted web applications: prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS, since the group gains initial access by exploiting N-day vulnerabilities in internet-facing servers (the ProxyLogon chain: CVE-2021-26855 chained with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), as well as React2Shell (CVE-2025-55182).
* Virtual patching where immediate patching is not feasible: deploy Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs.
* Hunt for web shells and sideloaded implants: the group deploys Godzilla web shells for persistent access and command execution, then stages ShadowPad implants via DLL sideloading of legitimate signed executables, so review internet-facing Exchange and IIS servers for unexpected web-accessible script files and for signed executables loading DLLs from unusual locations.
* Restrict and monitor remote-access tooling: the intrusions delivered ShadowPad through the legitimate remote desktop tool AnyDesk and used RingQ, an open-source packer, to evade detection; allow-list the remote-access tools permitted in the environment, alert on unexpected installations of tools such as AnyDesk, and watch for lateral movement via WMIC.
* Monitor network and host activity for suspicious behavior: phishing campaigns (including AiTM phishing kits and emails with 1x1 tracking pixels), web-shell command execution, renamed Windows system binaries, Mimikatz credential theft, and domain names that impersonate products, security companies, or DNS-related services.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Actors: Volt Typhoon, APT41, Salt Typhoon
Malware: ShadowPad
CVEs: CVE-2021-26857, CVE-2025-55182, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065
Target & Sectors
Regions: SOUTH_ASIA, NORTH_AMERICA, ASEAN
Sectors: government, energy, technology, defense, telecommunications, transportation
Incident Timeline
mid-2021
China-linked hackers exploited vulnerabilities in US critical infrastructure to target governments, journalists, and activists.
target_region: United States
And Volt followed in mid-2021, burrowing deep into critical US networks to preposition for future destructive attacks.
late 2023
China-linked hackers were first discovered targeting Asian governments and NATO state in late 2023.
at least December 2024
Threat actors used a China-linked hacking collective to target Asian governments, a NATO state, journalists and activists.
December 2024
Threat actors used the React2Shell exploit to target Asian governments, NATO state, journalists, and activists.
source_region: China; Poland
Exclusive
A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month.
organisation: Uyghur
GLITTER CARP and SEQUIN CARP Go After Activists and Journalists
The disclosure comes as the Citizen Lab flagged a new phishing campaign undertaken by two distinct China-affiliated threat actors targeting and impersonating journalists and civil society, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists.
organisation: SHADOW
The cybersecurity vendor said it observed nearly half the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054, although no evidence of direct operational coordination has been observed.
organisation: AnyDesk
The web shells function as a delivery vehicle for command execution, enabling reconnaissance and ultimately resulting in the deployment of the ShadowPad backdoor via AnyDesk.
organisation: Microsoft Exchange; Internet Information Services; ProxyLogon; DLL
"The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables," security researchers Daniel Lunghi and Lucas Silva said in an analysis.
infrastructure: Linux
organisation: ANGRYREBEL
In at least one case, the weaponization of the React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT).
organisation: Intrusion Prevention Systems; Virtual Patching
"Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS."
"In scenarios where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching)."
July 2025
China-linked hackers targeted Asian governments, NATO states, journalists, and activists using phishing emails with 1x1 tracking pixels.
organisation: UNK_SparkyCarp
Some aspects of these efforts were previously documented by Proofpoint in July 2025 under the name UNK_SparkyCarp.
organisation: The Citizen Lab; HealthKick
The Citizen Lab said it "observed concurrent targeting of specific organizations using both the AiTM phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick using different phishing tactics by a separate group (UNK_DropPitch)."
organisation: SEQUIN
SEQUIN CARP, on the other hand, shares similarities with a group tracked by Volexity as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH.
April and June 2025
Threat actors used phishing campaigns to target Asian governments, a NATO state, journalists and activists in April 2025.
2026/05/01
China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists.
organisation: NATO State
infrastructure: Linux; Windows
organisation: Microsoft
Shadow-y malware and legit Windows tools
In a separate instance, the incident responders found Linux NoodleRat backdoors - also widely used by Chinese espionage and cybercrime groups - deployed after Shadow-Earth-053 exploited another widely-abused Microsoft security hole:
In some instances, the group renamed legitimate Windows system binaries to evade process-based detection.
To move laterally through victim environments, Shadow-Earth-053 uses Windows Management Instrumentation Command-line (WMIC) and installs backdoors onto additional hosts.
organisation: Palo Alto Networks; Elastic Security Labs
The 054 group has some network overlaps with Chinese crews tracked as CL-STA-0049 by Palo Alto Networks' Unit 42, REF7707 by Elastic Security Labs, and Earth Alux.
threat_actor: Salt Typhoon; Volt Typhoon
Tom Kellermann, TrendAI VP of AI security and threat research, likened the new Chinese groups to Salt Typhoon and Volt Typhoon.
Salt Typhoon and other Chinese government snoops also abused ProxyLogon to breach critical US networks back in 2021, when it was first disclosed, and it's remained a top-exploited vulnerability ever since.
threat_actor: APT41
In "multiple" of these intrusions, they compromised victim organizations up to 8 months before deploying ShadowPad, a custom backdoor used by China's APT41 for almost a decade, and shared among multiple China-aligned groups since 2019.
organisation
GitHub
In one victim's environment, TrendAI detected RingQ, an open-source tool developed in China and available on GitHub that can be used to pack malicious binaries to evade detection by security solutions.
organisation
Microsoft Exchange Servers
The Chinese spies typically gain initial access to victim environments via vulnerable Microsoft Exchange Servers.
organisation
NATO
Targeting Poland, a NATO country, "highlights how cyber espionage and a cyber warfare is burgeoning," Kellermann said.
organisation
AnyDesk
In one instance, the snoops delivered ShadowPad malware via legitimate, and popular, remote desktop tool AnyDesk.
organisation
Trend Micro
Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053.
organisation: Microsoft Exchange; ProxyLogon
The years-old ProxyLogon (CVE-2021-26855), which can be chained with other Microsoft Exchange Server bugs (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to achieve remote code execution, is a favorite.
organisation
DNS
The intruders also use domain names that impersonate products, security companies, or are related to the DNS protocol.
organisation: Shadow-Earth-054; Shadow-Earth-053
About half of the victims were also compromised by a related group, Shadow-Earth-054, which exploited the same vulnerabilities and shared identical tool hashes and overlapping techniques with Shadow-Earth-053.
organisation
Shadow-Earth-053's
"They're following in the footsteps of the Typhoon campaigns, they look like the younger brother and sister of the Typhoon campaigns, and they're island-hopping through the defense sectors and ministries of those nations for a reason."
Shadow-Earth-053's victims spanned at least eight countries, according to TrendAI's investigation.
organisation
Exchange
So if you haven't already: patch these Exchange server bugs.
May 14
China-linked hackers targeted Asian governments, NATO state, journalists, and activists on May 14.
general_metric: 15 May
"Here we are, leading up to the May 14 and 15 meeting between President Trump and President Xi and, God forbid, the 15th goes sideways."
Tactical Metrics
infrastructure (Affected Product): Windows, Linux
Intelligence Sources
- The Register - Cybercrime, 2026-04-30
- The Hacker News, 2026-05-01
- The Register - Cybercrime, 2026-04-30
Incident Version History: current version, last updated 2026-06-15T10:15
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Label | Value | Type
27x | organisation | Identified Entity | GitHub | entity
11x | target region | Target Country | Poland | country
10x | timeline | Temporal Reference | December 2024 | date
9x | tactic | Cyber Operation Type | Reconnaissance | tactic
9x | attribution | Attributing Entity | Shadow-Earth-053 | authority
6x | industry | Targeted Sector | Defense | sector
5x | vulnerability | Exploited CVE | CVE-2021-26855 | cve
3x | source region | Origin Country | China | country
3x | threat actor | APT Group | APT41 | actor
2x | infrastructure | Affected Product | Windows | software
2x | tactic | MITRE ATT&CK Technique | T1584.004 - Server | technique
Contextual Telemetry (Context Block, 5 metrics)
Category | Label | Value | Type
malware | Malware Payload | ShadowPad | tool
general metric | Group | 54 | group
general metric | May | 15 | may
target region | Target Region | APAC | region
malware | Offensive Tool | Mimikatz | tool