Shadow-Earth-053, ShadowPad and phishing clusters in Asia


CyberSecureFox Editorial Team

Researchers have documented a new China-aligned espionage activity cluster, SHADOW-EARTH-053, that targets government and defense organizations in South, East and Southeast Asia as well as one NATO member (Poland), gaining entry by exploiting vulnerable Microsoft Exchange and IIS servers and then installing the ShadowPad backdoor. In parallel, two other clusters, GLITTER CARP and SEQUIN CARP, are running phishing operations against journalists and activists. Taken together, these campaigns mean organizations need to immediately tighten patch management for Internet-facing portals and enforce strict access control on email and cloud accounts.

Technical details: from vulnerable IIS to ShadowPad and Noodle RAT

SHADOW-EARTH-053 attack chain

According to Trend Micro, the SHADOW-EARTH-053 cluster has been active since at least December 2024 and uses a playbook typical of mature espionage operations: a combination of exploiting already known (N-day) vulnerabilities and well-thought-out post-exploitation.

Key elements of the chain:

  • Initial access: exploitation of known vulnerabilities in Internet-exposed applications running on Microsoft IIS and in Microsoft Exchange, including chains such as ProxyLogon. This provides direct code execution in the context of the application server.
  • Persistence via web shell: the compromised servers are outfitted with the Godzilla web shell, which corresponds to the MITRE ATT&CK technique Web Shell. Such a shell only needs standard HTTP/HTTPS traffic, which makes it difficult to filter at the perimeter.
  • Reconnaissance and preparation: commands are executed through the web shell to inventory the system and network, laying the groundwork for deploying more sophisticated remote management tools.
  • ShadowPad deployment: the final stage is the deployment of the modular ShadowPad backdoor using DLL side-loading via a legitimate signed executable, including AnyDesk. This technique aligns with MITRE ATT&CK technique DLL Side-Loading and significantly reduces the chances of detection thanks to the trusted signature and seemingly routine process behavior.

A separate episode in the campaign demonstrates the flexibility of the tooling: to exploit Linux environments, the attackers used the React2Shell exploit for vulnerability CVE-2025-55182, which enabled the deployment of the Linux variant of Noodle RAT (also known as ANGRYREBEL and Nood RAT). Details on the vulnerability itself are available in the NVD database: NVD: CVE-2025-55182.

Post-exploitation and stealth tools

Once persistence is established, SHADOW-EARTH-053 moves on to vertical and horizontal expansion of the compromise:

  • Tunneling and perimeter evasion: open-source tunneling tools IOX, GO Simple Tunnel (GOST), and Wstunnel are used to encapsulate command-and-control traffic in common protocols (typically HTTPS or WebSocket) and bypass network restrictions.
  • Binary packing: the RingQ packer is used to complicate static analysis and signature-based detection, making it harder to identify backdoors at the file-scanning level.
  • Privilege escalation: Mimikatz is used to extract credentials, which corresponds to the MITRE ATT&CK technique Credential Dumping. Compromise of domain accounts turns a single server incident into a full-blown domain crisis.
  • Lateral movement: a custom launcher for the RDP protocol and a C# implementation of the SMBExec tool called Sharp-SMBExec are used, which fall under the technique family Lateral Movement over SMB.

No specific IOCs (IP addresses, domains, hashes) are provided in the campaign description, underscoring that relying solely on static indicators in this case is ineffective; the focus needs to shift toward behavior-based and log-centric monitoring.

GLITTER CARP and SEQUIN CARP: phishing as a tool of transnational pressure

A Citizen Lab study describes two other China-oriented phishing activity clusters — GLITTER CARP and SEQUIN CARP — targeting journalists, international media and activists from Uyghur, Tibetan, Taiwanese and Hong Kong diasporas. These operations do not use complex exploits, but rely on high-grade social engineering and reuse of infrastructure.

Key characteristics:

  • Accurate impersonation: the attackers spoof emails from real journalists, industry peers, and even major technology companies (for example, security notifications), creating a trustworthy context.
  • Access mechanisms:
    • credential harvesting on phishing pages;
    • social engineering that convinces the victim to grant account access via a third-party OAuth token;
    • use of an adversary-in-the-middle (AiTM) phishing kit that allows interception of session tokens even when multi-factor authentication is enabled.
  • Email open tracking: GLITTER CARP campaigns use 1×1 pixel images loaded from attacker-controlled domains to collect information about the device and the fact that the email has been read.

GLITTER CARP has also been linked to phishing attacks on Taiwan’s semiconductor industry (tracked as UNK_SparkyCarp in a Proofpoint study), while SEQUIN CARP shows similarities with the group UTA0388 (Volexity) and the TAOTH cluster (Trend Micro). Citizen Lab highlights overlaps in infrastructure and techniques among several clusters, pointing to a distributed network of contractors serving state interests.

Threat context and the contractor ecosystem

SHADOW-EARTH-053 shows network overlap with other China-linked clusters tracked as CL-STA-0049, Earth Alux, and REF7707, and the use of React2Shell and Noodle RAT has been associated by Google Threat Intelligence Group with the group UNC6595. At the same time, Trend Micro does not observe direct operational coordination between SHADOW-EARTH-053 and the closely related cluster SHADOW-EARTH-054, although almost half of their targets overlap.

GLITTER CARP and SEQUIN CARP, by contrast, fit what Citizen Lab describes as a “distributed outsourcing” model: different contractors conduct both traditional espionage operations and digital pressure campaigns against diasporas and civil society, with targets clearly aligned with the priorities of Chinese intelligence services. This approach complicates reliable attribution: infrastructure and tools can migrate between groups, and individual developers and operators may participate in multiple projects at once.

Impact assessment

Those most at risk are:

  • Government and defense organizations in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and Poland that run Internet-exposed Exchange and IIS and lack a robust process for timely patch management.
  • Civil society and media organizations, especially those working on topics sensitive for the Chinese government (corruption, minority rights, the geopolitics of Taiwan and Hong Kong).

Potential consequences of inaction:

  • Long-term stealth compromise of infrastructure using ShadowPad and Noodle RAT, leakage of correspondence, documents, procurement plans, and military or foreign policy scenarios.
  • Compromise of the domain environment via Mimikatz and lateral movement, followed by complete loss of trust in the Active Directory environment and the need for costly reimplementation.
  • Pressure on journalists and activists through interception of email and internal materials, potential smear campaigns or selective “leaks” framed in a way advantageous to the attacker.

Practical defense recommendations

For Exchange/IIS owners and server infrastructure teams

  1. Immediately bring patches up to date:
    • install the latest cumulative updates for Microsoft Exchange and all applications running on IIS;
    • check for fixes for CVE-2025-55182 on Linux systems where affected components are deployed (NVD: CVE-2025-55182).
  2. Apply virtual patching if updates cannot be installed quickly:
    • configure a WAF or IPS with rules to block known ProxyLogon and React2Shell exploitation chains;
    • restrict access to Exchange and IIS administrative interfaces via VPN or allowlists of trusted IP addresses.
  3. Conduct a web shell hunt:
    • inspect IIS and OWA/Exchange virtual directory folders for unknown ASPX, JSP and other scripts;
    • analyze IIS logs for anomalous requests to little-known scripts and long encrypted parameters characteristic of Godzilla.
  4. Detect DLL side-loading and unusual tools:
    • monitor the launch of AnyDesk and other signed executables from non-standard paths and with loading of third-party DLLs;
    • implement EDR/SIEM rules to detect execution of Mimikatz, tunneling utilities (GOST, Wstunnel, IOX) and tools such as Sharp-SMBExec.
  5. Strengthen authentication:
    • minimize the use of local administrator accounts;
    • restrict RDP and SMB access only to segments where it is justified, with mandatory multi-factor authentication.
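As an added illustration of the web shell hunt in step 3 (example code written for this page, not a Trend Micro tool): the script parses IIS W3C logs and flags POST requests to script files outside a baseline of known application scripts that carry a large body or a long, encrypted-looking query string. The log lines, the baseline in KNOWN_SCRIPTS and the thresholds are constructed assumptions; the cs-bytes field must be enabled in IIS logging for the body-size check to work.

```python
import math
import re
from collections import Counter

# Constructed sample IIS W3C log (not real data; cs-bytes must be enabled in IIS logging).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs-bytes c-ip
2025-01-10 08:00:01 GET /owa/auth/logon.aspx - 200 512 10.0.0.5
2025-01-10 08:00:09 POST /owa/auth/logon.aspx - 302 1340 10.0.0.5
2025-01-10 08:01:44 POST /aspnet_client/sys.aspx - 200 9120 203.0.113.7
2025-01-10 08:02:03 POST /aspnet_client/sys.aspx - 200 14860 203.0.113.7
2025-01-10 08:05:00 GET /ecp/default.aspx - 200 300 10.0.0.9
"""

# Hypothetical baseline of scripts the application is known to serve.
KNOWN_SCRIPTS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}
SCRIPT_EXT = re.compile(r"\.(aspx|asp|ashx|asmx|jsp|php)$", re.I)
BODY_THRESHOLD = 4096  # bytes; tune to the application's normal POST sizes


def shannon_entropy(s: str) -> float:
    """Bits per character: base64/AES blobs sit near 6, plain text near 4."""
    n = len(s) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_w3c(text: str):
    """Yield each entry as a dict keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def hunt_webshell(text: str):
    """Return (client, path, cs-bytes) for POSTs to unknown scripts with a large body or encrypted-looking query."""
    hits = []
    for e in parse_w3c(text):
        stem = e.get("cs-uri-stem", "")
        if e.get("cs-method") != "POST" or stem in KNOWN_SCRIPTS or not SCRIPT_EXT.search(stem):
            continue
        size = int(e["cs-bytes"]) if e.get("cs-bytes", "").isdigit() else 0
        query = e.get("cs-uri-query", "-")
        if size >= BODY_THRESHOLD or (len(query) > 64 and shannon_entropy(query) > 5.0):
            hits.append((e.get("c-ip", "?"), stem, size))
    return hits


if __name__ == "__main__":
    for ip, stem, size in hunt_webshell(SAMPLE_LOG):
        print(f"suspect web shell traffic: {ip} POST {stem} ({size} bytes)")
```

Treat the hits as leads for file-level inspection of the named path, not as confirmation on their own; legitimate upload handlers will also trip the size check until they are added to the baseline.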

For organizations exposed to phishing (journalists, NGOs, media)

  1. Strengthen protection of email and cloud accounts:
    • enable interception-resistant factors (hardware security keys, authenticator apps) instead of SMS;
    • disable legacy protocols and basic authentication where possible.
  2. Control of OAuth applications:
    • regularly review the list of third-party applications with access to email and documents;
    • block or tightly restrict granting of “full mailbox access” and “manage files” permissions to external applications.
  3. Filtering and detection of targeted phishing:
    • use a secure email gateway with link and attachment scanning;
    • configure detection of emails containing suspicious 1×1 images loaded from unfamiliar domains.
  4. Staff training:
    • drill scenarios involving unexpected emails allegedly from colleagues, major media, or corporate “security teams”;
    • encourage verification via an alternative channel (messenger, phone) for any requests related to logging into an account or granting an access token.
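As an added illustration of the 1×1 tracking-pixel detection in step 3 (example code written for this page, not a Citizen Lab tool): the script parses an email, collects every image in the HTML body and reports tiny images fetched from a host that is neither the sender's domain nor a known image CDN. The sample message, the hosts in it and the ALLOWED_HOSTS allowlist are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): one normal logo and one 1x1 beacon.
SAMPLE_EMAIL = """From: Reporter <reporter@news.example>
Subject: Interview request
Content-Type: text/html; charset=utf-8

<html><body><p>Hello, could we talk this week?</p>
<img src="https://cdn.news.example/logo.png" width="120" height="40">
<img src="https://t.tracker-host.example/o/abc123.gif" width="1" height="1">
</body></html>
"""

ALLOWED_HOSTS = {"cdn.news.example"}  # hypothetical allowlist of known image CDNs


class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one attribute dict per <img> tag
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def is_tiny(attrs) -> bool:
    """True when both width and height are at most 1 pixel (beacon-sized)."""
    try:
        return int(attrs.get("width", 99)) <= 1 and int(attrs.get("height", 99)) <= 1
    except ValueError:
        return False


def find_tracking_pixels(raw: str):
    """Return (host, src) for tiny remote images not served from the sender's domain."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    collector = ImgCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.images:
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        same_org = host == sender_domain or host.endswith("." + sender_domain)
        if host and host not in ALLOWED_HOSTS and not same_org and is_tiny(attrs):
            hits.append((host, attrs["src"]))
    return hits
```

A hit is a reason to disable remote image loading for the message and look at the sending infrastructure, since newsletters and legitimate marketing mail use the same technique.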

The critical step for organizations in the sectors and regions mentioned is to close vulnerable entry points (Exchange, IIS, React2Shell-compatible services) in the coming days, conduct targeted hunting for web shells and DLL side-loading on servers, and in parallel implement strict control of OAuth access and multi-factor authentication for email and cloud accounts, with priority review of all high-risk users — government employees, journalists, and activists.
