Espionage campaigns by China-aligned clusters target governments in Asia and a NATO state alongside activists and journalists
Summary
China-linked cyber espionage clusters SHADOW-EARTH-053, GLITTER CARP, and SEQUIN CARP have run overlapping operations since at least December 2024 against government and defense entities in South, East, and Southeast Asia, one European NATO member (Poland), and civil society figures including journalists and activists. The primary intrusion vector was N-day flaws in Microsoft Exchange and IIS (e.g., ProxyLogon) used to drop web shells (Godzilla), followed by deployment of the ShadowPad backdoor via DLL side-loading and the AnyDesk remote-access tool. In one case Linux malware (Noodle RAT) was delivered through the React2Shell exploit chain (CVE-2025-55182). Additional tooling included open-source tunneling utilities (IOX, GOST, Wstunnel), RingQ for binary packing, Mimikatz for credential theft, and custom lateral movement tools such as Sharp-SMBExec and a bespoke RDP launcher.
Timeline
- 01.05.2026 17:02 (1 article)
China-aligned espionage clusters escalate multi-vector intrusions against governments and civil society since late 2024
Since at least December 2024, SHADOW-EARTH-053 has compromised government and defense targets across Asia and Poland using N-day Exchange/IIS exploits (e.g., ProxyLogon), Godzilla web shells, and ShadowPad via DLL side-loading and AnyDesk. Concurrently, GLITTER CARP and SEQUIN CARP conducted phishing campaigns against journalists and activists, leveraging AiTM phishing kits and OAuth token harvesting, with overlap in targeting and infrastructure reuse indicating possible contractor involvement.
  Source: China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists — thehackernews.com — 01.05.2026 17:02
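The Exchange/IIS web-shell stage described above leaves a simple trace in IIS W3C logs: POST requests to an .aspx file that was never part of the Exchange install, typically under a directory such as /owa/auth/ or /aspnet_client/ that otherwise sees almost no POST traffic. The following hunting script is an added example written for this page, not code from the article or from the researchers it cites; the watched directories, the baseline of legitimate .aspx files, and the log lines are all constructed for illustration and should be replaced with a baseline taken from a known-good server.

```python
"""Hunt for probable web-shell activity in IIS W3C logs.

Added example for this page (not from the cited report). Heuristic: after an
Exchange N-day compromise the dropped .aspx shell is a file that is not in the
server's known-good inventory, and it receives POSTs from a small set of IPs.
"""
from collections import defaultdict

# Directories under which ProxyLogon-era shells were commonly dropped (public reporting).
# Assumption for this example: adjust to your own Exchange layout.
WATCHED_DIRS = ("/owa/auth/", "/aspnet_client/", "/ecp/auth/")

# Known-good .aspx files under those directories. Constructed for this example;
# build the real baseline from a healthy server of the same Exchange version.
BASELINE = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/auth/logon.aspx",
}

# Constructed IIS W3C sample. Field order follows the #Fields header line.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-14 03:12:55 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-01-14 03:13:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2025-01-14 03:20:41 10.0.0.5 POST /aspnet_client/system_web/errorEE.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-01-14 03:20:43 10.0.0.5 POST /aspnet_client/system_web/errorEE.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-01-14 03:25:10 10.0.0.5 GET /owa/ - 443 - 203.0.113.9 Mozilla/5.0 200
2025-01-14 03:31:19 10.0.0.5 POST /owa/auth/Current/themes/x.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, using the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_suspect_posts(text, baseline=BASELINE, watched=WATCHED_DIRS):
    """Return {uri_stem: sorted client IPs} for POSTs to unknown .aspx files under watched dirs."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if rec["cs-method"] != "POST" or not stem.endswith(".aspx"):
            continue
        if not stem.startswith(watched):
            continue
        if stem in baseline:
            continue
        hits[stem].add(rec["c-ip"])
    return {stem: sorted(ips) for stem, ips in hits.items()}


if __name__ == "__main__":
    for stem, ips in find_suspect_posts(SAMPLE_LOG).items():
        print(f"web shell candidate: {stem} (POSTed to by {', '.join(ips)})")
```

The check is deliberately file-centric rather than payload-centric: Godzilla encrypts its request bodies, so matching on content is unreliable, whereas an .aspx file that is absent from the install baseline yet receives POSTs is a strong lead regardless of which shell was dropped. Confirm any hit by pulling the file from the web root and checking its creation time against the exploitation window.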
Information Snippets
- SHADOW-EARTH-053, active since at least December 2024, exploited N-day vulnerabilities in Microsoft Exchange and IIS servers (e.g., ProxyLogon) to deploy Godzilla web shells, then installed ShadowPad implants by side-loading malicious DLLs into legitimate signed executables.
  First reported: 01.05.2026 17:02 (1 source, 1 article)
- Victimology includes government and defense sectors in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland (NATO member), with nearly half of targets in Malaysia, Sri Lanka, and Myanmar previously compromised by a related intrusion set (SHADOW-EARTH-054) but without evidence of direct operational coordination.
  First reported: 01.05.2026 17:02 (1 source, 1 article)
- GLITTER CARP and SEQUIN CARP campaigns, detected in April and June 2025, targeted journalists, civil society, and the Taiwanese semiconductor industry with phishing emails impersonating known individuals and security alerts, using AiTM phishing kits and OAuth token harvesting.
  First reported: 01.05.2026 17:02 (1 source, 1 article)
- SEQUIN CARP's activity overlaps with groups tracked as UTA0388 (Volexity) and TAOTH (Trend Micro), while GLITTER CARP overlaps with UNK_SparkyCarp (Proofpoint, July 2025). Both groups reused domains and impersonated individuals across multiple targets.
  First reported: 01.05.2026 17:02 (1 source, 1 article)
- Additional malware and tools observed include Noodle RAT (Linux variant) delivered via React2Shell (CVE-2025-55182), open-source tunneling tools (IOX, GOST, Wstunnel), RingQ for binary packing, Mimikatz for credential theft, Sharp-SMBExec for lateral movement, and a custom RDP launcher.
  First reported: 01.05.2026 17:02 (1 source, 1 article)