SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
Summary
Hide ▲
Show ▼
SHADOW-EARTH-053 is running an active China-aligned espionage campaign against government and defense targets across South, East, and Southeast Asia and Poland, creating persistent access for intelligence collection. The operation has been active since at least December 2024 and uses internet-facing Microsoft Exchange and IIS vulnerabilities to gain entry, then deploys Godzilla web shells and ShadowPad implants. The intrusion chain also includes CVE-2025-55182 in one case, plus tunneling, privilege-escalation, and lateral-movement tooling to extend reach inside victim networks.
Cases
Related Happenings
UNC6508 China-linked REDCap espionage campaign
Campaign
H score39
First: 15.06.2026 17:00
Last: 15.06.2026 17:00
Sources 1
About this happening:
**UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
UNC6508 China-linked REDCap espionage campaign
CampaignAbout this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
OP-512 Microsoft IIS espionage campaign
Campaign
H score52
First: 05.06.2026 15:33
Last: 05.06.2026 15:33
Sources 1
About this happening:
**OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
OP-512 Microsoft IIS espionage campaign
CampaignAbout this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
Shadow-Aether-040 AI-augmented campaign against Mexican government entities
Campaign
H score41
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
The **Shadow-Aether-040** campaign used **AI agents** and custom tooling to compromise **six government entities in Mexico**, increasing the risk of follow-on intrusion and **data...
Shadow-Aether-040 AI-augmented campaign against Mexican government entities
CampaignAbout this happening: The **Shadow-Aether-040** campaign used **AI agents** and custom tooling to compromise **six government entities in Mexico**, increasing the risk of follow-on intrusion and **data...
FamousSparrow Azerbaijanian oil-and-gas targeting campaign
Campaign
H score32
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...
FamousSparrow Azerbaijanian oil-and-gas targeting campaign
CampaignAbout this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...
FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company
Campaign
H score39
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...
FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company
CampaignAbout this happening: A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...
Timeline
-
01.05.2026 17:02 2 articles · 2mo ago
SHADOW-EARTH-053 espionage campaign disclosed against Asian government and defense targets
Initial DisclosureTrend Micro attributed a China-aligned espionage campaign to SHADOW-EARTH-053, saying the cluster targets government and defense sectors across South, East, and Southeast Asia and Poland, has been active since at least December 2024, and uses internet-facing Microsoft Exchange and IIS exploitation to drop Godzilla web shells, stage ShadowPad via DLL sideloading and AnyDesk, and in one case deliver Linux Noodle RAT through CVE-2025-55182.
Show sources
- China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists — thehackernews.com — 01.05.2026 17:02
- China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists — thehackernews.com — 01.05.2026 17:02