China-Backed Hackers Target Asian Governments, NATO Member in New Cyber Campaign

China-aligned hackers have launched a fresh cyber espionage campaign targeting government and defence sectors across South, East and Southeast Asia, along with a NATO member in Europe. The threat cluster, tracked as SHADOW-EARTH-053, exploits vulnerabilities in Microsoft Exchange Server and IIS systems to deploy ShadowPad malware and web shells. Countries targeted include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan, Pakistan, and Poland. Researchers also flagged phishing campaigns by two other China-linked groups targeting journalists and civil society groups.

Key Points: China Hackers Hit Asian Governments, NATO: Report

  • China-linked SHADOW-EARTH-053 group targets Asian govts & defence sectors
  • Exploits Microsoft Exchange/IIS flaws to deploy ShadowPad malware
  • 7 Asian nations hit including India, Taiwan, Pakistan; Poland only European target
  • Also linked to phishing campaigns by GLITTER CARP & SEQUIN CARP groups

China-backed hackers hit Asian govts, defence sectors, NATO countries: Report

China-aligned hackers target govts & defence in Asia & a NATO nation. Exploit Microsoft Exchange flaws, deploy ShadowPad malware. India, Taiwan among targets.

"The campaign primarily exploits known vulnerabilities in internet-facing Microsoft Exchange Server and Internet Information Services (IIS) systems to breach unpatched networks." - The Hacker News report

New Delhi, May 2

China-aligned hackers have targeted government and defence sectors across South, East and Southeast Asia, along with a NATO member in Europe, in a fresh cyber espionage campaign, a report has claimed.

A report by The Hacker News highlighted that the activity has been attributed to a threat cluster tracked as 'SHADOW-EARTH-053', which researchers assess has been active since at least December 2024, and shares overlaps with previously identified groups such as Earth Alux and REF7707.

The campaign primarily exploits known vulnerabilities in internet-facing Microsoft Exchange Server and Internet Information Services (IIS) systems to breach unpatched networks, it said.

Security researchers cited in the report said the group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers, then deploys web shells for persistent access and stages ShadowPad implants.

Countries targeted include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan and Pakistan, while Poland was identified as the only European nation affected.

The attackers deploy web shells such as 'Godzilla' to maintain remote access and later install the ShadowPad malware using DLL side-loading techniques, often leveraging legitimate signed executables to evade detection.

The report noted that the intrusions begin with the exploitation of security flaws to gain initial access, followed by reconnaissance and lateral movement using tools such as Mimikatz and custom remote desktop protocol launchers.

In some cases, the campaign also involved the exploitation of a vulnerability dubbed 'React2Shell' to distribute a Linux variant of Noodle RAT, a remote access trojan.

The attack chain has been linked by other researchers to a group known as 'UNC6595'.

The report noted overlaps with another intrusion set, 'SHADOW-EARTH-054', with nearly half of the observed targets, particularly in Malaysia, Sri Lanka and Myanmar, having previously been compromised, though no direct operational coordination between the two has been confirmed.

To evade detection and maintain persistence, the attackers also used open-source tunnelling tools such as IOX, GOST and Wstunnel, along with packing utilities to conceal malicious binaries, according to the report.

Trend Micro advised organisations to prioritise patching of Microsoft Exchange and IIS systems and deploy intrusion prevention or web application firewall solutions where immediate updates are not feasible.

Meanwhile, researchers flagged phishing campaigns by two other China-linked groups, dubbed 'GLITTER CARP' and 'SEQUIN CARP', targeting journalists and civil society groups.

The campaigns, first detected in April and June 2025, impersonated journalists, organisations and technology firms in phishing emails aimed at stealing credentials or gaining access to accounts.

- IANS


Reader Comments

Priya S
It's concerning that these hackers are using known vulnerabilities in Microsoft systems. Why are our government departments still running unpatched software? This is a basic oversight. Personally, I think we need a mandatory cyber security audit for all government agencies every quarter. Better safe than sorry.

Michael C
This is wild. Targeting multiple Asian nations and even a NATO country. It really shows how cyber warfare knows no borders. I hope India is collaborating with allies like the US and Japan to share threat intelligence. We can't fight this alone, especially against such sophisticated actors.

Rohit P
As someone working in IT, I can tell you that many small and medium enterprises in India don't even know what a 'patch' is. The hackers exploit this ignorance. The government should run awareness campaigns for businesses too. Also, why is Pakistan targeted? That seems interesting given the tensions between India and Pakistan. 🤔

Kavya N
Honestly, I'm not surprised. China has been accused of such activities for years. What's the point of signing agreements if they keep doing this? India needs to be more vocal at international forums. Also, the mention of Taiwan as a target—this is clearly a geopolitical play. Stay vigilant, everyone!
