China-linked hackers hit Asian governments, Poland

Actors exploited Microsoft Exchange and IIS flaws to breach government and defense networks across South, East and Southeast Asia and Poland and ran phishing campaigns.
Security researchers report a China-linked cluster used unpatched Microsoft Exchange and Internet Information Services (IIS) vulnerabilities to breach government and defense networks across South, East and Southeast Asia and Poland. The intrusions used web shells and ShadowPad implants for persistent access, and separate phishing campaigns targeted journalists, diaspora activists and civil-society figures.
Trend Micro attributes the intrusions to a cluster it temporarily calls SHADOW-EARTH-053 and says the activity dates to at least December 2024. The company identified victims in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka and Taiwan, with Poland the only European government observed. Trend Micro reported overlap in infrastructure and techniques with several other tracked clusters but found no direct evidence of coordinated operations among them.
According to Trend Micro’s analysis, attackers exploited known, internet-facing Exchange and IIS flaws, including chains tied to ProxyLogon, to gain initial access to unpatched servers. The intruders deployed a Godzilla web shell to execute commands remotely, then used AnyDesk to deliver ShadowPad backdoors by DLL sideloading of legitimately signed executables. Trend Micro researchers wrote, “The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables.”
Researchers also linked the React2Shell vulnerability tracked as CVE-2025-55182 to delivery of a Linux build of Noodle RAT (also called ANGRYREBEL). Google’s threat team associated that chain with a group it tracks as UNC6595. Operators used tunneling tools such as IOX, GO Simple Tunnel (GOST) and Wstunnel, packers like RingQ, and tooling for privilege escalation and lateral movement including Mimikatz, a custom remote desktop protocol launcher, and Sharp-SMBExec.
Citizen Lab identified two separate China-affiliated clusters conducting targeted phishing against journalists, diaspora activists and NGOs. The clusters, codenamed GLITTER CARP and SEQUIN CARP, were first detected in April and June 2025. Citizen Lab noted the campaigns impersonated known individuals and tech-company security alerts to trick recipients into giving up credentials or granting third-party OAuth access. GLITTER CARP has also targeted the Taiwanese semiconductor sector. The phishing campaigns used adversary-in-the-middle kits, small tracking pixels to confirm message opens, credential-harvesting pages and social engineering to obtain OAuth tokens. Citizen Lab observed repeated reuse of domains and impersonated identities across campaigns and described the activity as a distributed network of actors carrying out digital transnational repression.
Trend Micro urged organizations to apply current security updates and cumulative patches to Exchange and web applications hosted on IIS. Where immediate patching is not possible, the company recommended deploying intrusion prevention systems or web application firewalls with rules tuned to block exploit attempts against the known flaws.
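Alongside the patching and WAF guidance above, defenders can also hunt the web-shell stage described earlier in IIS request logs. The following Python script is an added example, not code from the Trend Micro or Citizen Lab reports: it flags POST requests to script files under Exchange virtual directories that do not appear in a known-clean baseline. The sample log lines, the field order, the path prefixes and the baseline set are all constructed assumptions.

```python
from collections import defaultdict

# IIS W3C field order assumed for the constructed sample (real logs declare
# their order in a "#Fields:" header line, which this parser skips).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "user", "c_ip", "user_agent", "status"]

# Constructed sample: one client browses OWA normally, another POSTs to
# .aspx files that are not part of the Exchange install (web-shell pattern).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-10 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2025-01-10 08:01:40 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0 302
2025-01-10 08:02:03 10.0.0.5 POST /owa/auth/help.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2025-01-10 08:02:05 10.0.0.5 POST /owa/auth/help.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2025-01-10 08:03:30 10.0.0.5 POST /aspnet_client/sys.aspx - 443 - 198.51.100.7 python-requests/2.31 200
"""

# Assumed baseline of script paths shipped with the product; in practice build
# it from a known-clean server or a file-integrity inventory, not by hand.
BASELINE = {"/owa/auth/logon.aspx", "/owa/auth.owa"}

def parse_line(line):
    """Split one W3C log line into a dict; return None for headers/short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def find_webshell_candidates(log_text, baseline=BASELINE):
    """Return {uri_stem: {"clients": [...], "posts": n}} for script files that
    sit under an Exchange/IIS web root, are absent from the baseline, and
    receive POST requests (web shells take their commands in the body)."""
    hits = defaultdict(lambda: {"clients": set(), "posts": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        stem = rec["uri_stem"].lower()
        if not stem.startswith(("/owa/", "/ecp/", "/aspnet_client/")):
            continue
        if not stem.endswith((".aspx", ".ashx", ".asmx")) or stem in baseline:
            continue
        hits[stem]["clients"].add(rec["c_ip"])
        hits[stem]["posts"] += 1
    return {k: {"clients": sorted(v["clients"]), "posts": v["posts"]}
            for k, v in hits.items()}
```

Any hit is a lead, not a verdict: confirm it against the file on disk (creation time, content, signature of the process that wrote it) before declaring a web shell.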
Researchers provided technical indicators and defensive recommendations to affected organizations and published details of the tools and domains observed during the investigations.