Trend Micro has published research on a China-linked espionage campaign targeting government and defense organizations across South, East, and Southeast Asia, plus one NATO member in Europe. The activity is tracked under the interim designation SHADOW-EARTH-053, meaning it has not been definitively tied to a named group. Trend Micro assesses that the cluster has been active since at least December 2024 and that its network infrastructure overlaps with other documented threat clusters.
The group primarily exploits N-day vulnerabilities in Microsoft Exchange and Internet Information Services (IIS), that is, publicly known flaws for which patches already exist. Its characteristic tradecraft is to drop a web shell such as Godzilla for persistent access to the compromised server and then use DLL sideloading to load the ShadowPad backdoor. The web shell gives the operators a foothold and remote command execution on the victim's network; ShadowPad provides the longer-term implant through which the campaign's collection goals are pursued.
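The chain above (web shell on IIS, then commands run by the worker process) is the part defenders can hunt for with data they already collect. The script below is an added example written for this page, not Trend Micro's tooling: it parses a constructed IIS W3C log excerpt and a few constructed Sysmon-style process-creation records, flags POSTs to script handlers that are not in an assumed per-server endpoint baseline, and flags the IIS worker process w3wp.exe spawning a command interpreter.

```python
"""Hunt for web-shell activity on an IIS/Exchange host.

Added example, not Trend Micro's tooling. The IIS log excerpt, the
process-creation records and the endpoint baseline are all constructed.

Heuristics:
  1. POST to a script handler (.aspx/.ashx/.asmx) whose path is not in the
     baseline of endpoints this server legitimately serves POSTs to.
  2. w3wp.exe (the IIS worker process) spawning a command interpreter.
"""
from collections import Counter

SCRIPT_EXT = (".aspx", ".ashx", ".asmx")
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                "wscript.exe", "certutil.exe", "rundll32.exe"}

# Assumed baseline (lowercase): endpoints this server legitimately serves POSTs to.
KNOWN_POST_ENDPOINTS = {"/owa/auth.owa", "/ews/exchange.asmx",
                        "/autodiscover/autodiscover.xml"}

# Constructed IIS W3C extended log excerpt (real logs carry the same #Fields header;
# IIS replaces spaces inside a field with '+', so whitespace splitting is safe).
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-01-10 08:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 203.0.113.7 Mozilla/5.0 200
2025-01-10 08:01:09 10.0.0.5 POST /owa/auth.owa - 443 203.0.113.7 Mozilla/5.0 302
2025-01-10 08:02:30 10.0.0.5 POST /ews/exchange.asmx - 443 203.0.113.8 Outlook/16.0 200
2025-01-10 08:03:44 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 198.51.100.23 Mozilla/5.0 200
2025-01-10 08:03:51 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 198.51.100.23 Mozilla/5.0 200
2025-01-10 08:05:12 10.0.0.5 GET /owa/auth/15.2/themes/logo.png - 443 203.0.113.9 Mozilla/5.0 200
"""

# Constructed Sysmon Event ID 1 (ProcessCreate) records, reduced to the fields used.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami /all"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def parse_iis(text):
    """Turn a W3C log into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records


def find_suspicious_posts(records, known=KNOWN_POST_ENDPOINTS):
    """Return [(uri, client_ip, hits)] for POSTs to script files outside the baseline."""
    hits = Counter()
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if r["cs-method"] == "POST" and uri.endswith(SCRIPT_EXT) and uri not in known:
            hits[(uri, r["c-ip"])] += 1
    return [(uri, ip, n) for (uri, ip), n in hits.most_common()]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_webshell_exec(events):
    """Return process-creation events where the IIS worker spawned an interpreter."""
    return [e for e in events
            if basename(e["ParentImage"]) == "w3wp.exe"
            and basename(e["Image"]) in INTERPRETERS]


if __name__ == "__main__":
    for uri, ip, n in find_suspicious_posts(parse_iis(IIS_LOG)):
        print(f"suspicious POSTs: {uri} from {ip} x{n}")
    for e in find_webshell_exec(PROCESS_EVENTS):
        print(f"w3wp.exe spawned: {e['CommandLine']}")
```

Both heuristics are noisy on their own (a new application release adds endpoints; some management scripts legitimately run under the app pool), which is why the baseline is per server and why a hit on both signals for the same host is the one worth escalating first.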
Targeted countries include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, with Poland the only European nation affected. Notably, Trend Micro reports that some affected entities in Malaysia, Sri Lanka, and Myanmar had also been hit by an earlier intrusion set, tracked as SHADOW-EARTH-054, indicating possible overlap in tactics and objectives, although no direct coordination between the two was observed.
The intrusion chain is consistent across victims: exploit a known, unpatched vulnerability on an internet-facing server, plant a web shell for continued access, then stage further malware through it. Not every intrusion starts at IIS, however. Trend Micro also observed exploitation of the React2Shell vulnerability to deliver a Linux build of Noodle RAT, so defenders cannot treat this as a Windows-only threat.
SHADOW-EARTH-053 also uses open-source tunneling tools and other utilities to blend its command-and-control traffic with normal activity and evade detection. For post-exploitation it runs Mimikatz to dump credentials from memory, which supply the accounts needed for privilege escalation, and moves laterally with a custom RDP launcher and a C# reimplementation of SMBExec. The mix of public tooling and bespoke components makes the activity harder to fingerprint on file hashes alone and argues for detecting the behaviour rather than the binaries.
Trend Micro stresses that vulnerabilities in internet-facing IIS applications were the primary entry vector in this campaign. Organizations should prioritize applying the vendor security updates for those products. Where patching cannot be done immediately, an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) with rules tailored to the relevant known CVEs can provide virtual patching, but it is a stopgap: it blocks known exploit patterns rather than removing the flaw, and it does nothing for a server that is already compromised.
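Two of the post-exploitation behaviours above leave well-understood traces in Windows telemetry: Mimikatz reads LSASS memory, and SMBExec-style tools install a service whose binary path is a command-shell one-liner or a UNC path. The following is an added example written for this page, not Trend Micro's detection content. The event records are constructed to mimic Sysmon Event ID 10 (ProcessAccess) and System log Event ID 7045 (a new service was installed). The command-line pattern matched is the well-known impacket smbexec.py one-liner; the C# variant described in the report may differ, so treat that regex as one signature among several, and the LSASS allowlist is an assumed per-host list.

```python
"""Detect Mimikatz-style LSASS access and SMBExec-style remote service execution.

Added example, not Trend Micro's detection content. EVENTS is constructed to
mimic Sysmon EID 10 (ProcessAccess) and System EID 7045 (service installed).
"""
import re

# Access-mask bit from OpenProcess(): reading another process's memory needs VM_READ.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of processes that legitimately open LSASS with read access.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# impacket smbexec: the service binary is a cmd one-liner that redirects command
# output into a local admin share (\\127.0.0.1\C$ or ADMIN$) for pickup over SMB.
SMBEXEC_RE = re.compile(
    r"(?:%COMSPEC%|cmd\.exe)\s+/Q\s+/c\s+echo\s.*\\\\127\.0\.0\.1\\(?:C|ADMIN)\$\\",
    re.I)

# Constructed telemetry.
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\m.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 7045, "ServiceName": "WaaSMedicSvc",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k wusvcs -p"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 7045, "ServiceName": "updsvc",
     "ImagePath": r"\\10.0.0.9\C$\Windows\Temp\updsvc.exe"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_lsass_read(ev):
    """EID 10: a non-allowlisted process opened lsass.exe with memory-read rights.

    Taskmgr-style 0x1000 (query limited info) does not set VM_READ and is ignored;
    Mimikatz's usual 0x1010 does.
    """
    if ev.get("EventID") != 10 or basename(ev["TargetImage"]).lower() != "lsass.exe":
        return False
    if not int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return False
    return basename(ev["SourceImage"]).lower() not in LSASS_READERS_ALLOWED


def classify_service(ev):
    """EID 7045: return a reason string if the new service looks like remote execution."""
    if ev.get("EventID") != 7045:
        return None
    path = ev["ImagePath"].strip()
    if SMBEXEC_RE.search(path):
        return "smbexec-style cmd one-liner"
    if path.startswith("\\\\"):
        return "service binary on a UNC path"
    return None


def find_lsass_reads(events):
    return [e for e in events if is_lsass_read(e)]


def find_remote_exec_services(events):
    out = []
    for e in events:
        reason = classify_service(e)
        if reason:
            out.append((e["ServiceName"], reason))
    return out


if __name__ == "__main__":
    for e in find_lsass_reads(EVENTS):
        print(f"LSASS read by {e['SourceImage']} ({e['GrantedAccess']})")
    for name, reason in find_remote_exec_services(EVENTS):
        print(f"service {name}: {reason}")
```

The access-mask check matters more than the exact value: tools vary the rights they request, but none can read credentials out of LSASS without VM_READ, so matching on that bit rather than on 0x1010 keeps the rule from being trivially bypassed. The service check catches the smbexec family by its mechanism (a shell one-liner or a remote binary registered as a service), which also covers most PsExec-like tools that do not bother to copy their payload locally first.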
GLITTER CARP and SEQUIN CARP Target Journalists and Activists
Separately, the Citizen Lab has identified new phishing campaigns by two China-affiliated groups it calls GLITTER CARP and SEQUIN CARP. These actors have been targeting journalists and activists in the Uyghur, Tibetan, Taiwanese, and Hong Kong communities, using carefully constructed impersonation in phishing emails that points to a methodical approach to digital espionage.
The campaigns aim to harvest credentials through phishing tactics, leveraging various forms of impersonation, including security alerts from reputable tech companies. The overlapping infrastructure and tactics employed by both groups reveal a concerted effort to disrupt voices critical of the Chinese government.
As China-linked actors continue to adopt new technologies and tactics, organizations must remain vigilant and proactive about their exposure. The breadth of targets, from government ministries and defense contractors to individual journalists, underscores the need for security strategies that address both known vulnerabilities and the evolving methods of state-sponsored threats.
Mapping the reported behaviour to the MITRE ATT&CK framework turns the narrative into concrete detection coverage to check. The techniques described for SHADOW-EARTH-053 correspond to Exploit Public-Facing Application (T1190) for initial access, Server Software Component: Web Shell (T1505.003) for persistence, Hijack Execution Flow (T1574) via DLL sideloading for loading ShadowPad, OS Credential Dumping: LSASS Memory (T1003.001) for Mimikatz, Remote Services: Remote Desktop Protocol (T1021.001) and SMB/Windows Admin Shares (T1021.002) for lateral movement, and Protocol Tunneling (T1572) for the tunneling utilities. The GLITTER CARP and SEQUIN CARP campaigns map to Phishing (T1566) for credential theft. Each of these is a specific place to verify that logging exists and that a detection would fire.
By fortifying defenses and enhancing detection capabilities, organizations can better safeguard their sensitive information and operational integrity against these new waves of cyber threats.