Another day, another nation-state cyber-spook show. This time, the players are China-linked, and the targets span a frankly alarming spectrum: governments from Pakistan to Poland, defense sectors, journalists sniffing around sensitive topics, and activists — you know, the ones who annoy Beijing.
Trend Micro calls this particular flavor of digital mayhem SHADOW-EARTH-053. They’ve been at it since at least December, and while they claim some distant cousins to other known bad actors, the tactics are distressingly familiar. Exploit known holes in Microsoft Exchange and IIS servers? Check. Drop web shells like Godzilla for persistent access? Check. Then layer on ShadowPad implants using DLL sideloading. It’s the playbook, updated.
And the victim list? It’s a geopolitical who’s who of trouble: Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan. Then there’s Poland, the lone European NATO member apparently caught in the dragnet. Almost half of these SHADOW-EARTH-053 targets, especially those in Malaysia, Sri Lanka, and Myanmar, were also previously compromised by a related crew, SHADOW-EARTH-054. No direct coordination observed, they say. Right.
The initial breach is blunt rather than clever: find an internet-facing Exchange or IIS server that still hasn't been patched for a publicly known vulnerability, and exploit it. Get in, plant a web shell (a script dropped into the web root that turns ordinary HTTP requests into remote command execution, a backdoor with a browser-friendly front door). From there it's reconnaissance, then the ShadowPad backdoor, staged through DLL sideloading, a neat trick that runs the attacker's code inside a trusted, signed program so it looks like it belongs.
They even weaponized a React2Shell flaw to distribute a Linux version of Noodle RAT. Yes, RAT. Google Threat Intelligence linked that whole chain to UNC6595. The rest of the kit is off the shelf: IOX, GO Simple Tunnel and Wstunnel for tunneling out of the network, RingQ to pack binaries so they slip past static scanners, Mimikatz to dump credentials from memory (the usual route to escalated privileges), and Sharp-SMBExec to reuse those credentials for lateral movement over SMB. It's a veritable smorgasbord of nasty, and almost none of it is custom, which is exactly why it's cheap to field.
Trend Micro’s advice is, predictably, to patch your systems. Groundbreaking. But they also suggest Intrusion Prevention Systems or Web Application Firewalls as a stopgap: block the known exploit traffic at the edge until the fix is actually installed. Virtual patching, they call it. It only covers the exploits your vendor already has signatures for, and it still assumes every organization has the resources for that level of immediate, customized defense.
GLITTER CARP and SEQUIN CARP: The Whispers That Bite
But the government-level espionage is only half the story. Citizen Lab dropped a separate bombshell about two other China-affiliated groups, GLITTER CARP and SEQUIN CARP. Their game? Targeting journalists and civil society groups. Uyghur, Tibetan, Taiwanese, Hong Kong diaspora activists – the usual suspects who might, you know, report or protest inconvenient truths. These campaigns popped up in April and June.
GLITTER CARP has been busy impersonating people and tech company security alerts to trick journalists, particularly those at the International Consortium of Investigative Journalists (ICIJ). SEQUIN CARP went after ICIJ journalist Scilla Alecci and others covering topics sensitive to Beijing. They’re reusing the same infrastructure, the same domains and the same impersonated individuals across multiple targets. It’s an industrial-scale surveillance and credential-theft operation, dressed up as routine security notices.
GLITTER CARP also got its hands dirty with phishing attacks on Taiwan’s semiconductor industry. Proofpoint saw some of that back in July, calling it UNK_SparkyCarp. SEQUIN CARP, meanwhile, has ties to Volexity’s UTA0388 and Trend Micro’s TAOTH. It’s all connected, a tangled web of influence and intrusion.
The goal? Stealing email credentials, harvesting information through phishing pages, or socially engineering targets into authorizing a third-party app, which hands the attacker an OAuth token for the mailbox. That last one deserves a second look: the victim logs in legitimately, MFA included, and then clicks “Allow”, so no password is stolen and the second factor is never challenged, and the access persists until someone revokes the grant. GLITTER CARP even uses 1x1 tracking pixels to confirm whether emails have been opened, telling the operator which addresses are live and when the target read the message. Small details. Big implications.
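Those pixels are easy to spot once you know what to look for. The script below is an added example, not Citizen Lab’s code or anything recovered from these campaigns: it parses an HTML email body and flags remote images that are 1x1, hidden by CSS, or carry a long opaque per-recipient token in their URL. The sample message, domains and token are constructed for illustration.

```python
"""Flag remote tracking pixels in an HTML email body.

Added example, not Citizen Lab's or the threat actor's code. The email
below is constructed for illustration; the domains and token are made up.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.imgs: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _px(value: Optional[str]) -> Optional[int]:
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _style_dims(style: str) -> Dict[str, int]:
    return {m.group(1).lower(): int(m.group(2))
            for m in re.finditer(r"(width|height)\s*:\s*(\d+)", style, re.I)}


def find_tracking_pixels(html: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (src, reasons) for each remote image that looks like a beacon."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.imgs:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images cannot phone home
        style = attrs.get("style", "")
        dims = _style_dims(style)
        width = dims.get("width", _px(attrs.get("width")))
        height = dims.get("height", _px(attrs.get("height")))
        reasons = []
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 dimensions")
        if "display:none" in style.replace(" ", "").lower():
            reasons.append("hidden by CSS")
        # A long opaque segment in the path or query ties the fetch to one
        # recipient; that is what turns a logo into a read receipt.
        candidates = [url.path.rsplit("/", 1)[-1]]
        candidates += [v for vs in parse_qs(url.query).values() for v in vs]
        if any(re.fullmatch(r"[A-Za-z0-9_\-.=]{24,}", c) for c in candidates):
            reasons.append("per-recipient token in URL")
        if reasons:
            hits.append((src, tuple(reasons)))
    return hits


# Constructed sample: a fake "security alert" with a logo, an inline
# attachment reference and a beacon.
SAMPLE_EMAIL = """
<html><body>
<img src="https://mail-security.example/logo.png" width="200" height="50">
<p>Unusual sign-in detected. Review the activity <a href="#">here</a>.</p>
<img src="cid:attachment001">
<img src="https://mail-security.example/o/Zk3pQ9vL2xR7tB1nW5cH8sD4fG6jK0mY.gif"
     width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
```

The three indicators are scored independently because real beacons rarely show all of them; a mail client that blocks remote images by default defeats every variant, which is the setting worth turning on before reading anything that claims to be a security alert.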
This isn’t just about data theft. It’s about silencing dissent, controlling narratives, and undermining democratic processes. The tech is sophisticated, the tactics are relentless, and the targets are those brave enough to speak out or report the truth. It’s a chilling reminder that the digital battlefield extends far beyond mere corporate espionage.
“The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables.”
This isn’t just about patching vulnerabilities; it’s about understanding the motivations behind persistent, well-funded cyber operations. While corporations and governments scramble to keep pace with exploits, the real battle is being waged by those seeking to control information and suppress opposition. And that, frankly, is a fight we’re only just beginning to understand.
Why Does This Matter for Journalists?
It matters because the tools used against governments are now being turned on the Fourth Estate. Impersonation, sophisticated phishing, and credential harvesting are no longer exclusive to state-sponsored espionage against rival nations. Journalists, especially those investigating sensitive topics like human rights abuses or geopolitical tensions, are now front-line targets. The ability to access their communications and sources is a direct threat to investigative reporting and, by extension, to public accountability. This campaign isn’t just a data breach; it’s an attack on the free press.
How Does SHADOW-EARTH-053 Use Godzilla?
SHADOW-EARTH-053 utilizes the Godzilla web shell as a critical component for establishing persistent access to compromised systems. After exploiting vulnerabilities to gain initial entry, the threat actor drops Godzilla into the web root, where it functions as a command-and-control interface reached over ordinary HTTP(S): the attacker’s commands ride inside encrypted request bodies that look like any other traffic to the server. This allows them to execute arbitrary commands remotely, perform reconnaissance on the victim’s network, and ultimately stage further malicious implants like ShadowPad, all while maintaining a covert presence. Because the payloads are encrypted, signature matching on the wire is largely useless; the reliable tells are on the host, such as the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe, or new script files appearing in the web directories.
What is DLL Sideloading?
DLL sideloading is a technique where a legitimate, signed executable is made to load a malicious Dynamic Link Library (DLL) in place of the one it expects. When the legitimate program starts, Windows resolves the DLLs it imports by searching a fixed sequence of locations, and the directory the executable was launched from comes first. If the attacker copies the signed program somewhere they control and places a DLL with the expected name beside it, the program loads the attacker’s DLL before it ever looks in System32. (Windows exempts a short list of “known DLLs” from this search, which is why the sideloaded names are second-tier libraries like version.dll rather than kernel32.dll.) The malicious DLL typically exports the same function names as the real one and forwards them through to it, so the host application keeps working while the attacker’s code runs under the guise of a trusted, signed process. The detection opportunity is the mismatch: a vendor-signed executable running from a user-writable path, loading an unsigned DLL from its own directory that carries the name of a system library.
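That mismatch is mechanical enough to hunt for. The script below is an added example, not Trend Micro’s tooling or anything taken from the SHADOW-EARTH-053 reporting: it scores Sysmon-style image-load events (the Image, ImageLoaded, Signed and SignatureStatus fields of Event ID 7) and flags a load as a sideloading candidate only when two or more indicators line up. The DLL list, the user-writable roots and the sample events are assumptions constructed for illustration, not indicators from any real incident.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load events.

Added example, not Trend Micro's or Citizen Lab's code. The input shape
mirrors Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus);
the events, paths and vendor names below are constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Libraries a process normally resolves from System32. Seeing one of these
# loaded from the host executable's own directory is the classic tell.
# Assumed starter list; extend it from your own baseline.
SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
    "userenv.dll", "winhttp.dll", "dwmapi.dll", "profapi.dll",
}

# Roots where a vendor-signed binary has no business running from.
USER_WRITABLE_ROOTS = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\",
)


@dataclass(frozen=True)
class Finding:
    image: str
    dll: str
    reasons: Tuple[str, ...]


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def assess(event: dict) -> Optional[Finding]:
    """Score one image-load event; return a Finding when two or more
    side-loading indicators line up, so a lone unsigned plugin DLL in
    Program Files does not page anyone."""
    image, dll = event["Image"], event["ImageLoaded"]
    if _parent(image) != _parent(dll):
        return None  # side-loading needs the DLL beside the host binary
    reasons = []
    if PureWindowsPath(dll).name.lower() in SYSTEM_DLLS:
        reasons.append("system DLL name resolved from application directory")
    signed = str(event.get("Signed", "false")).lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("DLL unsigned or signature invalid")
    if _parent(image).startswith(USER_WRITABLE_ROOTS):
        reasons.append("host executable in user-writable directory")
    if len(reasons) < 2:
        return None
    return Finding(image, dll, tuple(reasons))


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(assess, events) if f is not None]


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {   # Ordinary unsigned plugin beside its host: one indicator, ignored.
        "Image": "C:\\Program Files\\ExampleVendor\\app.exe",
        "ImageLoaded": "C:\\Program Files\\ExampleVendor\\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # System32 loading its own version.dll: same directory, but signed
        # and in a protected path, so only one indicator.
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # The pattern in the article: signed vendor binary copied to a
        # public folder, loading an unsigned version.dll next to it.
        "Image": "C:\\Users\\Public\\Libraries\\VendorUpdater.exe",
        "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # Tool in Temp loading the real version.dll from System32:
        # different directories, not side-loading.
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe",
        "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image} -> {f.dll}")
        for r in f.reasons:
            print(f"    {r}")
```

The two-indicator threshold is a deliberate trade: a signed host in Program Files loading its own unsigned plugin is normal, and System32 resolving version.dll from System32 is normal, but a signed updater sitting in C:\Users\Public loading an unsigned version.dll from the same folder is the exact shape the article describes. Tune the DLL list and the root list against a week of your own image-load telemetry before trusting it in production.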
Frequently Asked Questions
What does SHADOW-EARTH-053 do?
SHADOW-EARTH-053 is a China-aligned threat actor engaging in espionage. They target governments and defense sectors, primarily by exploiting vulnerabilities, deploying web shells for persistent access, and then using implants like ShadowPad to steal information.
Are journalists really being targeted by Chinese hackers?
Yes. Groups like GLITTER CARP and SEQUIN CARP, identified by Citizen Lab, are specifically targeting journalists and activists with sophisticated phishing and impersonation schemes to harvest credentials and gain access to sensitive information.
Should I be worried about these exploits?
If you are part of a government, defense sector, or are a journalist investigating sensitive topics, then yes, you should be very concerned. General users should still practice good cyber hygiene, keeping software updated and being wary of suspicious links and emails.