RC RANDOM CHAOS

China-aligned crews hit Asian governments and NATO state via Exchange and IIS bugs

· via The Hacker News

China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists

Trend Micro is tracking a China-aligned espionage cluster, SHADOW-EARTH-053, active since at least December 2024 and overlapping with previously reported groups including Earth Alux and REF7707. The operators chain N-day exploits against internet-facing Microsoft Exchange and IIS servers, drop Godzilla web shells for persistence, then sideload ShadowPad through legitimately signed binaries delivered over AnyDesk. Victims span Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and one NATO member, Poland. Roughly half the targets were also hit by a near-twin sibling cluster, SHADOW-EARTH-054, though no shared tasking has been confirmed. The toolkit is heavy on open-source tradecraft: IOX, GOST, and Wstunnel for tunneling, RingQ packing for AV evasion, Mimikatz for privilege escalation, and a custom Sharp-SMBExec for lateral movement. One chain weaponized React2Shell (CVE-2025-55182) to deliver a Linux build of Noodle RAT, which Google’s threat group ties to UNC6595.

In parallel, Citizen Lab disclosed two phishing operations, GLITTER CARP and SEQUIN CARP, going after Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists alongside journalists at the ICIJ. Tradecraft leans on impersonation of known contacts and fake security alerts, AiTM phishing kits, OAuth consent abuse, and 1x1 tracking pixels for recon. GLITTER CARP overlaps with Proofpoint’s UNK_SparkyCarp and has separately phished the Taiwanese semiconductor sector; SEQUIN CARP overlaps with Volexity’s UTA0388 and Trend Micro’s TAOTH.

The through-line is that internet-facing Exchange and IIS remain the soft underbelly for state-aligned access, and that civil-society targeting is being run by what Citizen Lab assesses as a distributed contractor ecosystem aligned to PRC intelligence priorities. The defensive pivot is unglamorous: patch Exchange and IIS to current cumulative levels, and where patching lags, deploy WAF or IPS virtual patches keyed to the specific CVEs.
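Patching and virtual patching close the entry point, but the persistence step in the chain above (a web shell dropped on an Exchange or IIS host) is what a defender most often has to find after the fact. The script below is an added example, not code from Trend Micro, Citizen Lab or The Hacker News: it parses IIS W3C-format logs and flags script paths that receive POSTs outside a known-good baseline, or that only ever receive POSTs and never a GET, which is how a tool-driven web shell tends to look compared with a page a browser renders. The log lines, IP addresses, the `errorEE.aspx` path and the `BASELINE_PATHS` set are constructed for the example; a real baseline would be built from the Exchange and IIS application directories on your own servers.

```python
"""Hunt for web-shell traffic in IIS W3C logs (added example, not from the article).

Heuristics applied to every script-like path (.aspx/.ashx/.asmx/.php):
  1. a POST to a path that is not in the known-good baseline
  2. a path that only ever receives POST requests and never a GET, which is
     typical of a shell driven by a client tool rather than a browser
"""
import re
from collections import defaultdict

# Constructed sample log: default IIS W3C field set, invented hosts and addresses.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-10 09:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-01-10 09:01:15 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
2025-01-10 09:02:40 10.0.0.5 POST /aspnet_client/system_web/errorEE.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
2025-01-10 09:02:41 10.0.0.5 POST /aspnet_client/system_web/errorEE.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
2025-01-10 09:03:02 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
"""

# Constructed baseline of legitimate script endpoints (lower-cased); build yours
# from the real application directories on the server being reviewed.
BASELINE_PATHS = {"/owa/auth/logon.aspx", "/owa/auth.owa", "/ecp/default.aspx"}
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|php)$", re.IGNORECASE)


def parse_w3c(text):
    """Return one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        parts = line.split(" ")  # W3C values are space-separated and URL-encoded
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def find_webshell_candidates(rows, baseline):
    """Apply both heuristics; return a list of findings with the source IPs."""
    methods_by_path = defaultdict(set)
    post_sources = defaultdict(set)
    for r in rows:
        path = r["cs-uri-stem"].lower()
        method = r["cs-method"].upper()
        methods_by_path[path].add(method)
        if method == "POST":
            post_sources[path].add(r["c-ip"])

    findings = []
    for path, methods in methods_by_path.items():
        if not SCRIPT_EXT.search(path):
            continue
        reasons = []
        if "POST" in methods and path not in baseline:
            reasons.append("POST to script path outside baseline")
        if methods == {"POST"}:
            reasons.append("path only ever receives POST requests")
        if reasons:
            findings.append(
                {"path": path, "sources": sorted(post_sources[path]), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_webshell_candidates(parse_w3c(SAMPLE_LOG), BASELINE_PATHS):
        print(f["path"], f["sources"], "; ".join(f["reasons"]))
```

Run against the constructed sample, the only hit is the `errorEE.aspx` path, which trips both heuristics. In practice the baseline heuristic is the stronger of the two (a legitimate endpoint that only takes POSTs, such as a form handler, will trip the second one), so treat the second reason as a prioritisation signal and confirm a hit by checking the file's creation time and its contents on disk rather than from the log alone.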

This is an AI-generated summary. Read the original for the full story.