China-backed hackers hit Asian governments, defense sectors

May 15, 2026

China-aligned cyberespionage activity against Asian government and defense-linked networks remains both persistent and structurally conservative, relying on well-established tradecraft rather than novel exploits. A newly detailed campaign, attributed to the intrusion cluster SHADOW-EARTH-053, highlights how long-exposed enterprise infrastructure continues to serve as a reliable access vector for state-linked intelligence collection.

SHADOW-EARTH-053 has been active since at least late 2024 and is assessed to have targeted government ministries and defense-adjacent sectors across South, East, and Southeast Asia, with one confirmed victim within a European member of NATO. The geographic footprint spans India, Pakistan, Sri Lanka, Myanmar, Thailand, Malaysia, and Taiwan, with Poland identified as the sole European target, suggesting a campaign centered on Asian geopolitical priorities with limited but deliberate reach beyond the region.

Operationally, the campaign is built around the exploitation of N-day vulnerabilities in internet-facing Microsoft Exchange Server and Internet Information Services (IIS) deployments. These weaknesses—long patched but still prevalent in government and legacy environments—enable attackers to gain an initial foothold with minimal resistance. Once access is established, the actors deploy web shells, most commonly GODZILLA variants, to maintain persistent remote control over compromised servers.
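The defensive counterpart to the access layer described above is hunting for web shell traffic in the server's own request logs. The following is an added example, not code from the article or from the researchers it cites: it parses IIS W3C-format logs using the `#Fields:` header to map columns, then flags script paths that receive repeated POST requests but are not on an allowlist of endpoints a legitimate Exchange client is expected to POST to. The log lines, the allowlist and the IP addresses are constructed for illustration; a real allowlist is derived from the server's own baseline.

```python
"""Hunt for web-shell-like request patterns in IIS W3C logs.

Added example (not from the original article). A dropped web shell is driven
through repeated POSTs to a script file, so we look for POSTs to script
extensions outside a known-good set of endpoints.
"""
from collections import Counter, defaultdict

# Constructed sample log. IIS writes a '#Fields:' header that defines the
# column order, and replaces spaces inside field values (e.g. User-Agent) with
# '+', so splitting on single spaces is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2026-05-01 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 198.51.100.7 Mozilla/5.0 200
2026-05-01 08:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 198.51.100.7 Mozilla/5.0 302
2026-05-01 08:01:12 10.0.0.5 POST /aspnet_client/system_web/cache.aspx - 203.0.113.9 Java/1.8.0_202 200
2026-05-01 08:01:13 10.0.0.5 POST /aspnet_client/system_web/cache.aspx - 203.0.113.9 Java/1.8.0_202 200
2026-05-01 08:01:15 10.0.0.5 POST /aspnet_client/system_web/cache.aspx - 203.0.113.9 Java/1.8.0_202 200
2026-05-01 08:02:00 10.0.0.5 GET /ecp/default.aspx - 198.51.100.8 Mozilla/5.0 200
"""

# Constructed allowlist of script paths a normal Exchange/OWA client POSTs to.
# In practice this is built from the server's own traffic baseline.
ALLOWED_POST_PATHS = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")


def parse_w3c(text):
    """Parse W3C extended log text into a list of {field: value} dicts."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line appeared before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_webshell_candidates(rows, allowed=ALLOWED_POST_PATHS, min_posts=2):
    """Return {uri_stem: {"posts": n, "clients": [...]}} for script paths that
    receive at least `min_posts` POST requests and are not on the allowlist."""
    posts = Counter()
    clients = defaultdict(set)
    for row in rows:
        stem = row["cs-uri-stem"].lower()
        if row["cs-method"] != "POST" or not stem.endswith(SCRIPT_EXTENSIONS):
            continue
        if stem in allowed:
            continue
        posts[stem] += 1
        clients[stem].add(row["c-ip"])
    return {
        stem: {"posts": n, "clients": sorted(clients[stem])}
        for stem, n in posts.items()
        if n >= min_posts
    }


def hunt(text):
    """Convenience wrapper: parse the log text and return the candidates."""
    return find_webshell_candidates(parse_w3c(text))


if __name__ == "__main__":
    for stem, info in hunt(SAMPLE_LOG).items():
        print(f"{stem}: {info['posts']} POSTs from {', '.join(info['clients'])}")
```

Each hit should be triaged against the file system: a script file under a web root whose creation time post-dates the last legitimate deployment, and whose path has no history in older logs, is the combination worth escalating.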

From this access layer, SHADOW-EARTH-053 transitions into a familiar post-exploitation phase. Reconnaissance and lateral movement are conducted using a mix of commodity and bespoke tooling, including credential theft utilities such as Mimikatz and custom remote desktop launchers. The campaign’s longer-term persistence mechanism relies on the deployment of ShadowPad, staged through DLL sideloading techniques that abuse legitimate, digitally signed executables. This approach allows malicious payloads to blend into trusted execution chains, complicating detection and forensic attribution.
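The sideloading pattern described above has a simple structural signature from the defender's side: a signed executable in a writable or non-standard directory with an unsigned DLL, or a DLL from a different signer, sitting beside it. The following is an added example, not code from the article: it takes a file inventory (constructed here; in practice produced by an EDR export or a signature audit such as PowerShell's `Get-AuthenticodeSignature`) and returns the EXE/DLL pairs that fit that pattern, skipping the Windows system directories where a different-signer DLL is expected. Paths, signer names and hashes are constructed placeholders.

```python
"""Triage heuristic for DLL sideloading staging.

Added example (not from the original article). The loader resolves many DLLs
from the application directory before the system directories, so an attacker
DLL placed next to a legitimately signed EXE is loaded inside a trusted-looking
process. We flag directories where that layout appears.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ntpath  # Windows path semantics regardless of the analysis host


@dataclass(frozen=True)
class FileRecord:
    path: str
    signed: bool
    signer: Optional[str]  # Authenticode signer subject, None if unsigned
    sha256: str


# Constructed inventory. Hashes are placeholders, not indicators from the page.
INVENTORY = [
    FileRecord(r"C:\Program Files\Vendor\Tool\tool.exe", True, "Vendor Corp", "PLACEHOLDER_HASH_1"),
    FileRecord(r"C:\Program Files\Vendor\Tool\helper.dll", True, "Vendor Corp", "PLACEHOLDER_HASH_2"),
    FileRecord(r"C:\Users\Public\Updater\updater.exe", True, "Other Vendor Ltd", "PLACEHOLDER_HASH_3"),
    FileRecord(r"C:\Users\Public\Updater\log.dll", False, None, "PLACEHOLDER_HASH_4"),
    FileRecord(r"C:\Users\Public\Updater\config.dat", False, None, "PLACEHOLDER_HASH_5"),
    FileRecord(r"C:\Windows\System32\version.dll", True, "Microsoft Windows", "PLACEHOLDER_HASH_6"),
]

# System directories where DLLs legitimately carry a different signer than
# the application that loads them.
TRUSTED_DIR_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")


def find_sideload_candidates(inventory):
    """Return a list of findings, one per (signed EXE, suspicious DLL) pair
    sharing a directory outside the trusted system directories."""
    by_dir = defaultdict(list)
    for rec in inventory:
        by_dir[ntpath.dirname(rec.path).lower()].append(rec)

    findings = []
    for directory, files in by_dir.items():
        if directory.startswith(TRUSTED_DIR_PREFIXES):
            continue
        exes = [f for f in files if f.signed and f.path.lower().endswith(".exe")]
        dlls = [f for f in files if f.path.lower().endswith(".dll")]
        if not exes or not dlls:
            continue
        for dll in dlls:
            for exe in exes:
                if not dll.signed:
                    reason = "unsigned DLL beside signed EXE"
                elif dll.signer != exe.signer:
                    # Common for legitimate third-party components too, so this
                    # is a lower-confidence signal that needs vendor baseline checks.
                    reason = "DLL signer differs from EXE signer"
                else:
                    continue
                findings.append({
                    "exe": exe.path,
                    "dll": dll.path,
                    "reason": reason,
                    "dll_sha256": dll.sha256,
                })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(INVENTORY):
        print(f"{f['reason']}: {f['dll']} (loaded by {f['exe']})")
```

The unsigned-beside-signed case is the strong signal; the signer-mismatch case produces false positives for legitimately bundled components and is best compared against the vendor's published file manifest before escalation.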

Researchers note that SHADOW-EARTH-053 exhibits overlaps with previously documented China-aligned clusters, including Earth Alux and REF7707, particularly in tooling and exploitation patterns. However, the activity is currently tracked as a distinct threat cluster, reflecting either task-specific operations or parallel exploitation by actors drawing from a shared ecosystem of malware and access techniques rather than direct operational coordination.

Strategically, the campaign aligns with long-standing Chinese intelligence objectives in Asia: sustained visibility into government decision-making, defense planning, and regional security dynamics. The inclusion of a European NATO member as a target suggests opportunistic expansion or selective intelligence requirements rather than a broad pivot toward Europe.

Overall, SHADOW-EARTH-053 illustrates a recurring reality in state-sponsored cyber operations. The effectiveness of the campaign does not stem from technical innovation, but from disciplined execution, patience, and the continued presence of unpatched, internet-facing infrastructure within sensitive government environments. As long as these structural weaknesses persist, such actors can achieve strategic intelligence access with comparatively low operational risk.