China-backed hackers hit Asian govts, defence sectors, NATO countries: Report

NEW DELHI, MAY 2 (IANS):

China-aligned hackers have targeted government and defence sectors across South, East and Southeast Asia, along with a NATO member in Europe, in a fresh cyber espionage campaign, a report has claimed.
A report by The Hacker News said the activity has been attributed to a threat cluster tracked as ‘SHADOW-EARTH-053’, which researchers assess has been active since at least December 2024 and which overlaps with previously identified groups such as Earth Alux and REF7707.
The campaign primarily exploits known vulnerabilities in internet-facing Microsoft Exchange Server and Internet Information Services (IIS) systems to breach unpatched networks, it said. Citing security researchers, the report added that the group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers, then deploys web shells for persistent access and stages ShadowPad implants.
Countries targeted include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan and Pakistan, while Poland was identified as the only European nation affected.
The attackers deploy web shells such as ‘Godzilla’ to maintain remote access and later install the ShadowPad malware using DLL side-loading techniques, often leveraging legitimate signed executables to evade detection.
The report noted that the intrusions begin with the exploitation of security flaws to gain initial access, followed by reconnaissance and lateral movement using tools such as Mimikatz and custom Remote Desktop Protocol (RDP) launchers. In some cases, the campaign also involved the exploitation of a vulnerability dubbed ‘React2Shell’ to distribute a Linux variant of Noodle RAT, a remote access trojan.
The attack chain has been linked by other researchers to a group known as ‘UNC6595’. The report also noted overlaps with another intrusion set, ‘SHADOW-EARTH-054’, across nearly half of the observed targets, particularly in Malaysia, Sri Lanka and Myanmar.
