A large-scale Chinese cyber-espionage operation tracked as SHADOW-EARTH-053 has been targeting government, defense, and critical infrastructure organizations across at least eight countries including NATO member Poland, according to a comprehensive report by Trend Micro researchers Daniel Lunghi and Lucas Silva. The campaign deploys the ShadowPad backdoor and Linux NoodleRAT through exploitation of unpatched Microsoft Exchange and IIS servers.

The operation has been active since at least December 2024, and the operators have dwelt in victim networks for up to eight months before deploying their final-stage implants. Targets include government and military entities in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, as well as Polish defense sector organizations. A secondary cluster, designated SHADOW-EARTH-054, accounts for roughly half of the identified victims.

Initial access is achieved through the ProxyLogon chain, CVE-2021-26855 (a pre-authentication server-side request forgery) combined with CVE-2021-27065 (a post-authentication arbitrary file write), which still works against the many internet-facing Exchange servers left unpatched years after disclosure. Attackers drop Godzilla web shells into the IIS web root for persistence, then load ShadowPad by DLL sideloading: a legitimately signed executable is placed next to a malicious DLL bearing the name of a library the executable imports, so the Windows loader runs the attacker's code inside a trusted process. Lateral movement relies on Sharp-SMBExec for remote command execution over SMB and on Mimikatz for credential harvesting, while tunneling tools such as IOX and GOST provide covert command-and-control channels and pivots into internal networks.

Citizen Lab identified parallel clusters designated GLITTER CARP and SEQUIN CARP targeting journalists at the International Consortium of Investigative Journalists and civil society organizations including the World Uyghur Congress. These operations employ adversary-in-the-middle phishing kits, which relay the victim's login to the real identity provider and capture the resulting session cookie, defeating passwords and most non-phishing-resistant MFA, and OAuth token harvesting, typically by tricking the user into consenting to an attacker-controlled application, which yields refresh tokens that survive a password reset. Google Threat Intelligence Group, Volexity, and Proofpoint independently track overlapping infrastructure.
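The OAuth consent audit that this kind of token harvesting calls for, as an added example that is not code from Citizen Lab or the Trend Micro report: it runs over a constructed export shaped like the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` objects and ranks grants that combine mailbox or file scopes with an unverified multi-tenant publisher or per-user consent including `offline_access`. The home tenant id, the Microsoft first-party owner id, the app names and the risk rules are assumptions.

```python
"""Audit Entra ID OAuth consent grants for consent-phishing style access.

Added example, not code from the report or from Citizen Lab. It runs over a
constructed export shaped like Microsoft Graph oauth2PermissionGrants and
servicePrincipals objects; the home tenant id, the Microsoft first-party
owner id, the app names and the risk rules are assumptions.
"""
HOME_TENANT = "11111111-1111-1111-1111-111111111111"       # assumed home tenant id
MICROSOFT_OWNER = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"  # assumed first-party owner id

# Assumed: delegated scopes a token-harvesting kit wants for mailbox and file access.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}

SERVICE_PRINCIPALS = {  # constructed, keyed by service principal object id
    "sp-teams": {"displayName": "Microsoft Teams", "appOwnerOrganizationId": MICROSOFT_OWNER,
                 "verifiedPublisher": {"displayName": "Microsoft Corporation"}},
    "sp-scan": {"displayName": "Mail Security Scanner",
                "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
                "verifiedPublisher": {"displayName": None}},
    "sp-lob": {"displayName": "Expense Tool", "appOwnerOrganizationId": HOME_TENANT,
               "verifiedPublisher": {"displayName": None}},
}
GRANTS = [  # constructed oauth2PermissionGrants
    {"id": "g1", "clientId": "sp-teams", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Chat.ReadWrite"},
    {"id": "g2", "clientId": "sp-scan", "consentType": "Principal", "principalId": "user-42",
     "scope": "Mail.Read Mail.Send offline_access User.Read"},
    {"id": "g3", "clientId": "sp-lob", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.Read.All offline_access"},
    {"id": "g4", "clientId": "sp-scan", "consentType": "Principal", "principalId": "user-43",
     "scope": "User.Read"},
]


def assess_grant(grant, sps):
    """Return the reasons a grant deserves review; an empty list means nothing notable."""
    sp = sps[grant["clientId"]]
    risky = sorted(set(grant["scope"].split()) & HIGH_RISK_SCOPES)
    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + " ".join(risky))
    external = sp["appOwnerOrganizationId"] != HOME_TENANT
    unverified = not (sp.get("verifiedPublisher") or {}).get("displayName")
    if external and unverified:
        reasons.append("multi-tenant app with no verified publisher")
    if grant["consentType"] == "Principal" and "offline_access" in risky:
        reasons.append("individual user consent including refresh tokens")
    return reasons


def suspicious_grants(grants, sps):
    """Grants with risky scopes plus at least one aggravating factor, worst first."""
    ranked = []
    for g in grants:
        reasons = assess_grant(g, sps)
        if len(reasons) >= 2 and reasons[0].startswith("high-risk"):
            ranked.append((g["id"], sps[g["clientId"]]["displayName"], reasons))
    return sorted(ranked, key=lambda r: -len(r[2]))


def revoke_url(grant_id):
    """Graph resource to DELETE in order to revoke a delegated grant."""
    return f"https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{grant_id}"


if __name__ == "__main__":
    for grant_id, app, reasons in suspicious_grants(GRANTS, SERVICE_PRINCIPALS):
        print(grant_id, app)
        for reason in reasons:
            print("   -", reason)
        print("   revoke: DELETE", revoke_url(grant_id))
```

Pull the live data with `GET /v1.0/oauth2PermissionGrants` and `GET /v1.0/servicePrincipals` (or the equivalent Microsoft Graph PowerShell cmdlets) and replace the two constructed tables. Deleting the grant alone leaves already-issued refresh tokens valid until they expire, so after revoking a grant that harvested tokens also call `POST /v1.0/users/{id}/revokeSignInSessions` for the consenting user.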

Trend Micro assesses with medium confidence that the operators are commercial contractors hired by the Chinese state, consistent with the operational model exposed in the 2024 i-Soon leaks. The targeting aligns directly with Chinese government strategic intelligence priorities including geopolitical surveillance, NATO defense capability assessment, and monitoring of ethnic and political diaspora communities.

Defenders should patch all internet-facing Microsoft Exchange and IIS servers now, but patching does not remove web shells that are already in place: hunt the IIS web roots and logs for Godzilla web shells, monitor for DLL sideloading (a signed executable loading a DLL from its own directory) and for IOX and GOST tunneling artifacts, and audit OAuth consent grants for unexpected third-party applications holding mailbox or file scopes. Given dwell times of up to eight months, organizations that were exposed may already be compromised without knowing it, so proactive threat hunting is essential.
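One way to hunt for the DLL sideloading described in the attack chain and in the recommendations above, as an added example that is not code from the report: it scores Sysmon Event ID 7 (ImageLoad) records, flagging a DLL that is loaded from the process's own directory, outside Windows or Program Files, carries the name of a library that normally resolves from System32, and is unsigned or signed by someone other than Microsoft. The event records are constructed to mirror Sysmon's ImageLoad fields, and the directory list, DLL-name list and threshold are assumptions.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example, not code from the Trend Micro report. The event dicts are
constructed to mirror Sysmon ImageLoad fields; the trusted directory list,
the system DLL name list and the scoring threshold are assumptions.
"""
import ntpath  # Windows path semantics regardless of the analysis host

# Assumed: roots where a signed vendor executable is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed: DLL names that normally resolve from System32 and are classic sideload targets.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll",
               "userenv.dll", "dbghelp.dll", "secur32.dll"}
MS_SIGNERS = ("microsoft windows", "microsoft corporation")

EVENTS = [  # constructed Sysmon ID 7 records (Image = process, ImageLoaded = DLL)
    {"Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": "C:\\ProgramData\\Intel\\Updater\\updater.exe",
     "ImageLoaded": "C:\\ProgramData\\Intel\\Updater\\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll",
     "Signed": "true", "Signature": "Vendor Ltd", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\Public\\Libraries\\render.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\dwmapi.dll",
     "Signed": "true", "Signature": "Some Co", "SignatureStatus": "Valid"},
]


def sideload_reasons(ev):
    """Return the sideloading indicators present in one ImageLoad record."""
    image, loaded = ev["Image"].lower(), ev["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    reasons = []
    if ntpath.dirname(image) == ntpath.dirname(loaded):
        reasons.append("dll loaded from the process's own directory")
    if not image.startswith(TRUSTED_ROOTS):
        reasons.append("process runs outside Windows/Program Files")
    if name in SYSTEM_DLLS and not loaded.startswith("c:\\windows\\"):
        reasons.append(f"{name} resolved outside the Windows directory")
    signed_ok = ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid"
    if not signed_ok:
        reasons.append("dll unsigned or signature invalid")
    elif name in SYSTEM_DLLS and not ev.get("Signature", "").lower().startswith(MS_SIGNERS):
        reasons.append("system dll name signed by a non-Microsoft publisher")
    return reasons


def flag_sideloads(events, threshold=3):
    """Return (process, dll, reasons) for records scoring at or above the threshold."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if len(reasons) >= threshold:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for proc, dll, reasons in flag_sideloads(EVENTS):
        print(proc, "<-", dll)
        for reason in reasons:
            print("   -", reason)
```

Event ID 7 carries the signature of the loaded DLL, not of the process, so confirm that the host executable really is a vendor-signed binary from the matching Event ID 1 record or with `Get-AuthenticodeSignature` before treating a hit as sideloading; a signed, out-of-place executable next to an unsigned copy of `version.dll` is the pattern to escalate.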