Shadow-Earth-053: Trend Micro Confirms China Spy Group Targets Journalists and Activists Alongside Governments and Defense

Trend Micro publishes full technical attribution of Shadow-Earth-053 — confirming the China-linked group targets journalists and civil society activists alongside governments and defense sectors across Asia and one NATO member state.


Trend Micro has published full technical attribution linking Shadow-Earth-053 to a broader China-state espionage campaign targeting governments, defense sectors, journalists, and activists across South, East, and Southeast Asia and one NATO member state — revealing new tooling, new targets, and connections to three other tracked threat clusters.

WASHINGTON, D.C. / SINGAPORE — Trend Micro has released comprehensive technical attribution of SHADOW-EARTH-053, the China-aligned threat cluster first disclosed by TrendAI in an exclusive to The Register last week. The full research confirms active intrusions since at least December 2024 across government and defense sectors in South, East, and Southeast Asia, and one European NATO member state — and reveals that the group's targeting extends significantly beyond government and defense to include journalists and civil society activists. Trend Micro assesses with medium confidence that commercial entities hired by the Chinese state may be behind both tracked clusters of activity, consistent with China's documented use of contracted hacking firms.


Updated Threat Profile

Updated Threat Intelligence: SHADOW-EARTH-053 — Full Trend Micro Attribution

Group Designation: SHADOW-EARTH-053 — tracked by Trend Micro; overlaps with CL-STA-0049, Earth Alux, REF7707
Active Since: At least December 2024 — ongoing through April/May 2026
Confirmed Target Regions: South Asia, East Asia, Southeast Asia — government, defense, tech, transport; one European NATO member
New Target Categories: Journalists and civil society activists — disclosed in full Trend Micro report
Primary Entry Vector: N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers
Primary Backdoor: ShadowPad — deployed via AnyDesk using DLL side-loading after extended dwell time
Linux Backdoor: Noodle RAT (ANGRYREBEL/Nood RAT) — deployed via React2Shell CVE-2025-55182 exploitation
Evasion Tools: RingQ packer; IOX, GOST, and Wstunnel tunneling tools; Mimikatz for privilege escalation
Lateral Movement: Custom RDP launcher; Sharp-SMBExec (C# implementation of SMBExec)

New technical depth: the full attack chain

Trend Micro's research reveals a significantly more detailed attack chain than the initial TrendAI disclosure. Initial access comes via N-day vulnerabilities in internet-facing IIS and Exchange servers. Once inside, the group uses open-source tunneling tools — IOX, GO Simple Tunnel (GOST), and Wstunnel — to establish covert communication channels. Privilege escalation uses Mimikatz, the well-known credential dumping tool. Lateral movement employs a custom RDP launcher and Sharp-SMBExec, a C# implementation of SMBExec that allows pass-the-hash and pass-the-ticket attacks without dropping traditional tooling. ShadowPad is the primary final-stage backdoor, deployed via AnyDesk using DLL side-loading after an extended dwell period. In at least one case, exploitation of CVE-2025-55182 (React2Shell) facilitated deployment of Linux Noodle RAT — confirming the group targets Linux infrastructure, not just Windows environments. Google Threat Intelligence Group has separately linked this specific attack chain to a tracked group called UNC6595.

Journalists and activists as targets

The most strategically significant new disclosure in the Trend Micro report is the confirmation that SHADOW-EARTH-053 targets journalists and civil society activists alongside government and defense sectors. This is a defining characteristic of Chinese state intelligence collection — the simultaneous targeting of official government targets and civil society surveillance targets. Journalists covering China, Taiwan, Hong Kong, or Xinjiang, and activists associated with Uyghur, Tibetan, or pro-democracy causes in the target countries, are explicitly within scope. This elevates the human rights dimension of this campaign significantly beyond a typical government espionage operation.

Connected clusters: CL-STA-0049, Earth Alux, REF7707

Trend Micro identified network infrastructure overlap between SHADOW-EARTH-053 and three other tracked threat clusters: CL-STA-0049 (Trend Micro), Earth Alux (Trend Micro), and REF7707 (Secureworks). These overlaps — shared IP ranges, command-and-control infrastructure, and tooling commonalities — suggest either a shared operational support structure or a common contractor providing infrastructure to multiple groups. The medium-confidence assessment that commercial contractors hired by the Chinese state may be behind these clusters is consistent with the documented use of firms like I-Soon (Anxun Information Technology), exposed in a 2024 leak, as Chinese intelligence contractors conducting espionage operations for hire. For broader context on how advanced persistent threats operate, and for full nation-state cyber threat coverage, see The CyberSignal's ongoing reporting; our original Shadow-Earth-053 disclosure is listed under Sources below.

What to do now

Organizations in South, East, and Southeast Asia in government, defense, technology, and transportation sectors should treat IIS and Exchange server patching as an emergency priority — all known N-days are documented by Trend Micro and CISA. Hunt for IOX, GOST, and Wstunnel tunneling activity in network logs. Audit AnyDesk deployments — the legitimate remote access tool is being abused for DLL side-loading. Detect Mimikatz activity via memory signatures and LSASS access alerts. Journalists and activists covering China-sensitive topics should operate on the assumption that their devices and communications may be targeted and seek support from organizations like Access Now's Digital Security Helpline.
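The hunting steps above can be turned into a small triage script. The following is an added example written for this article, not code from Trend Micro or from the report; it runs three checks over constructed Sysmon-style events: tunneling-tool execution (by file name or the PE's OriginalFileName, since binaries are often renamed), an unsigned DLL loaded by AnyDesk from its own directory rather than a system directory (the usual shape of DLL side-loading), and any handle opened to lsass.exe by a process outside a small allowlist. The binary names, the trusted-directory list, the LSASS allowlist and the sample events are all assumptions to be tuned to your own estate; the event IDs and field names are those Sysmon emits.

```python
"""Added example: triage of Sysmon-style events for three behaviours the report
names (tunneling tools, AnyDesk DLL side-loading, LSASS access). Field names
follow Sysmon's ProcessCreate (1), ImageLoad (7) and ProcessAccess (10) events;
the baselines below are assumptions to tune per environment."""
import json

# Binary names of the tunneling tools named in the report. Attackers often rename
# binaries, so the check also consults Sysmon's OriginalFileName (from the PE header).
TUNNEL_TOOL_NAMES = {"iox.exe", "gost.exe", "wstunnel.exe"}

# Directories Windows normally serves system DLLs from; loads from here are not side-loads.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Processes that legitimately open LSASS (assumed starting allowlist; extend per estate).
LSASS_ALLOWED_SOURCES = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\csrss.exe",
}


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _dir(path):
    """Lower-cased directory component of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def check_process_create(ev):
    """Event 1: flag known tunneling tools by file name or original PE name."""
    names = {_base(ev.get("Image", "")), ev.get("OriginalFileName", "").lower()}
    hit = names & TUNNEL_TOOL_NAMES
    if hit:
        return ("tunneling-tool", f"{ev['Image']} ({', '.join(sorted(hit))})")
    return None


def check_image_load(ev):
    """Event 7: AnyDesk loading an unsigned DLL from its own directory rather than
    a system directory is the classic DLL side-loading shape."""
    host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if _base(host) != "anydesk.exe" or dll.lower().startswith(TRUSTED_DLL_DIRS):
        return None
    signed = str(ev.get("Signed", "false")).lower() == "true"
    if _dir(dll) == _dir(host) and not signed:
        return ("anydesk-sideload", f"{host} loaded unsigned {dll}")
    return None


def check_process_access(ev):
    """Event 10: any handle to lsass.exe from a process outside the allowlist."""
    if _base(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    src = ev.get("SourceImage", "").lower()
    if src in LSASS_ALLOWED_SOURCES:
        return None
    return ("lsass-access", f"{src} opened lsass.exe with {ev.get('GrantedAccess')}")


CHECKS = {1: check_process_create, 7: check_image_load, 10: check_process_access}


def hunt(events):
    """Run every applicable check; return a list of (rule, detail) findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


def hunt_jsonl(text):
    """Convenience wrapper for JSON-lines exports (one event object per line)."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample events (not real telemetry): one positive and one benign per check.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "wstunnel.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": 7, "Image": r"C:\Users\Public\AnyDesk\AnyDesk.exe",
     "ImageLoaded": r"C:\Users\Public\AnyDesk\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed events it reports three findings, one per rule, and stays silent on the three benign events. The side-loading check deliberately keys on where the DLL lives rather than on a particular DLL name, because the name is chosen by the attacker while the loading behaviour is fixed by how the host binary resolves imports; the LSASS check likewise flags any non-allowlisted source rather than a specific access mask, so tune the allowlist before relying on it for alerting.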


The CyberSignal Analysis

Signal 01 — Journalist and activist targeting changes the threat calculus

When a China-linked espionage campaign targets government networks, the defensive response is clearly scoped to government and enterprise security teams. When the same campaign explicitly targets journalists and civil society activists, the defensive population expands to include individuals who typically have far fewer security resources and far less awareness of being targeted. The Trend Micro confirmation that SHADOW-EARTH-053 targets civil society alongside government is not a footnote — it is a primary finding that changes who needs to be warned and protected.

Signal 02 — Contractor attribution signals China's persistent infrastructure model

Trend Micro's medium-confidence assessment that commercial contractors hired by the Chinese state may be behind these clusters is significant. The I-Soon leak in 2024 established that China's intelligence agencies routinely task private hacking firms — which maintain their own tools, infrastructure, and operator pools — with espionage operations. If SHADOW-EARTH-053 is contractor-operated, that explains both the infrastructure overlaps with other clusters (shared contractor support) and the broad geographic scope (contractors take multiple state contracts simultaneously).

Signal 03 — The IIS attack surface is chronically underdefended

SHADOW-EARTH-053's primary entry vector — N-day vulnerabilities in internet-facing IIS servers — reflects a persistent gap in enterprise security posture across Asia. IIS is widely deployed in government environments across the region, often running outdated versions without consistent patch management. This is not a zero-day problem. Every vulnerability SHADOW-EARTH-053 exploited was known and patchable. The problem is the implementation gap between known vulnerability and applied patch — the same gap the FBI cited in Operation Winter SHIELD as the primary cause of most breaches they investigate.


Sources

Primary Research: The Hacker News, "China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists"
Prior Coverage: The Register, "Novel China-Linked Group Infiltrates Critical Networks in Poland and Asia"
Related: The CyberSignal, "Shadow-Earth-053 Original Disclosure — Poland and Asia"