China-Linked Hackers Target Asian Governments and NATO State

Cybersecurity researchers have uncovered a new espionage campaign linked to China, targeting government and defense sectors across South, East, and Southeast Asia, as well as one European government belonging to NATO.

The activity has been attributed by security firm Trend Micro to a threat cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to be aligned with Chinese strategic interests, focusing on intelligence gathering from high-value political and military targets.

Campaign Scope and Targets

According to Trend Micro’s analysis, the campaign primarily targets government networks in multiple Asian nations, alongside a NATO member state in Europe. The attacks also extend to journalists, activists, and think tanks involved in policy discussions related to China.

The researchers noted that the group employs sophisticated phishing techniques and custom malware to compromise systems. Victims are often lured through spear-phishing emails that appear to come from trusted sources, including diplomatic contacts or regional news organizations.

Once inside a network, the attackers deploy a backdoor known as STAYSHINE, which provides persistent remote access. The malware is capable of exfiltrating documents, keystroke logging, and capturing screenshots without raising immediate suspicion.

Technical Methods and Attribution

Trend Micro’s report highlights the use of living-off-the-land techniques, where attackers use legitimate system tools to avoid detection. This approach makes it harder for security teams to distinguish malicious activity from normal administrative tasks.

The SHADOW-EARTH-053 cluster shares some infrastructure and tactics with previously documented China-linked groups, but researchers assess it as a distinct entity. The group’s operational security and targeting focus indicate a state-sponsored or state-adjacent relationship.

Targets include ministries of foreign affairs, defense departments, and technology regulators across Southeast Asia. In Europe, the NATO member state targeted has not been named publicly, but researchers suggested the intrusion was aimed at gathering intelligence on alliance defense planning.

Targeting of Civil Society

In addition to government networks, the campaign has specifically targeted civil society actors. Journalists covering technology policy and human rights, as well as activists involved in cross-strait relations, have been identified as victims.

Trend Micro warned that the targeting of non-governmental organizations indicates a broad intelligence collection mandate. The attackers appear interested in tracking policy debates, diplomatic negotiations, and public opposition to Chinese initiatives in the region.

The report also noted that some targets received malicious documents disguised as invitations to international conferences or academic seminars. These documents, once opened, installed surveillance tools onto the victim’s machine.

Implications for Cybersecurity

The disclosure of SHADOW-EARTH-053 underscores the persistent threat posed by state-aligned hacking groups to both sovereign governments and civil society. The campaign demonstrates how adversaries adapt their methods to blend into normal network traffic and avoid triggering alarms.

Security teams in affected regions are advised to review their detection rules for living-off-the-land techniques and to implement multi-factor authentication for all external-facing accounts. Trend Micro has released indicators of compromise to help organizations identify possible infections.

Governments in South, East, and Southeast Asia have been increasing their cybersecurity cooperation in recent years, but the speed and sophistication of these attacks often outpace defensive measures. The targeting of a NATO member also highlights the global reach of such campaigns beyond the immediate Asia-Pacific theater.

As of now, no official statements have been issued by the targeted governments or by Chinese authorities in response to the report. Trend Micro indicated that its investigation is ongoing and that additional victim organizations may be identified in the coming weeks.

Source: GeekWire