Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia
On May 1, cybersecurity researchers at Trend Micro disclosed a previously undocumented China-aligned espionage campaign that has infiltrated government and defense networks across much of Asia. Tracked as Shadow-Earth-053, the operation has been active since at least December 2024, and it has targeted ministries and contractors in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, as well as one European NATO member, Poland, along with journalists and diaspora activists.
What distinguishes this campaign from most other China-aligned cyber operations is its dual focus: one track pursued traditional intelligence collection against Asian governments and defense entities, while a parallel track, linked to activity clusters known as Glitter Carp and Sequin Carp, used highly targeted phishing to surveil and silence Uyghur, Tibetan, Taiwanese, and Hong Kong critics, as well as investigative journalists. These phishing operations relied on impersonation emails mimicking known individuals or technology company security alerts, embedding 1×1 tracking pixels – invisible images that notify the sender when the email has been opened and reveal the recipient’s device and approximate location – before directing victims to credential harvesting pages.
[...]
The parallel focus on diaspora activists and journalists results in digital transnational repression. This is not merely a human rights issue, as it undermines the open information environment that democratic governments rely on to shape public debate and hold authoritarian regimes accountable. When Beijing can silence overseas voices through cyber means, it erodes the soft power of the liberal international order and tests the willingness of host governments to protect residents on their soil.
[...]
The targeting of a NATO member state, Poland, adds a new layer of complexity. The country’s role as the main hub for Western support to Ukraine, through which roughly 90 percent of military aid shipments pass, along with Warsaw’s deepening defense ties with the Indo-Pacific, makes it a particularly high-value target for Beijing. While the dominant pattern of Chinese cyber activity in Europe has focused on economic espionage or technology theft, reaching a NATO ally’s government and defense networks is a worrying sign, although not a new phenomenon: earlier cases include the 2023 Chinese breach of a Dutch military network, the 2022 espionage campaign against Belgium’s Ministry of Defense, and the 2024 compromise of the U.K. Ministry of Defense payroll system.
[...]