Trend Micro disclosed a China-linked espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, plus one NATO member state. The threat cluster, designated SHADOW-EARTH-053, conducted operations against diplomatic institutions and defense ministries, as well as journalists and activists in the region.

Researchers identified the group's use of custom malware and exploitation techniques tailored to regional targets. The campaign demonstrates persistent targeting of geopolitically sensitive entities, with attackers focusing on intelligence collection rather than financial gain or operational disruption.

Defenders in affected regions should prioritize monitoring for SHADOW-EARTH-053 indicators of compromise across diplomatic and defense networks. Organizations handling sensitive government communications face elevated risk. Patch management for known vulnerabilities remains critical, as state-sponsored groups routinely exploit unpatched systems to establish persistence.

The targeting of journalists and activists alongside government entities suggests the operation aims to suppress dissent and collect intelligence on civil society organizations critical of Beijing. This pattern aligns with known Chinese espionage objectives in the Asia-Pacific region.

Trend Micro released technical indicators and recommended immediate threat hunting in government and defense environments. Agencies should assume compromise and conduct forensic analysis of network traffic and endpoint logs dating back several months.