On May 1, cybersecurity researchers at Trend Micro disclosed a previously undocumented China-aligned espionage campaign that has infiltrated government and defense networks across much of Asia. Tracked as Shadow-Earth-053, the operation has been active since at least December 2024 and has targeted ministries and contractors in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka and Taiwan, and in European NATO member Poland, as well as journalists and activists in the diaspora.
What sets this campaign apart from most other China-aligned cyber operations is its dual focus: one track continues traditional intelligence collection against Asian governments and defense entities, while a parallel track, related to the business groups known as Glitter Carp and Sequin Carp, used highly targeted phishing to monitor and silence Uyghur, Tibetan, Taiwanese and Hong Kong critics, as well as investigative journalists. These phishing operations relied on spoofed emails impersonating known individuals or security alerts from technology companies, embedding 1×1 tracking pixels – invisible images that alert the sender when the email has been opened and reveal the recipient’s device and approximate location – before directing victims to credential collection pages.
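As an added illustration (not taken from Trend Micro's report or from this article), the Python sketch below shows how a mail-filtering step could flag the 1×1 remote images described above. The sample message, its hosts and the function and class names are constructed for the example.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: sender, hosts and URLs are made up for illustration.
SAMPLE_EML = """\
From: "Security Team" <alerts@example.test>
To: reporter@example.org
Subject: Unusual sign-in activity
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.test/logo.png" width="120" height="40">
<p>We noticed a new sign-in. <a href="https://login.example.test/verify">Review</a></p>
<img src="https://t.example.test/o.gif?id=abc123" width="1" height="1">
<img src="https://t.example.test/p.gif?id=abc123" style="width:1px;height:1px">
</body></html>
"""

# Matches an inline-style width or height of 0 or 1 (optionally in px).
TINY_STYLE = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # embedded (cid:/data:) images trigger no remote request
        tiny_attr = all(a.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
        tiny_style = len(TINY_STYLE.findall(a.get("style", ""))) >= 2
        if tiny_attr or tiny_style:
            self.hits.append(src)

def find_tracking_pixels(raw_eml):
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part, so no image tags to inspect
    finder = PixelFinder()
    finder.feed(body.get_content())
    return finder.hits
```

Blocking remote image loading in the mail client prevents the pixel from being fetched at all, whether or not it is detected.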
The main espionage track exploited unpatched, internet-accessible Microsoft Exchange and IIS servers, including through ProxyLogon vulnerabilities. After gaining initial access, the attackers installed custom backdoors on the compromised servers, then implanted sophisticated long-term spying malware, often hiding it in files that appeared entirely legitimate. In one case, they exploited a previously unknown vulnerability to deploy a remote access tool on Linux systems. In parallel, two related phishing campaigns, Glitter Carp and Sequin Carp, began in April and June 2025, respectively. These campaigns aimed to steal third-party email IDs or access tokens from their targets.
The entire operation is attributed to China-aligned actors, with possible involvement of commercial contractors working on behalf of Chinese intelligence priorities. The campaign shares network infrastructure that overlaps with previously tracked clusters and is part of a well-documented China-aligned business model that mixes conventional state espionage with systematic transnational repression. Nearly half of its targets were also hit by a related operation called Shadow-Earth-054, suggesting overlap or coordination of Chinese intelligence priorities across multiple clusters.
Among governments affected by Shadow-Earth-053, cyber defenses remain collectively modest and unequal. But this may be of less and less importance to Chinese cyber operations. The revelation of the campaign came just days after Dutch military intelligence reported that China, thanks to rapid progress in its offensive cyber capabilities in recent years, has reached parity with the United States.
If this assessment is correct, it would mean that China has achieved a central strategic goal set by President Xi Jinping, who since 2014 has made building China into a “cyber superpower” a core national priority – an ambition widely understood to aim at achieving parity with, or even surpassing, the United States in cyberspace. This rapid progress has been driven by a sustained increase in defense spending and major structural reforms. China’s defense budget for 2026 rose 7 percent to around $275 billion, with explicit funding allocated for cyber capabilities as part of military modernization.
Beijing has gradually professionalized and centralized its military cyber forces over the past decade. In 2015, as part of Xi Jinping’s major program of People’s Liberation Army (PLA) reforms, China created the Strategic Support Force, which, for the first time, brought together cybersecurity, electronic warfare and space capabilities under a single command. In 2024, China undertook another major military reorganization: it dissolved the Strategic Support Force and created a dedicated Cyberspace Force, enabling faster adaptation of tools and infrastructure throughout 2025.
The new structure eliminated bureaucratic overlap between cybersecurity, space and electronic warfare units, allowing for more agile decision-making and resource allocation. It also centralized control of offensive cyber operations under a single command. With sustained investment and a fully mature ecosystem of contractors and researchers, this reorganization accelerated the development and deployment of modular anti-malware toolkits. As a result, China-linked actors have doubled their exploitation of zero-day vulnerabilities and significantly increased targeting of edge devices such as routers, firewalls and VPNs. The U.S. Intelligence Community’s Annual Threat Assessment for 2026 confirmed that China remains the most active and persistent cyber threat to the U.S. government, private sector, and critical infrastructure networks.
The possible involvement of commercial contractors adds another level of flexibility: private companies can test new tools and manage their operations while giving Beijing some separation. The result is an effective system that allows China to gather intelligence, exert political pressure and sow friction between its rivals. Indeed, Chinese military writings promote “cognitive domain operations”, the idea that cyber operations should also shape what adversaries think and say. Beijing’s ambition to shape the global information environment is in no way a new strategic priority. By combining classic espionage against governments and defense ministries with aggressive phishing of diaspora activists and journalists, Shadow-Earth-053 shows how China treats foreign criticism as an extension of its domestic security problem.
Parallel attention to diaspora activists and journalists results in transnational digital repression. This is not simply a human rights issue, as it undermines the open information environment that democratic governments rely on to shape public debate and hold authoritarian regimes to account. When Beijing can silence voices abroad through cyberspace, it erodes the soft power of the liberal international order and tests the willingness of host governments to protect residents on their soil.
The campaign is particularly important for Washington’s Indo-Pacific initiatives. India, the cornerstone of the Quad, has been a frequent target – any compromise of its defense ministries could give Beijing a glimpse of possible joint naval exercises, for example.
Targeting a NATO member state, Poland, adds a new level of complexity. The country’s role as the main hub of Western support for Ukraine, through which approximately 90% of military aid shipments pass, as well as Warsaw’s deepening defense links with the Indo-Pacific, makes it a high-value target for Beijing. While the dominant and most common pattern of Chinese cyber activity in Europe has focused on economic espionage or technology theft, reaching into a NATO ally’s government and defense networks is a worrying sign, although not a new phenomenon: earlier cases include the 2023 Chinese breach of a Dutch military network, the 2022 espionage campaign against the Belgian Ministry of Defense and the 2024 compromise of the British Ministry of Defense payroll system.
Shadow-Earth-053 thus illustrates Beijing’s maturing gray zone playbook: an operation that simultaneously provides intelligence, strengthens political control and sows friction within the alliance. As similar campaigns are set to become more frequent, this highlights a major foreign policy challenge: how to deter gray zone cyber operations that gradually erode strategic advantage and democratic norms.
Therefore, effective responses will require more than just patching vulnerabilities. Governments must establish faster, real-time threat-sharing mechanisms across the Quad and NATO, adopt harmonized standards to protect diaspora communities and exiled journalists, and impose tangible costs, through sanctions or diplomatic isolation, on transnational digital repression. Without these measures, Beijing will continue to exploit the lines between espionage, repression and political warfare. Shadow-Earth-053 is therefore more than a technical incident. It shows that cyberspace has become the primary space where great power competition and authoritarian control intersect, and where the rules remain dangerously unstable.
