1 Campaign, 2 Targets: China’s Cyber Operations Hit Asian Governments and Dissidents Abroad

One track pursued traditional intelligence collection against Asian governments and defense entities; the other sought to surveil and silence overseas critics.

The Diplomat

On May 1, cybersecurity researchers at Trend Micro disclosed a previously undocumented China-aligned espionage campaign that has infiltrated government and defense networks across much of Asia. Tracked as Shadow-Earth-053, the operation has been active since at least December 2024, and it has targeted ministries and contractors in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, as well as one European NATO member, Poland, along with journalists and diaspora activists.

What distinguishes this campaign from most other China-aligned cyber operations is its dual focus: one track pursued traditional intelligence collection against Asian governments and defense entities, while a parallel track, linked to activity clusters known as Glitter Carp and Sequin Carp, used highly targeted phishing to surveil and silence Uyghur, Tibetan, Taiwanese, and Hong Kong critics, as well as investigative journalists. These phishing operations relied on impersonation emails mimicking known individuals or technology company security alerts, embedding 1×1 tracking pixels – invisible images that notify the sender when the email has been opened and reveal the recipient’s device and approximate location – before directing victims to credential harvesting pages.

The primary espionage track exploited unpatched internet-facing Microsoft Exchange and IIS servers, including the ProxyLogon vulnerabilities. After gaining initial access, the attackers installed custom backdoors on the compromised servers, then planted sophisticated long-term espionage malware, often disguising it inside files that appeared completely legitimate. In one case, they exploited a previously unknown vulnerability to deploy a remote access tool on Linux systems. In parallel, two related phishing campaigns, Glitter Carp and Sequin Carp, began in April and June 2025 respectively. These campaigns focused on stealing email credentials or third-party access tokens from their targets.

The entire operation is being attributed to China-aligned actors, with the possible involvement of commercial contractors working on behalf of Chinese intelligence priorities. The campaign shares network infrastructure overlaps with previously tracked clusters and fits into a well-documented pattern of China-aligned activity that blends conventional state espionage with systematic transnational repression. Nearly half of its targets were also hit by a related operation designated Shadow-Earth-054, suggesting overlapping or coordinated Chinese intelligence priorities across multiple clusters.

Among the governments hit by Shadow-Earth-053, cyber defenses remain collectively modest and uneven. But that may matter less and less for China’s cyber operations. The disclosure of the campaign came mere days after the Netherlands’ military intelligence service reported that, as a result of China rapidly advancing its offensive cyber capabilities in recent years, it has reached parity with the United States. 

If this assessment is accurate, it would mean that China has achieved a central strategic goal set by President Xi Jinping, who since 2014 has made building China into a “cyber superpower” a core national priority – an ambition widely understood as seeking parity with, or even surpassing, the United States in cyberspace. This rapid progress has been driven by sustained increases in defense spending and major structural reforms. China’s 2026 defense budget rose 7 percent to approximately $275 billion, with explicit funding allocated for cyber capabilities as part of military modernization. 

Beijing has steadily professionalized and centralized its military cyber forces over the past decade. In 2015, as part of Xi Jinping’s major reforms to the People’s Liberation Army (PLA), China created the Strategic Support Force, which for the first time brought cyber, electronic warfare, and space capabilities under a single command. In 2024, China undertook another major military reorganization: it dissolved the Strategic Support Force and established a dedicated Cyberspace Force, allowing faster adaptation of tools and infrastructure throughout 2025. 

The new structure eliminated bureaucratic overlap between cyber, space, and electronic warfare units, enabling more agile decision-making and resource allocation. It also centralized control of offensive cyber operations under a single command. Together with sustained investment and a maturing ecosystem of contractors and researchers, this reorganization has accelerated the development and deployment of modular malware toolkits. As a result, China-linked actors have doubled their exploitation of zero-day vulnerabilities and dramatically increased targeting of edge devices such as routers, firewalls, and VPNs. The U.S. Intelligence Community’s 2026 Annual Threat Assessment confirmed that China remains the most active and persistent cyber threat to the U.S. government, private sector, and critical infrastructure networks.

The possible involvement of commercial contractors adds another layer of flexibility: private firms can test new tools and run operations while giving Beijing a degree of separation. The result is an efficient system that lets China gather intelligence, exert political pressure, and sow friction among its rivals. Indeed, Chinese military writings promote “cognitive domain operations,” the idea that cyber operations should also shape what adversaries think and say. Beijing’s ambition to shape the global information environment is by no means a new strategic priority. By pairing classic espionage against governments and defense ministries with aggressive phishing of diaspora activists and journalists, Shadow-Earth-053 shows how China treats overseas critics as an extension of its domestic security problem. 

The parallel focus on diaspora activists and journalists results in digital transnational repression. This is not merely a human rights issue, as it undermines the open information environment that democratic governments rely on to shape public debate and hold authoritarian regimes accountable. When Beijing can silence overseas voices through cyber means, it erodes the soft power of the liberal international order and tests the willingness of host governments to protect residents on their soil. 

The campaign is particularly consequential for Washington’s Indo-Pacific initiatives. India, a cornerstone of the Quad, has been a frequent target – any compromise of its defense ministries could give Beijing insight into joint naval exercises, for example. 

The targeting of a NATO member state, Poland, adds a new layer of complexity. The country’s role as the main hub for Western support to Ukraine, through which roughly 90 percent of military aid shipments pass, along with Warsaw’s deepening defense ties with the Indo-Pacific, makes it a particularly high-value target for Beijing. The most common pattern of Chinese cyber activity in Europe has focused on economic espionage or technology theft. Reaching into a NATO ally’s government and defense networks is not a new phenomenon – earlier cases include the 2023 Chinese breach of a Dutch military network, the 2022 espionage campaign against Belgium’s Ministry of Defense, and the 2024 compromise of the U.K. Ministry of Defense payroll system – but it is a worrying sign.

Shadow-Earth-053 thus exemplifies Beijing’s maturing gray-zone playbook: one operation that simultaneously delivers intelligence, enforces political control, and sows alliance friction. As similar campaigns are bound to become more frequent, it underscores a core foreign policy challenge: how to deter gray-zone cyber operations that steadily erode strategic advantage and democratic norms. 

Consequently, effective responses will require more than patching vulnerabilities. Governments must build faster real-time threat-sharing mechanisms within the Quad and NATO, adopt harmonized standards for protecting diaspora communities and exiled journalists, and impose tangible costs, through sanctions or diplomatic isolation, on digital transnational repression. Without these steps, Beijing will continue to exploit the seams between espionage, repression, and political warfare. Shadow-Earth-053 therefore is more than a technical incident. It underscores that cyberspace has become the primary arena where great-power competition and authoritarian control intersect, and where the rules remain dangerously unsettled.
