China Power | Security | East Asia

1 Campaign, 2 Targets: China’s Cyber Operations Hit Asian Governments and Dissidents Abroad

One track pursued traditional intelligence collection against Asian governments and defense entities; the other sought to surveil and silence overseas critics.

On May 1, cybersecurity researchers at Trend Micro disclosed a previously undocumented China-aligned espionage campaign that has infiltrated government and defense networks across much of Asia. Tracked as Shadow-Earth-053, the operation has been active since at least December 2024, and it has targeted ministries and contractors in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, as well as one European NATO member, Poland, along with journalists and diaspora activists.

What distinguishes this campaign from most other China-aligned cyber operations is its dual focus: one track pursued traditional intelligence collection against Asian governments and defense entities, while a parallel track, linked to activity clusters known as Glitter Carp and Sequin Carp, used highly targeted phishing to surveil and silence Uyghur, Tibetan, Taiwanese, and Hong Kong critics, as well as investigative journalists. These phishing operations relied on impersonation emails mimicking known individuals or technology company security alerts, embedding 1×1 tracking pixels – invisible images that notify the sender when the email has been opened and reveal the recipient’s device and approximate location – before directing victims to credential harvesting pages.

The primary espionage track exploited unpatched internet-facing Microsoft Exchange and IIS servers, including the ProxyLogon vulnerabilities. After gaining initial access, the attackers installed custom backdoors on the compromised servers, then planted sophisticated long-term espionage malware, often disguising it inside files that appeared completely legitimate. In one case, they exploited a previously unknown vulnerability to deploy a remote access tool on Linux systems. In parallel, two related phishing campaigns, Glitter Carp and Sequin Carp, began in April and June 2025 respectively. These campaigns focused on stealing email credentials or third-party access tokens from their targets.

The entire operation is being attributed to China-aligned actors, with the possible involvement of commercial contractors working on behalf of Chinese intelligence priorities. The campaign shares network infrastructure overlaps with previously tracked clusters and fits into a well-documented pattern of China-aligned activity that blends conventional state espionage with systematic transnational repression. Nearly half of its targets were also hit by a related operation designated Shadow-Earth-054, suggesting overlapping or coordinated Chinese intelligence priorities across multiple clusters.

Among the governments hit by Shadow-Earth-053, cyber defenses remain collectively modest and uneven. But that may matter less and less for China’s cyber operations. The disclosure of the campaign came mere days after the Netherlands’ military intelligence service reported that, as a result of China rapidly advancing its offensive cyber capabilities in recent years, it has reached parity with the United States. 

If this assessment is accurate, it would mean that China has achieved a central strategic goal set by President Xi Jinping, who since 2014 has made building China into a “cyber superpower” a core national priority – an ambition widely understood as seeking parity with, or even surpassing, the United States in cyberspace. This rapid progress has been driven by sustained increases in defense spending and major structural reforms. China’s 2026 defense budget rose 7 percent to approximately $275 billion, with explicit funding allocated for cyber capabilities as part of military modernization. 

Beijing has steadily professionalized and centralized its military cyber forces over the past decade. In 2015, as part of Xi Jinping’s major reforms to the People’s Liberation Army (PLA), China created the Strategic Support Force, which for the first time brought cyber, electronic warfare, and space capabilities under a single command. In 2024, China undertook another major military reorganization: it dissolved the Strategic Support Force and established a dedicated Cyberspace Force, allowing faster adaptation of tools and infrastructure throughout 2025. 

The new structure eliminated bureaucratic overlap between cyber, space, and electronic warfare........

© The Diplomat