ZCyberNews
Threat Intel | High | 2 min read | SHADOW-EARTH-053

China-Linked SHADOW-EARTH-053 Hits Asian Govts, NATO State

Trend Micro tracks SHADOW-EARTH-053 targeting government and defense sectors across Asia and one NATO-aligned European state. The campaign uses custom backdoors and spear-phishing.

Executive Summary

Trend Micro has identified a China-linked espionage campaign, tracked as SHADOW-EARTH-053, targeting government and defense entities across South, East, and Southeast Asia, as well as one European government that is a NATO member state. The campaign relies on spear-phishing emails delivering custom backdoors to exfiltrate sensitive data. No CVEs or specific malware family names were disclosed in the initial report.

Technical Analysis

According to Trend Micro's analysis, SHADOW-EARTH-053 operators use tailored spear-phishing lures that impersonate legitimate government or defense-related communications. The payloads include custom backdoors designed for persistent access and data exfiltration. The group's targeting spans multiple countries in Asia and at least one European NATO member, suggesting a broad intelligence-gathering mandate. Trend Micro has not yet published detailed IOCs or TTPs, but attributes the cluster to Chinese state-sponsored activity based on infrastructure, tradecraft, and targeting patterns. The temporary designation SHADOW-EARTH-053 indicates this is an active investigation with ongoing tracking.

Mitigations & Recommendations

Organizations in government and defense sectors across Asia and NATO member states should review inbound email for suspicious attachments or links, particularly those referencing regional security or diplomatic topics. Deploy email security gateways with sandbox analysis for unknown payloads. Enable endpoint detection and response (EDR) telemetry to identify anomalous process behavior associated with custom backdoors. Network segmentation can limit lateral movement if an initial compromise occurs.
