PROBABLYPWNED
Threat Intelligence | May 3, 2026 | 4 min read

China-Linked APT Clusters Hit 8 Countries Including NATO State

SHADOW-EARTH-053, SHADOW-EARTH-054, GLITTER CARP, and SEQUIN CARP target governments, journalists, and activists across Pakistan, Thailand, Poland, and five other nations, with ShadowPad as the core backdoor.

Alex Kowalski

Four distinct China-linked threat clusters are conducting coordinated campaigns against government entities, journalists, and civil society activists across eight countries, according to joint research from Trend Micro, Proofpoint, Citizen Lab, and Google Threat Intelligence Group. Poland is the only NATO member targeted, alongside seven Asia-Pacific nations.

The campaigns deploy a familiar toolkit of ShadowPad backdoors, Godzilla web shells, and Noodle RAT variants, but the breadth of targeting and the coordination between clusters suggest that commercial entities hired by the Chinese state may be orchestrating the activity.

The Threat Clusters

SHADOW-EARTH-053: Active since December 2024, this cluster exploits N-day vulnerabilities in Microsoft Exchange and IIS servers, primarily the ProxyLogon chain (the CVE-2021-26855 server-side request forgery chained with the CVE-2021-27065 arbitrary file write, both patched in March 2021). After gaining initial access, operators deploy Godzilla web shells for persistence and load ShadowPad backdoors via DLL sideloading for command and control.

SHADOW-EARTH-054: A related intrusion set targeting overlapping victims, using similar TTPs but distinct infrastructure.

GLITTER CARP: Focused on digital impersonation schemes targeting journalists and civil society members, including Uyghur and Tibetan diaspora communities.

SEQUIN CARP: Conducting separate phishing operations with well-crafted social engineering against activists and dissidents.
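The ShadowPad delivery pattern described for SHADOW-EARTH-053 (a legitimate signed executable dropped somewhere unusual that loads a malicious DLL from beside itself) is the thing an endpoint rule has to catch. The following is an added example, not code from any of the vendors cited, that evaluates Sysmon Event ID 7 (ImageLoaded) records against that shape; the trusted install roots, the list of System32 DLL names, and the sample records are all constructed assumptions for the example.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoaded) records.

Heuristic (an assumption for this example, not a vendor rule): an executable
running from outside the normal install roots that loads a DLL from its own
directory, where that DLL is unsigned or carries the name of a DLL that
normally resolves from System32, matches the ShadowPad side-loading shape.
"""
import json
import ntpath

# Install roots where legitimately deployed software lives. An executable
# running elsewhere (ProgramData, Public, Temp) is treated as relocated.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# DLL names that normally load from System32; resolving one from the
# application directory is the search-order abuse side-loading relies on.
# Illustrative subset (assumption), not an exhaustive list.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "userenv.dll", "profapi.dll",
    "cryptsp.dll", "wininet.dll", "msi.dll", "wtsapi32.dll",
}


def is_relocated(image: str) -> bool:
    """True when the executable runs from outside the trusted install roots."""
    return not image.lower().startswith(TRUSTED_ROOTS)


def is_sideload_candidate(ev: dict) -> bool:
    """Evaluate one Event ID 7 record (Image, ImageLoaded, Signed, SignatureStatus)."""
    image, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
    if not same_dir or not is_relocated(image):
        return False  # DLL came from elsewhere, or the app is still in its install root
    dll_unsigned = (
        str(ev.get("Signed", "false")).lower() != "true"
        or ev.get("SignatureStatus", "") != "Valid"
    )
    system_name = ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES
    return dll_unsigned or system_name


def scan(jsonl: str) -> list:
    """Return (Image, ImageLoaded) pairs flagged across a JSON-lines feed."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_sideload_candidate(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


# Constructed sample records (not real telemetry) in the shape a log shipper
# emits for Sysmon Event ID 7.
SAMPLE_EVENTS = "\n".join([
    # relocated app loading an unsigned version.dll beside itself: hit
    json.dumps({"Image": "C:\\ProgramData\\Update\\vendorapp.exe",
                "ImageLoaded": "C:\\ProgramData\\Update\\version.dll",
                "Signed": "false", "SignatureStatus": "Unavailable"}),
    # signed DLL with a System32 name shipped beside a relocated app: lower-confidence hit
    json.dumps({"Image": "C:\\ProgramData\\Update\\vendorapp.exe",
                "ImageLoaded": "C:\\ProgramData\\Update\\dbghelp.dll",
                "Signed": "true", "SignatureStatus": "Valid"}),
    # properly installed application loading its own signed helper: benign
    json.dumps({"Image": "C:\\Program Files\\Vendor\\app.exe",
                "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
                "Signed": "true", "SignatureStatus": "Valid"}),
    # relocated tool resolving version.dll from System32 as intended: benign
    json.dumps({"Image": "C:\\Users\\Public\\tool\\tool.exe",
                "ImageLoaded": "C:\\Windows\\System32\\version.dll",
                "Signed": "true", "SignatureStatus": "Valid"}),
])

if __name__ == "__main__":
    for image, dll in scan(SAMPLE_EVENTS):
        print(f"side-load candidate: {image} -> {dll}")
```

The name-based rule is intentionally the noisier of the two: some vendors legitimately redistribute Microsoft DLLs such as dbghelp.dll, so in production you would allow-list those by signer and path rather than drop the rule, because an unsigned DLL with a System32 name next to a relocated signed binary is exactly what the page describes.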

Geographic Targeting

The campaigns span two continents:

Asia-Pacific: Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan

Europe: Poland (the sole NATO member targeted)

Trend Micro's research notes the targeting pattern suggests intelligence collection priorities rather than opportunistic access. Government entities in each country appear specifically selected, with journalists and activists targeted for their connections to sensitive topics.

Attack Techniques

SHADOW-EARTH-053 and SHADOW-EARTH-054 rely heavily on web application vulnerabilities for initial access. Once inside, they deploy:

Tunneling tools: IOX, GOST, Wstunnel, and RingQ for maintaining covert communication channels through targeted networks.

Lateral movement: Custom RDP launchers and Sharp-SMBExec for spreading within compromised environments.

Credential access: Mimikatz for harvesting credentials from LSASS memory, which feeds the privilege escalation and lateral movement that follow.

Linux targeting: the Linux variant of Noodle RAT, delivered by exploiting the React2Shell vulnerability (CVE-2025-55182).
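The tunneling tools listed above (IOX, GOST, Wstunnel, RingQ) leave a network-level shape that survives regardless of which tool was used: a server that normally only accepts connections starts initiating sessions to the internet, either one long-lived session or a string of short ones on a timer. The following is an added example, not code from the vendors cited, that applies both checks to Zeek-style connection records; the server inventory, the thresholds, and the connection log are constructed assumptions.

```python
"""Flag tunnel-like outbound sessions from hosts that should not initiate them.

Two signals (thresholds are assumptions for this example, tune per network):
  * a long-lived outbound session from a server to an external address, the
    shape a GOST/Wstunnel/IOX reverse tunnel produces; and
  * a string of short outbound sessions at near-constant intervals, a beacon.
Destination port is deliberately ignored: these tools usually ride 443/TLS.
"""
import ipaddress
import statistics
from collections import defaultdict

# Hosts that accept connections but have no business initiating them to the
# internet (constructed inventory).
SERVER_HOSTS = {"10.0.0.5", "10.0.0.6"}

# RFC 1918 ranges checked explicitly. ipaddress's is_private is also True for
# the documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the
# sample data below, which would hide every "external" destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LONG_SESSION_SECS = 600   # outbound session from a server longer than 10 min
MIN_BEACONS = 5           # sessions needed before judging regularity
MAX_JITTER = 0.2          # stdev/mean of inter-arrival times


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn(text: str) -> list:
    """Parse constructed Zeek-style conn records: ts orig_h orig_p resp_h resp_p proto duration."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, proto, dur = line.split()
        rows.append({"ts": float(ts), "orig_h": oh, "resp_h": rh,
                     "resp_p": int(rp), "proto": proto, "duration": float(dur)})
    return rows


def find_tunnels(rows: list) -> list:
    """Return (orig_h, resp_h, resp_p, reason) for each suspicious outbound flow set."""
    flows = defaultdict(list)
    for r in rows:
        if r["orig_h"] in SERVER_HOSTS and not is_internal(r["resp_h"]):
            flows[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r)
    hits = []
    for key, sessions in flows.items():
        longest = max(s["duration"] for s in sessions)
        if longest >= LONG_SESSION_SECS:
            hits.append(key + (f"long-lived session {longest:.0f}s",))
            continue
        if len(sessions) >= MIN_BEACONS:
            ts = sorted(s["ts"] for s in sessions)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            jitter = statistics.pstdev(gaps) / statistics.mean(gaps)
            if jitter <= MAX_JITTER:
                hits.append(key + (f"beacon every ~{statistics.mean(gaps):.0f}s",))
    return hits


# Constructed connection log (not real traffic). Destinations use the
# documentation address ranges.
SAMPLE_CONN = """# ts orig_h orig_p resp_h resp_p proto duration
1700000000 10.0.0.5 49200 203.0.113.10 443 tcp 7200.0
1700000000 10.0.0.5 49201 198.51.100.7 8443 tcp 1.2
1700000060 10.0.0.5 49202 198.51.100.7 8443 tcp 1.1
1700000119 10.0.0.5 49203 198.51.100.7 8443 tcp 1.3
1700000181 10.0.0.5 49204 198.51.100.7 8443 tcp 1.2
1700000240 10.0.0.5 49205 198.51.100.7 8443 tcp 1.0
1700000000 10.0.0.5 49206 10.0.0.20 1433 tcp 3000.0
1700000000 10.0.1.33 50000 203.0.113.50 443 tcp 30.0
1700000010 10.0.0.6 49300 203.0.113.99 443 tcp 0.5
"""

if __name__ == "__main__":
    for orig_h, resp_h, resp_p, reason in find_tunnels(parse_conn(SAMPLE_CONN)):
        print(f"{orig_h} -> {resp_h}:{resp_p}: {reason}")
```

The long database session from 10.0.0.5 to 10.0.0.20 is ignored because it is internal, and the workstation's browsing is ignored because workstations are expected to initiate outbound traffic; the value of the check comes from the inventory of hosts that should never do so, which is why the server set is the part worth maintaining.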

The phishing clusters—GLITTER CARP and SEQUIN CARP—operate differently, relying on highly targeted social engineering rather than technical exploitation. Proofpoint researchers describe their approach as "well-thought-out digital impersonation schemes" designed to compromise specific individuals rather than achieve broad access.

Civil Society Targeting

The targeting of journalists, activists, and diaspora communities follows patterns documented by Citizen Lab over the past decade. These campaigns aim to identify sources, monitor communications, and potentially intimidate individuals critical of Chinese government policies.

Citizen Lab's involvement in the research indicates the civil society component represents a significant concern beyond the government targeting. Compromised journalist accounts can expose sources and enable follow-on targeting of their contacts.

Connection to Broader Campaigns

This activity coincides with a joint CISA-NCSC advisory on China-nexus covert networks released April 23, 2026. That advisory documented how groups like Volt Typhoon and Flax Typhoon use compromised SOHO routers and IoT devices to build persistent infrastructure for cyber operations.

The SHADOW-EARTH clusters appear to operate differently—compromising enterprise infrastructure directly rather than building covert relay networks—but the simultaneous disclosure suggests coordinated government and vendor intelligence sharing on Chinese cyber activities.

Defensive Recommendations

Organizations in targeted countries should prioritize:

Patch Exchange and IIS: The SHADOW-EARTH clusters rely on N-day bugs, chiefly the ProxyLogon chain that Microsoft patched in March 2021. Ensure Exchange servers are fully patched, and treat any server that was internet-facing while unpatched as possibly already compromised: applying the update does not remove web shells dropped before it.

Monitor for web shells: Godzilla web shell deployment is a consistent pattern. File integrity monitoring on web-accessible directories can detect unauthorized additions.

DLL sideloading detection: ShadowPad delivery via DLL sideloading should trigger endpoint detection rules. Monitor for signed, legitimate applications running from unusual directories that load unexpected or unsigned DLLs from beside their own binary.

Network tunnel detection: Servers that should only accept connections but begin initiating long-lived or regularly timed outbound sessions to external hosts, the traffic shape GOST, Wstunnel and similar tunnelers produce, indicate potential compromise. These tools commonly ride on 443 over TLS, so port-based filtering alone will not catch them.
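The web shell recommendation above comes down to knowing what the web root looked like before and noticing what changed. The following is an added example, not code from the vendors cited, of the baseline-and-diff check on web-accessible directories: it hashes every file under a web root, compares a later snapshot against that baseline, and escalates any new or changed file with an extension the server would execute. The web root, its contents, and the script extension list are constructed for the example; the aspnet_client and owa\auth subdirectories are used because Microsoft named them as ProxyLogon web shell drop locations in 2021.

```python
"""Baseline-and-diff integrity check for web-accessible directories.

Hashes every file under a web root, then compares a later snapshot against
that baseline and reports additions, modifications and removals, escalating
anything new or changed that IIS/ASP.NET would execute. The web root and
its files are constructed in a temporary directory for the example.
"""
import hashlib
import os
import tempfile

# Extensions the web server will execute; a new file with one of these is
# the highest-priority finding. Illustrative list (assumption).
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp", ".jspx"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file path (relative to root) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def diff(baseline: dict, current: dict) -> dict:
    """Return new, modified and removed paths, plus the subset the server would execute."""
    new = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    executable = [p for p in new + modified
                  if os.path.splitext(p)[1].lower() in SCRIPT_EXTS]
    return {"new": new, "modified": modified, "removed": removed, "executable": executable}


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate a drop, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "aspnet_client"))
        os.makedirs(os.path.join(root, "owa", "auth"))
        with open(os.path.join(root, "owa", "auth", "logon.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %> legitimate logon page\n')
        with open(os.path.join(root, "owa", "auth", "logo.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n")
        baseline = snapshot(root)

        # Post-compromise changes (constructed): a new script dropped beside
        # the legitimate pages, and an existing page altered. The content is
        # a placeholder, not a real web shell.
        with open(os.path.join(root, "aspnet_client", "help.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %> constructed placeholder\n')
        with open(os.path.join(root, "owa", "auth", "logon.aspx"), "a") as f:
            f.write("<!-- appended -->\n")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        for p in paths:
            print(f"{category}: {p}")
```

In practice the baseline is taken at deployment time and stored off the server, and the snapshot runs on a schedule and after every patch; a modified existing .aspx page matters as much as a new one, since appending a handler to a legitimate page is a common way to hide a shell in plain sight.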

For civil society organizations, the phishing email examples guide provides training material for recognizing sophisticated social engineering. These campaigns succeed because the impersonation is convincing—often appearing to come from trusted colleagues or organizations.

Why This Matters

The coordination between four clusters across eight countries represents significant operational scope. While individual APT campaigns are routine, the breadth suggests either centralized tasking or commercial operators providing access-as-a-service to Chinese intelligence requirements.

Poland's inclusion as the sole NATO target raises questions about whether European expansion of these campaigns is imminent or whether Poland represents a specific intelligence priority related to its role in supporting Ukraine.

For targeted organizations, assume these groups have patience and resources. Detection often comes months after initial compromise, by which time significant data exfiltration may have occurred.
