HIGH · Cyber Intelligence · Tuesday, May 5, 2026

China-aligned group exploits Exchange, IIS flaws across Asian governments

Trend Micro tracks Shadow-Earth-053 campaign targeting defense and critical infrastructure sectors with known Microsoft vulnerabilities in ongoing espionage operation.

A China-aligned threat actor is conducting a sustained cyberespionage campaign against government, defense, and critical infrastructure targets across Asia, exploiting known vulnerabilities in Microsoft Exchange and Internet Information Services (IIS) platforms. Trend Micro researchers have designated the operation Shadow-Earth-053.

The campaign leverages publicly disclosed flaws in widely deployed enterprise systems to gain initial access. Exchange servers, which handle email and collaboration for many government and corporate networks, remain a persistent attack surface when patch cycles lag. IIS, Microsoft's web server platform, is similarly ubiquitous in enterprise environments. The targeting pattern—government ministries, defense contractors, and operators of essential services—indicates intelligence collection rather than financial motive.

The operation reflects a familiar pattern: state-aligned actors exploiting the gap between vulnerability disclosure and organizational remediation. Trend Micro's attribution to a China-aligned cluster is based on tactics, infrastructure, and targeting priorities consistent with previous campaigns linked to Beijing's strategic intelligence requirements. The focus on Asian nations aligns with regional geopolitical competition and China's long-documented interest in defense technology and critical infrastructure mapping.

Implications
  • 01 Asian government and defense entities face elevated risk of data exfiltration and persistent network access.
  • 02 Critical infrastructure operators must audit Exchange and IIS patch status immediately.
  • 03 Intelligence services should review Shadow-Earth-053 indicators for retrospective compromise detection.
  • 04 Vendors supporting targeted sectors should expect increased scrutiny of supply chain security.
Source
Industrial Cyber
https://industrialcyber.co/ransomware/shadow-earth-053-targets-asian-government-defense-critical-infrastructure-via-exchange-and-iis-vulnerabilities/
Brief is editorial commentary by Atlas Intelligence based on the cited public reporting. Atlas does not reproduce source text. Verify primary source before action.
#china #cyberespionage #microsoft exchange #iis vulnerabilities #critical infrastructure #trend micro