China-Linked Hackers Target Asian Governments & NATO State

A sophisticated cyber-espionage campaign linked to China has been uncovered, targeting government and defence agencies across South, East, and Southeast Asia — plus one European country that is a member of NATO. Researchers have also found that journalists and activists are being targeted in the same operation. This isn’t just a story about governments and spies — it’s a reminder that digital surveillance campaigns can affect everyday people, including anyone who communicates with officials, works in sensitive industries, or speaks out on political issues.

What Is This Espionage Campaign and Who Is Behind It?

According to The Hacker News — a cybersecurity news platform followed by over 1.2 million people on LinkedIn — cybersecurity firm Trend Micro has identified and documented this new wave of targeted attacks. Trend Micro is tracking the group behind these attacks under the temporary name SHADOW-EARTH-053, a designation used until a more permanent label is assigned as the investigation develops.

The group is assessed to be aligned with Chinese state interests, though Trend Micro has not directly attributed the attacks to any specific government agency. What is clear is that this is not random or opportunistic hacking — it is a deliberate, well-funded intelligence-gathering operation aimed at specific targets across multiple countries and sectors.

The China-linked hackers espionage campaign uses a combination of custom malware, phishing emails, and legitimate-looking software to quietly gain access to systems — and then stay hidden for as long as possible. The goal is to steal sensitive information: government communications, defence plans, personal data of journalists, and contact lists of activists.

Who Is Being Targeted and Why Does It Matter?

The targets span a wide geography. Governments and defence organisations in South Asia (which includes India, Pakistan, Bangladesh, and Sri Lanka), East Asia (including Japan, South Korea, and Taiwan), and Southeast Asia (countries like Thailand, Vietnam, Malaysia, and Indonesia) have all been identified as targets. One unnamed NATO member government in Europe is also in the crosshairs.

Beyond governments, the campaign is going after journalists and activists — people who investigate, report on, or openly criticise policies connected to Chinese interests in the region. This is a pattern that has been seen in previous China-linked espionage operations and it is deeply concerning because it shows the reach of these campaigns goes far beyond official government buildings.

If you live in India, the UAE, Saudi Arabia, the UK, or the USA and you work in any of the following areas — journalism, civil society, international trade, government contracting, defence supply chains, or academic research related to Asia — this campaign is relevant to you. You may not be a direct target, but anyone in your contact list or email chain with someone who is targeted could inadvertently become part of the attack path.

India in particular is worth highlighting. As a major regional power with ongoing border tensions with China, and with a huge IT and government services sector, India has historically been one of the most frequently targeted countries in China-linked hackers espionage campaigns tracked by global cybersecurity firms.

How Do These Attacks Actually Work?

Understanding the method helps you protect yourself. Here is how campaigns like this typically operate, based on Trend Micro’s findings and prior similar operations:

• Spear-phishing emails: The hackers send highly personalised emails that look like they come from a trusted colleague, a government body, or a news organisation. These emails contain either a malicious attachment or a link to a fake but convincing website.
• Custom malware: Once someone clicks the link or opens the file, a piece of malware installs itself silently. This malware can record keystrokes, take screenshots, access files, and even turn on a device’s microphone or camera.
• Living off the land: The hackers also use legitimate tools already present on the victim’s computer — like Windows administration tools — to avoid triggering security alerts. This makes detection extremely difficult.
• Long-term persistence: The goal is not a smash-and-grab. These attackers want to stay inside a system for months or years, quietly collecting intelligence without being noticed.
• Targeting supply chains: If a direct target is too well-defended, hackers go after a vendor, contractor, or journalist who regularly communicates with that target — and use that access as a stepping stone.

This is exactly the kind of operation that Trend Micro and other researchers track closely. As reported by The Hacker News, Trend Micro’s analysis of SHADOW-EARTH-053 reveals a technically capable group that adapts quickly and reuses infrastructure across multiple campaigns.

5 Things You Can Do Right Now to Protect Yourself

Whether you work in government, media, activism, or simply care about your digital safety, these steps will meaningfully reduce your risk. For more detailed guidance, visit our how-to guides.

1. Turn on two-factor authentication (2FA) on every account. Even if a hacker gets your password through a phishing email, 2FA means they still cannot get into your account without a second code sent to your phone or generated by an app like Google Authenticator.
2. Think before you click any email link or attachment. If you receive an unexpected email — even from someone you know — and it asks you to open a file or click a link, verify with that person directly via a separate channel (like a phone call) before you do anything. Phishing is the number one entry point for campaigns like this.
3. Keep your devices and software updated. Many of the tools these hackers use exploit known security holes in outdated software. Turning on automatic updates for your operating system, browser, and all apps closes those doors quickly.
4. Use a reputable VPN, especially on public Wi-Fi. A VPN encrypts your internet traffic, making it much harder for anyone to intercept what you are doing online. This is especially important if you travel, work remotely, or regularly use café or hotel Wi-Fi.
5. Review your email and social media privacy settings. Make sure your professional email and LinkedIn profile do not publicly reveal your employer, your role in sensitive sectors, or your contact information in ways that make it easy for hackers to build a targeting profile on you.
6. Use end-to-end encrypted messaging apps. For sensitive conversations — especially if you are a journalist, activist, or work near government or defence — use apps like Signal instead of regular SMS or WhatsApp for the most sensitive exchanges.
7. Report suspicious emails to your IT team immediately. If you work for a company or government organisation and receive a suspicious email, do not delete it — report it. Security teams can use that information to protect the entire organisation.

Bottom Line

China-linked hackers espionage campaigns are growing in scope and sophistication, and this latest operation — uncovered by Trend Micro and reported by The Hacker News — shows that journalists, activists, and government-adjacent workers are just as much in the firing line as officials themselves. The good news is that basic digital hygiene — strong passwords, 2FA, and careful clicking — stops the vast majority of these attacks before they start. Stay alert, stay updated, and take five minutes today to check your account security settings.