China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists Using ShadowPad and Noodle RAT
The Hacker News

Google Threat Intelligence Group attributed a campaign by cluster SHADOW-EARTH-053 (UNC6595) to China-linked actors targeting Asian governments, Poland (a NATO state), journalists, and activists. The campaign uses Exchange/IIS exploits and the ShadowPad backdoor, with GLITTER CARP and SEQUIN CARP phishing campaigns against journalists and activists. The group also weaponized React2Shell (CVE-2025-55182) to distribute the Linux Noodle RAT, expanding Chinese state-sponsored espionage to Linux targets.