TL;DR
Three distinct, newly documented China-aligned APT groups were publicly surfaced within two weeks in late April and early May 2026: GopherWhisper (ESET, April 23), SHADOW-EARTH-053 (Trend Micro, May 5), and the GLITTER/SEQUIN CARP pair (Citizen Lab, May 5). Each targets a different vertical (the Mongolian government; defense, government and diplomatic bodies across eight nations, seven in Asia plus Poland; diaspora journalists and activists), but together they show a coherent strategic push by China-nexus intelligence services across the arc from Central Asia to Eastern Europe. The significance is not the timing of the three reports but the operational breadth they expose.
Background: Why Three Groups in Two Weeks?
China's intelligence apparatus does not operate as a monolith. It is a distributed ecosystem of Ministry of State Security (MSS)-affiliated contractors, People's Liberation Army (PLA) units, and third-party "patriotic" hackers, each with distinct targets, tooling, and operational security postures. The pattern we observed in 2022–2024 — a handful of well-known brands like APT41, Volt Typhoon, and Salt Typhoon dominating headlines — masked a deeper proliferation of subordinate and parallel units operating below the noise floor.
Q2 2026 brought three of those subordinate groups into focus at once, almost certainly because independent investigations crossed the disclosure threshold at the same time. What they share matters more than what separates them: abuse of legitimate services (cloud and chat APIs as C2 in GopherWhisper's case, the OAuth consent flow in SEQUIN CARP's), operator evidence consistent with a China-based workforce where such evidence was recoverable (GopherWhisper's message timestamps and workspace locale), and targeting that maps directly onto Beijing's core strategic interests: Central Asian resources, South and Southeast Asian trade corridors, and diaspora suppression globally.
Technical Analysis
GopherWhisper: Go-Native Espionage Over Discord, Slack, and Outlook
Discovered by ESET researchers in January 2025 when an anomalous DLL (whisper.dll) was found on a Mongolian government system, GopherWhisper has been active since at least November 2023. The group is named for its near-exclusive use of Go-language tooling and the .dll filename that surfaced it.
ESET's full disclosure (April 23, 2026) revealed a seven-tool arsenal, all purpose-built:
| Tool | Language | C2 Channel | Primary Function |
|------|----------|------------|-----------------|
| LaxGopher | Go | Slack | Core backdoor; cmd.exe execution, downloads secondary payloads |
| JabGopher | Go | — | Injector; spawns LaxGopher in svchost.exe memory |
| CompactGopher | Go | file.io (REST API) | File collector; filters by extension, AES-CFB-128 encrypts, exfils to file.io |
| RatGopher | Go | Discord | Secondary backdoor; file upload/download via file.io |
| SSLORDoor | C++ | Raw TCP port 443 (OpenSSL BIO) | Drive enumeration, file ops, command execution |
| BoxOfFriends | Go | Microsoft Graph API (Outlook drafts) | Tertiary backdoor; hard-coded credentials; draft-based C2 to evade email inspection |
| FriendDelivery | DLL | — | Loader/injector for BoxOfFriends |
The draft-based C2 channel used by BoxOfFriends deserves emphasis. Rather than sending messages that traverse mail gateways and leave SMTP transaction logs, the implant authenticates to Microsoft Graph with credentials hard-coded in the binary and exchanges tasking and results through the Drafts folder of an attacker-owned Outlook.com mailbox; the operator reads and writes the same drafts from the other side. No mail is ever sent, so a secure email gateway has nothing to inspect, and on the wire the activity is TLS to graph.microsoft.com, a destination almost every enterprise already allows. The technique is not new (it has been reported in earlier campaigns by other actors, APT34/OilRig among them), but it is becoming a template for evading mail-centric controls. The practitioner caveat: the dead-drop mailbox belongs to the attacker, not to the victim tenant, so the victim's Microsoft 365 audit log never records the draft writes. What the victim can observe is the process on the endpoint making Graph and login.live.com connections that no legitimate client on that host would make.
Timestamp analysis of the extracted Slack and Discord messages placed operational hours between 08:00 and 17:00 China Standard Time (UTC+8), and the Slack workspace locale metadata was likewise set to China Standard Time. ESET extracted thousands of messages from attacker-operated Slack workspaces and Discord servers, an intelligence windfall that gave unprecedented insight into GopherWhisper's operational tempo, target volume, and working cadence.
Confirmed infection: 12 systems within one Mongolian governmental institution. Estimated total victims from C2 traffic analysis: dozens more, geolocation and vertical unknown.
Initial access vector: not yet determined. No phishing lures, supply chain artifacts, or public exploit evidence have been tied to GopherWhisper yet.
China attribution confidence: High, on the basis of operator time zone, workspace locale, and the targeting of Mongolia, a geopolitically sensitive neighbor with rare-earth and other mineral wealth that China actively courts and contests.
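The working-hours argument above can be reproduced from raw message timestamps. The following Python is an added example, not ESET's tooling: it takes UTC timestamps (a constructed sample stands in for the real message export), scores every whole-hour UTC offset by the share of messages that fall inside a 08:00 to 17:00 weekday window, and returns the best-fitting offset together with a local-hour histogram for a sanity check. The window and the sample data are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of operator-side chat messages. In a real
# case these come from the message export of the recovered Slack/Discord spaces.
SAMPLE_UTC = [
    "2025-03-03T01:12:00Z", "2025-03-03T02:45:00Z", "2025-03-03T05:30:00Z",
    "2025-03-03T08:10:00Z", "2025-03-04T00:40:00Z", "2025-03-04T03:15:00Z",
    "2025-03-04T06:50:00Z", "2025-03-05T01:05:00Z", "2025-03-05T04:20:00Z",
    "2025-03-05T07:55:00Z", "2025-03-06T02:30:00Z", "2025-03-06T09:00:00Z",
    "2025-03-07T00:15:00Z", "2025-03-07T03:40:00Z", "2025-03-08T02:00:00Z",
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def in_work_window(local: datetime, start: int, end: int, weekdays_only: bool) -> bool:
    """True if a local-time datetime falls on a working day inside [start, end) hours."""
    if weekdays_only and local.weekday() >= 5:   # 5 = Saturday, 6 = Sunday
        return False
    return start <= local.hour < end


def score_offsets(timestamps, start=8, end=17, weekdays_only=True):
    """For every whole-hour UTC offset, the fraction of messages inside the working window."""
    utc = [parse_utc(t) for t in timestamps]
    scores = {}
    for offset in range(-12, 15):
        tz = timezone(timedelta(hours=offset))
        hits = sum(in_work_window(t.astimezone(tz), start, end, weekdays_only) for t in utc)
        scores[offset] = hits / len(utc)
    return scores


def best_offset(timestamps, **kwargs):
    """Offset with the highest working-hours fit; ties go to the offset nearest UTC."""
    scores = score_offsets(timestamps, **kwargs)
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores[best]


def local_hour_histogram(timestamps, offset):
    """Message count per local hour under the given offset, for a check by eye."""
    tz = timezone(timedelta(hours=offset))
    return Counter(parse_utc(t).astimezone(tz).hour for t in timestamps)


if __name__ == "__main__":
    off, frac = best_offset(SAMPLE_UTC)
    print(f"best fit UTC{off:+d}: {frac:.0%} of messages in 08:00-17:00 on weekdays")
    print(sorted(local_hour_histogram(SAMPLE_UTC, off).items()))
```

Bear in mind that UTC+8 is shared by several countries and that operators can keep unusual hours, so the time-zone fit is corroborating evidence to be weighed with the workspace locale and the targeting, as the page does, not an attribution on its own.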
SHADOW-EARTH-053: Exchange/IIS Exploitation Across Eight Nations
Trend Micro's SHADOW-EARTH-053 is a broader, more aggressive operator. Active since December 2024, this cluster has compromised government, defense, and diplomatic targets across Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland — a footprint that maps almost perfectly to China's Belt and Road Initiative (BRI) corridor nations, plus Taiwan (sovereignty dispute) and Poland (NATO state, Ukrainian supply chain transit hub).
Initial Access: Exploitation of N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers. The ProxyLogon chain (CVE-2021-26855, -26857, -26858, -27065) remains in active use against unpatched Exchange instances — a reminder that 2021's most severe Exchange vulnerability has not been fully remediated across enterprise environments globally.
Execution Chain:
1. Exchange/IIS exploit → Godzilla web shell deployment (persistent remote access)
2. Web shell used for reconnaissance, credential harvesting via Mimikatz
3. ShadowPad backdoor staged and loaded by DLL sideloading through the legitimate, signed AnyDesk executable
4. Lateral movement via custom RDP launcher + Sharp-SMBExec (C# implementation)
5. Tunneling via IOX, GOST (Go Simple Tunnel), and Wstunnel
6. Additional payloads packed with RingQ to evade AV detection
In at least one observed intrusion, CVE-2025-55182 (React2Shell) was used to deliver a Linux variant of Noodle RAT (aka ANGRYREBEL/Nood RAT) — the same Linux RAT Google's GTIG attributes to a cluster tracked as UNC6595.
Trend Micro also observed that nearly half of SHADOW-EARTH-053's targets in Malaysia, Sri Lanka, and Myanmar had previously been compromised by SHADOW-EARTH-054, a related cluster, which suggests shared pre-positioned access or an operational handoff between units.
Overlap: SHADOW-EARTH-053 shares partial infrastructure with CL-STA-0049 (Unit 42's designation), Earth Alux (an existing Trend Micro China-nexus cluster), and REF7707 (Elastic's designation), consistent with the distributed-but-connected model of Chinese APT operations.
GLITTER CARP & SEQUIN CARP: Transnational Repression at Scale
Citizen Lab's disclosure covers two less technically sophisticated but strategically alarming clusters targeting journalists, civil society, and ethnic minority diaspora communities (Uyghur, Tibetan, Taiwanese, Hong Kong).
GLITTER CARP (overlapping with Proofpoint's UNK_SparkyCarp) runs AiTM (Adversary-in-the-Middle) phishing against the International Consortium of Investigative Journalists (ICIJ), Taiwan's semiconductor industry, and Uyghur/Tibetan organizations. Key TTPs: impersonation of known individuals, tech company security alerts, 1×1 tracking pixels in phishing emails to fingerprint recipients before full lure delivery. GLITTER CARP re-uses the same domains and impersonated personas across multiple independent target sets — an indicator of centralized campaign management with distributed execution.
SEQUIN CARP (aka UNK_DualTone, UTA0388, TAOTH) runs spear-phishing against ICIJ journalists investigating Chinese government subjects, aiming at OAuth consent rather than passwords: the target is persuaded to grant a third-party application access to their mailbox, and the resulting token (with a refresh token where offline_access is granted) gives persistent read access to the account without any further use of the credential and without tripping MFA.
Both clusters focus on credential harvesting rather than host-based implant deployment, consistent with a targeting goal of monitoring and suppressing foreign-based reporting rather than technical espionage.
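The tracking-pixel step in GLITTER CARP's kill chain is worth seeing concretely: the lure carries a remote image whose URL embeds a per-recipient token, so the first fetch tells the operator who opened the mail, from where and with what client, before the credential-phishing page is ever shown. The following Python is an added example, not Citizen Lab's or Proofpoint's code: it finds remote images that are 1x1 or hidden by inline style in a constructed lure, reports the per-recipient tokens, and returns the HTML with those tags removed, which is the gateway-side stripping the playbook later calls for. The heuristics and the sample HTML are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


def _px(value):
    """Integer pixel count from an attribute such as '1' or '1px', else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def looks_like_pixel(attrs):
    """Heuristic: remote image that is 1x1 or smaller, or hidden via inline style."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    sw = re.search(r"(?:^|;)width:(\d+)px", style)
    sh = re.search(r"(?:^|;)height:(\d+)px", style)
    if w is None and sw:
        w = int(sw.group(1))
    if h is None and sh:
        h = int(sh.group(1))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    hidden = "display:none" in style or "visibility:hidden" in style
    remote = urlparse(attrs.get("src") or "").scheme in ("http", "https")
    return remote and (tiny or hidden)


class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels = []  # (raw tag text, src)

    def handle_starttag(self, tag, attrs):
        # Self-closing <img ... /> also arrives here via the default handle_startendtag.
        if tag == "img":
            a = dict(attrs)
            if looks_like_pixel(a):
                self.pixels.append((self.get_starttag_text(), a["src"]))


def find_pixels(html):
    p = PixelFinder()
    p.feed(html)
    p.close()
    return p.pixels


def strip_pixels(html):
    """Return (html without tracking pixels, list of what was removed with its tokens)."""
    removed = []
    cleaned = html
    for raw, src in find_pixels(html):
        cleaned = cleaned.replace(raw, "")
        u = urlparse(src)
        removed.append({"host": u.netloc, "path": u.path,
                        "tokens": {k: v[0] for k, v in parse_qs(u.query).items()}})
    return cleaned, removed


# Constructed lure: a real logo, then two beacons (one sized by attributes, one by style).
SAMPLE_HTML = """<html><body>
<img src="https://mail.example.org/logo.png" width="200" height="50" alt="logo">
<p>Please review the attached document.</p>
<img src="https://track.example.net/p.gif?r=a1b2c3d4&amp;c=icij" width="1" height="1">
<img src="https://track.example.net/o.png" style="width:1px; height:1px; border:0" />
</body></html>"""

if __name__ == "__main__":
    cleaned, removed = strip_pixels(SAMPLE_HTML)
    for r in removed:
        print(r["host"], r["path"], r["tokens"])
```

The `r=` value in the first beacon is the per-recipient identifier; a client that blocks remote image loading by default never fetches it, which is why that setting is the cheaper control.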
IOCs
GopherWhisper
- Outlook.com account used for draft C2: `barrantaya.1010@outlook[.]com` (created 2024-07-11; likely burned post-disclosure)
- Exfiltration endpoint: `file[.]io` (public REST API)
- C2 channels: attacker-controlled Discord servers and Slack workspaces
- DLL artifact: `whisper.dll` (LaxGopher)
- Injection target: LaxGopher is spawned inside `svchost.exe`
SHADOW-EARTH-053
- Web shell: Godzilla (multiple variants)
- Backdoor: ShadowPad (DLL sideloaded via AnyDesk)
- Linux RAT: Noodle RAT / ANGRYREBEL
- Tunneling: IOX, GOST, Wstunnel
- Credential tools: Mimikatz
- Lateral movement: Sharp-SMBExec, custom RDP launcher
- Evasion packer: RingQ
- CVEs exploited: ProxyLogon chain (CVE-2021-26855, -26857, -26858, -27065), CVE-2025-55182
GLITTER/SEQUIN CARP
- Technique: AiTM phishing kits, OAuth token harvesting
- Infrastructure: shared domains across multiple targeted organizations
- Tracking mechanism: 1×1 pixel beacons on attacker-controlled domains
- Targets: ICIJ, Uyghur/Tibetan/Hong Kong diaspora groups, Taiwan semiconductor contacts
Lyrie Take
These three disclosures in 14 days are not a coincidence of the publishing calendar — they reflect the maturation of a threat intelligence pipeline that is finally catching up with a Chinese APT ecosystem that has been proliferating at a rate faster than the public record acknowledged.
What they collectively demonstrate is a three-layer intelligence architecture:
1. Technical espionage layer (GopherWhisper, SHADOW-EARTH-053): government and defense sector penetration for strategic intelligence on BRI partners, territorial adversaries (Taiwan), and NATO logistics nodes (Poland).
2. Operational infrastructure sharing layer (SHADOW-EARTH-053/054 overlap, SHADOW/Earth Alux/REF7707 connections): units share pre-positioned access, reducing individual exposure and enabling deniable handoffs.
3. Information control layer (GLITTER/SEQUIN CARP): suppression of foreign-based investigative journalism and diaspora communication — a capability that serves internal Chinese political stability goals rather than military intelligence.
The convergence on living off trusted services (LOTLaaS) is the most tactically significant trend. When C2 is a Microsoft Graph call that edits an Outlook draft, a Slack API message, or a Discord API message, the traffic is TLS to domains most enterprises already allow, and stacks tuned to inspect binaries and flag unknown destinations have nothing to match on. The bar moves from signature-based AV to behavior: which process is talking to which SaaS API, how often, and whether that pairing makes sense on that host. That is telemetry most organizations are not yet collecting.
For Lyrie customers: the detection gap for LOTLaaS-based C2 is exactly the kind of blind spot that Lyrie's platform is built to close, through API-level behavioral telemetry rather than endpoint-only inspection. GopherWhisper's BoxOfFriends channel (legitimate Graph API calls, legitimate credentials, nothing on the wire for a signature to match) passes unnoticed through most deployed enterprise security tooling. That is the problem we exist to solve.
Defender Playbook
For GopherWhisper-class LOTLaaS threats:
- [ ] Treat Microsoft Graph, Slack, Discord and file.io as potential C2 transports in endpoint and DNS telemetry: alert when a process other than the expected client (a browser, Outlook, Teams, or the Slack/Discord desktop app) resolves or connects to graph.microsoft.com, login.live.com, *.slack.com, *.discord.com or file.io. GopherWhisper's dead drop is an attacker-owned Outlook.com mailbox, so the victim tenant's audit log never sees the draft traffic; the host-side process-to-destination pairing is the observable
- [ ] Where a mailbox in your own tenant could serve as the dead drop instead, enable Microsoft 365 Unified Audit Logging (including mailbox auditing) and alert on `Create`/`Update` operations against items in the Drafts folder at anomalous volumes, from non-interactive client strings (REST/Graph rather than OWA or Outlook), or from non-corporate devices and unexpected geographies
- [ ] Block file.io at the web gateway or DNS resolver as a preventative measure; it has no legitimate internal business use for most enterprises
- [ ] Audit Slack and Discord OAuth app installations in your tenant; revoke any that pre-date documented approval
- [ ] Implement DLL sideloading detection: monitor for signed executables loading unsigned DLLs from non-standard paths, especially a DLL sitting beside the host binary that carries the name of a System32 library, and add an explicit watch for any load of `whisper.dll`, the LaxGopher artifact that surfaced this campaign
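The endpoint-side check described in the BoxOfFriends discussion and in the first two playbook items above, as an added example rather than anything from ESET or the Lyrie platform: it consumes Sysmon-style DNS (Event ID 22) and network (Event ID 3) records, maps destinations to the trusted services GopherWhisper abuses (Graph, Microsoft sign-in endpoints, Slack, Discord, file.io), and flags any process that is not on an assumed per-service allow-list of legitimate clients. The allow-list, the domain table and the sample events are assumptions for illustration; tune the first two to what your fleet actually runs.

```python
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
OFFICE_CLIENTS = {"outlook.exe", "ms-teams.exe", "teams.exe", "onedrive.exe"}

# Assumed allow-list of processes that legitimately talk to each service.
# The signal is the (process, service) pairing, not the destination alone.
EXPECTED_CLIENTS = {
    "slack": BROWSERS | {"slack.exe"},
    "discord": BROWSERS | {"discord.exe"},
    "m365-graph": BROWSERS | OFFICE_CLIENTS,
    "auth": BROWSERS | OFFICE_CLIENTS,
    "file.io": set(),  # no expected business client at all
}

# Destination domains per service, matched on the exact host or any subdomain.
SERVICE_DOMAINS = {
    "slack": ("slack.com",),
    "discord": ("discord.com", "discordapp.com", "discord.gg"),
    "m365-graph": ("graph.microsoft.com",),
    "auth": ("login.live.com", "login.microsoftonline.com"),
    "file.io": ("file.io",),
}


def category_for(host: str):
    """Service category for a hostname, or None if it is not one we track."""
    host = host.lower().rstrip(".")
    for cat, domains in SERVICE_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return cat
    return None


def hunt(events):
    """Group unexpected (process -> trusted service) pairings and rate them.

    Each event is a dict in the shape of a Sysmon event: ID 22 carries Image and
    QueryName, ID 3 carries Image and DestinationHostname.
    """
    unexpected = defaultdict(set)  # image path -> services it should not be talking to
    for ev in events:
        host = ev.get("QueryName") or ev.get("DestinationHostname") or ""
        cat = category_for(host)
        if cat is None:
            continue
        image = ev["Image"]
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe not in EXPECTED_CLIENTS[cat]:
            unexpected[image].add(cat)

    findings = []
    for image, cats in unexpected.items():
        c2_capable = cats - {"auth"}  # sign-in alone is not a channel, but it precedes Graph use
        severity = "high" if "file.io" in cats or len(c2_capable) >= 2 else "medium"
        findings.append({"image": image, "services": sorted(cats), "severity": severity})
    return sorted(findings, key=lambda f: f["image"])


# Constructed sample telemetry, not real data: a LaxGopher-style injected svchost
# touching Slack, Discord and file.io, and an unknown updater talking to Graph.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "app.slack.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "QueryName": "graph.microsoft.com"},
    {"EventID": 22, "Image": r"C:\Users\u\AppData\Local\slack\slack.exe", "QueryName": "wss-primary.slack.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "slack.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "file.io"},
    {"EventID": 22, "Image": r"C:\Users\u\AppData\Roaming\Updater\sync.exe", "QueryName": "login.live.com"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Roaming\Updater\sync.exe", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], ", ".join(f["services"]))
```

Event ID 3 only carries a hostname when Sysmon can resolve it, so the DNS events (ID 22) are the more reliable source for the domain match; keep both. Expect some tuning noise from update agents and helper processes before the allow-list settles.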
For SHADOW-EARTH-053-class Exchange/IIS attacks:
- [ ] Emergency: audit all internet-facing Exchange and IIS instances for ProxyLogon patch status; CVE-2021-26855 remains in active exploitation 5 years post-disclosure — this is inexcusable
- [ ] Deploy IPS/WAF virtual patching rules for ProxyLogon chain and CVE-2025-55182 React2Shell as interim measures for any server that cannot be immediately patched
- [ ] Scan for Godzilla web shell artifacts (multiple detection signatures available via Sigma/Yara repos)
- [ ] Monitor AnyDesk for unexpected DLL loads — it is being abused for ShadowPad sideloading
- [ ] Threat hunt for RingQ-packed binaries using entropy analysis on process-injected memory
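Step 3 of the SHADOW-EARTH-053 chain and the sideloading items in both playbooks come down to one question: which loaded DLLs are not where a signed host should be getting them? The following Python is an added example, not Trend Micro's or ESET's code. It scores Sysmon Event ID 7 (ImageLoad) records, assuming the analyst has joined in the host process's own Authenticode result as `HostSigned`/`HostSignatureStatus` (Event 7 only reports the signature of the loaded image), and uses an assumed watch-list of frequently sideloaded System32 DLL names plus the campaign's `whisper.dll`. The sample events are constructed.

```python
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# DLL names that ship in System32 and are frequently planted beside a signed host
# for sideloading. Assumed watch-list for the example; extend it from your own hunts.
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
    "cryptbase.dll", "profapi.dll", "winmm.dll", "dwmapi.dll",
}
# Campaign-specific artifact named on this page.
NAMED_ARTIFACTS = {"whisper.dll"}


def _signed_ok(signed: str, status: str) -> bool:
    return signed.lower() == "true" and status == "Valid"


def assess(ev):
    """Return the reasons an ImageLoad record looks like sideloading (empty list if none).

    Keys mirror Sysmon Event 7 EventData (Image, ImageLoaded, Signed, SignatureStatus);
    HostSigned/HostSignatureStatus are assumed to have been enriched in for the host binary.
    """
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    dll_name = dll.name.lower()
    dll_dir = str(dll.parent).lower() + "\\"
    in_system_dir = dll_dir.startswith(SYSTEM_DIRS)
    dll_ok = _signed_ok(ev.get("Signed", "false"), ev.get("SignatureStatus", ""))
    host_ok = _signed_ok(ev.get("HostSigned", "false"), ev.get("HostSignatureStatus", ""))

    reasons = []
    if dll_name in NAMED_ARTIFACTS:
        reasons.append("named_artifact")
    if dll_name in COMMONLY_SIDELOADED and not in_system_dir:
        reasons.append("system_dll_name_outside_system_dir")
    if host_ok and not dll_ok and not in_system_dir:
        reasons.append("signed_host_loads_unsigned_dll")
        if dll.parent == host.parent:  # PureWindowsPath compares case-insensitively
            reasons.append("dll_beside_host_binary")
    return reasons


def hunt(events):
    """(Image, ImageLoaded, reasons) for every event that scored at least one reason."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {   # legitimate AnyDesk install loading the real version.dll from System32
        "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "HostSigned": "true", "HostSignatureStatus": "Valid",
        "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # AnyDesk copied to a temp folder, loading an unsigned version.dll from beside itself
        "Image": r"C:\Users\u\AppData\Local\Temp\ad\AnyDesk.exe", "HostSigned": "true", "HostSignatureStatus": "Valid",
        "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\ad\version.dll", "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # svchost pulling the campaign's named DLL from ProgramData
        "Image": r"C:\Windows\System32\svchost.exe", "HostSigned": "true", "HostSignatureStatus": "Valid",
        "ImageLoaded": r"C:\ProgramData\whisper.dll", "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # signed app loading its own signed helper DLL: not sideloading
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "HostSigned": "true", "HostSignatureStatus": "Valid",
        "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll", "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for image, loaded, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", loaded, ":", ", ".join(reasons))
```

Event 7 is off by default in most Sysmon configurations because it is noisy; scope the ImageLoad rule to loads from outside the Windows directory and to the watch-listed names rather than logging everything.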
For GLITTER/SEQUIN CARP-class phishing:
- [ ] Enforce phishing-resistant MFA (FIDO2/passkeys) for all accounts; origin binding means an AiTM proxy cannot complete the authentication, which defeats the GLITTER CARP kit class outright. Note the limit: FIDO2 does nothing against consent phishing, because the victim completes a legitimate sign-in and then hands the attacker an OAuth grant
- [ ] Audit third-party OAuth application grants and revoke any with mail-read scopes (Mail.Read, Mail.ReadWrite, IMAP/POP/EWS access-as-user, full_access_as_user) that lack documented business justification; pay particular attention to grants that also carry offline_access, since the refresh token is what gives SEQUIN CARP persistence without further credential use. Restrict user consent to verified publishers and low-risk permissions and route everything else through admin consent requests
- [ ] Block automatic loading of remote images in mail clients, or have the gateway strip or rewrite remote image references, so a tracking pixel cannot report that a lure was opened or fingerprint the recipient's client and IP address
- [ ] Conduct targeted awareness for journalists and civil society organizations covering China-sensitive topics — they are active targets, not hypothetical ones
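A concrete form of the OAuth grant audit in the checklist above, and of the SEQUIN CARP consent-phishing goal described earlier, as an added example rather than Citizen Lab's or Proofpoint's tooling: it joins delegated permission grants to their service principals, keeps only grants that confer mailbox read access, skips Microsoft first-party and explicitly approved apps, and rates each remaining grant on three signals (user rather than admin consent, unverified publisher, and offline_access, the refresh token that makes the access persistent). The mail-scope list, the Microsoft first-party tenant constant and the sample records are assumptions for illustration; the two input lists correspond to what `Get-MgOauth2PermissionGrant -All` and `Get-MgServicePrincipal -All` return from the Microsoft Graph PowerShell module.

```python
# Delegated scopes that give an app the ability to read a mailbox.
# Assumed list for the example; extend it for your tenant.
MAIL_ACCESS_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic", "Mail.Read.Shared", "Mail.ReadWrite.Shared",
    "IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "EWS.AccessAsUser.All", "full_access_as_user",
}
# Tenant that owns Microsoft first-party apps, treated as trusted. Assumed constant:
# compare it with appOwnerOrganizationId on a known first-party service principal in your tenant.
MICROSOFT_FIRST_PARTY_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"


def audit_grants(grants, service_principals, approved_app_ids=frozenset()):
    """Rate delegated OAuth grants that expose mailbox content.

    grants: oAuth2PermissionGrant objects (clientId, consentType, principalId, scope).
    service_principals: servicePrincipal objects (id, appId, appDisplayName,
    appOwnerOrganizationId, verifiedPublisher).
    """
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        scopes = set((g.get("scope") or "").split())
        mail_scopes = sorted(scopes & MAIL_ACCESS_SCOPES)
        if not mail_scopes:
            continue
        sp = sps.get(g["clientId"])
        if sp is None:
            findings.append({"app": g["clientId"], "appId": None, "user": g.get("principalId") or "ALL USERS",
                             "mail_scopes": mail_scopes, "risk": "high",
                             "why": ["grant references no known service principal"]})
            continue
        if sp.get("appOwnerOrganizationId") == MICROSOFT_FIRST_PARTY_TENANT or sp["appId"] in approved_app_ids:
            continue
        why = []
        if g.get("consentType") == "Principal":
            why.append("user consent, not admin")
        if not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
            why.append("unverified publisher")
        if "offline_access" in scopes:
            why.append("offline_access: refresh token gives persistence")
        risk = {3: "high", 2: "medium"}.get(len(why), "low")
        findings.append({"app": sp.get("appDisplayName"), "appId": sp["appId"],
                         "user": g.get("principalId") or "ALL USERS",
                         "mail_scopes": mail_scopes, "risk": risk, "why": why})
    return findings


# Constructed sample records, not real tenant data.
SAMPLE_SPS = [
    {"id": "sp-1", "appId": "app-contoso-sync", "appDisplayName": "Contoso Mail Sync",
     "appOwnerOrganizationId": "tenant-unknown", "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-2", "appId": "app-ms-teams", "appDisplayName": "Microsoft Teams",
     "appOwnerOrganizationId": MICROSOFT_FIRST_PARTY_TENANT, "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-3", "appId": "app-docs-viewer", "appDisplayName": "Docs Viewer",
     "appOwnerOrganizationId": "tenant-vendor-a", "verifiedPublisher": {"verifiedPublisherId": "mpn-12345"}},
    {"id": "sp-4", "appId": "app-pdf-helper", "appDisplayName": "PDF Helper",
     "appOwnerOrganizationId": "tenant-vendor-b", "verifiedPublisher": {"verifiedPublisherId": None}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "carol", "scope": " Mail.Read offline_access User.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None, "scope": "Mail.Read Chat.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "dave", "scope": "Files.Read User.Read"},
    {"clientId": "sp-4", "consentType": "AllPrincipals", "principalId": None, "scope": "Mail.ReadWrite offline_access"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, SAMPLE_SPS):
        print(f["risk"].upper(), f["app"], f["user"], f["mail_scopes"], "; ".join(f["why"]))
```

Revoking a grant (`Remove-MgOauth2PermissionGrant`) stops new token issuance but does not invalidate tokens already held, so pair the revocation with a refresh-token revocation for the affected user.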
Sources
1. ESET Research — "GopherWhisper: A Burrow Full of Malware" (April 23, 2026): https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
2. The Hacker News — "China-Linked GopherWhisper Infects 12 Mongolian Government Systems" (April 23, 2026): https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html
3. SecurityWeek — "China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks" (April 23, 2026): https://www.securityweek.com/china-linked-apt-gopherwhisper-abuses-legitimate-services-in-government-attacks/
4. The Hacker News — "China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists" (May 5, 2026): https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html
5. Trend Micro — "Inside SHADOW-EARTH-053": https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html
6. Citizen Lab — "How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression": https://citizenlab.ca/research/how-chinese-actors-use-impersonation-and-stolen-narratives-to-perpetuate-digital-transnational-repression/
7. CYFIRMA Weekly Intelligence Report — May 1, 2026: https://www.cyfirma.com/news/weekly-intelligence-report-01-may-2026/
8. GlobeNewswire ESET Press Release (April 23, 2026): https://www.globenewswire.com/news-release/2026/04/23/3279634/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.