# China-Linked Hackers Hit Asian Governments and Poland With ShadowPad

*Friday, May 1, 2026 at 4:06 PM UTC — Hamer Intelligence Services Desk*

- **Published**: 2026-05-01T16:06:19.759Z
- **Category**: cyber | **Region**: Asia
- **Importance**: 8/10
- **Sources**: OSINT
- **Permalink**: https://hamerintel.com/data/articles/2257.md
- **Source**: https://hamerintel.com/summaries

---

**Deck**: Security researchers reported on May 1, 2026, that China-linked threat actors exploited Microsoft Exchange and IIS vulnerabilities to deploy the ShadowPad backdoor against multiple Asian governments and Poland, a NATO member. Parallel phishing campaigns targeted journalists and activists, pointing to a dual focus on state and civil society surveillance.

## Key Takeaways
- On May 1, 2026, new research detailed China-linked cyber operations against several Asian governments and Poland using ShadowPad malware.
- Attackers exploited Exchange and IIS vulnerabilities to gain persistent access to government networks.
- In parallel, coordinated phishing campaigns targeted journalists and activists across the region.
- The campaigns underscore Beijing-aligned operators’ twin priorities: strategic state espionage and monitoring of civil society and information flows.

On May 1, 2026, cybersecurity analysts disclosed that China-linked threat actors have been conducting a series of sophisticated intrusion campaigns against government networks across Asia and at least one NATO state, Poland. The operations leveraged vulnerabilities in Microsoft Exchange and Internet Information Services (IIS) to deploy ShadowPad, a modular backdoor widely associated with Chinese state‑sponsored activity. Simultaneously, separate but related phishing efforts have been targeting journalists and human rights activists, indicating a broad intelligence collection mandate.

ShadowPad has emerged over the past decade as a favored tool for long‑term espionage campaigns emanating from China‑aligned groups. Its modular design allows operators to selectively load capabilities for credential theft, lateral movement, data exfiltration, and command‑and‑control obfuscation. In the newly reported incidents, attackers appear to have exploited unpatched or poorly secured Exchange and IIS servers as initial access points, then installed ShadowPad to maintain covert presence inside sensitive government environments.

The victims include multiple unnamed Asian governments and at least one European target: Poland, a NATO member. Targeting Poland is particularly noteworthy given its frontline role in supporting Ukraine, hosting NATO infrastructure, and serving as a logistics hub for military assistance flows. Compromising Polish government networks could provide valuable insight into alliance decision‑making, defense planning, and sanctions implementation.

In parallel with these government intrusions, the same or closely related operators are reported to be running extensive phishing campaigns against journalists and activists across the region. These operations use socially engineered emails and look‑alike domains to harvest credentials or deliver malware to individuals who shape public narratives or expose human rights abuses. By combining state‑level espionage with civil society monitoring, the threat actors can map both formal decision‑making structures and informal information ecosystems.

Technically, the campaigns highlight the persistent exploitation of well‑documented vulnerabilities in widely deployed software, underscoring patch management and configuration weaknesses in public agencies. They also illustrate the evolving tradecraft of Chinese‑aligned groups, which increasingly blend advanced custom tools like ShadowPad with commodity techniques such as phishing and password spraying. The dual‑track targeting of governments and non‑state actors aligns with Beijing’s broader interest in political stability, regional influence, and control over narratives around sensitive issues.

For affected governments, the intrusions pose both tactical and strategic risks. In the near term, attackers could access sensitive diplomatic cables, defense planning documents, or personal data on officials, enabling intelligence insights or potential coercion. Over longer horizons, persistent access allows for shaping operations, such as selectively leaking or manipulating data to influence domestic politics or international negotiations.

## Outlook & Way Forward

In the immediate future, incident response teams in affected countries will need to identify compromised systems, evict ShadowPad and related tooling, and assess the scope of data exfiltration. Given ShadowPad’s track record of stealth and persistence, thorough forensic work and possible network rebuilds may be required. Coordination among national cyber defense agencies and international partners, including NATO’s Cooperative Cyber Defence Centre, will be critical to share indicators of compromise and hardening guidance.

Strategically, these revelations will likely intensify calls within NATO and key Asian states for a more unified approach to deterring and responding to state-linked cyber espionage. While such operations fall below the threshold of armed attack, they erode trust and can feed into broader geopolitical tensions, particularly in the context of disputes over Taiwan, South China Sea activities, and support for Ukraine. Policy responses may include public attribution, targeted sanctions, restrictions on technology exports, and expanded joint cyber exercises.

Civil society actors—journalists and activists—will require dedicated support, including security training, provision of secure communication tools, and improved incident reporting channels. Their compromise can have outsized impacts on transparency, human rights monitoring, and public debate. Analysts should watch for additional attributions by national cyber agencies, any formal diplomatic protests directed at Beijing, and whether alliance documents begin to more explicitly link cyber espionage patterns to collective defense planning.
