CHINA-LINKED PHISHING OPERATIONS TARGET JOURNALISTS AND DIASPORA ACTIVISTS: “GLITTER CARP” AND “SEQUIN CARP” CAMPAIGNS DEPLOY 100+ MALICIOUS DOMAINS IN TRANSNATIONAL REPRESSION MODEL

Threat Summary

Category: Cyber Espionage / Phishing / Information Operations
Features: Multi-domain phishing infrastructure, persona impersonation, credential harvesting, diaspora targeting, journalist surveillance
Delivery Method: Email phishing, WhatsApp outreach, impersonation campaigns, fake login portals
Threat Actor: China-linked contractors (GLITTER CARP, SEQUIN CARP clusters)

---

Two coordinated phishing campaigns attributed to China-linked threat actors have targeted journalists, activists, and diaspora communities over a sustained operational window, leveraging more than 100 malicious domains to conduct credential harvesting and surveillance-driven intrusion attempts.

The campaigns, identified as GLITTER CARP and SEQUIN CARP, focused on individuals connected to politically sensitive regions and reporting networks, including members of Tibetan, Taiwanese, Hong Kong, and Uyghur communities. Journalists affiliated with investigative reporting organizations were also directly targeted, indicating alignment with intelligence-gathering objectives tied to state-level interests.

The operational model relies on impersonation, staged communication, and credential capture rather than direct exploitation of system vulnerabilities. Initial contact often occurs through messaging platforms such as WhatsApp, where attackers pose as trusted individuals to establish credibility. Targets are then directed to phishing-controlled domains designed to replicate legitimate login interfaces, particularly Google account authentication portals.

In observed cases, targets received follow-up communications designed to reinforce the legitimacy of the attack sequence, including impersonated security alerts. These layered interactions increase the likelihood of credential submission and extend engagement windows.

GLITTER CARP operates with scale and persistence, deploying broad targeting strategies across large groups of individuals, including those with indirect or peripheral connections to targeted communities. The campaign reflects high-volume execution, prioritizing reach and access over concealment.

SEQUIN CARP demonstrates a more focused approach, concentrating on journalists and investigative personnel through the use of tailored personas and extended social engineering interactions. While the campaign invests heavily in identity construction, it shows limitations in operational adaptability when initial intrusion attempts fail.

The campaigns are assessed to support follow-on operations, including account compromise, monitoring of communications, and potential access to sensitive reporting or advocacy networks.

---

Infrastructure at Risk

• Personal and organizational email accounts (Google-based platforms)
• Journalist communication networks and investigative workflows
• Messaging platforms used for initial outreach (e.g., WhatsApp)
• Diaspora advocacy organizations and their internal communications
• Devices linked to compromised credential ecosystems

Exposure is elevated for individuals operating across international advocacy, journalism, and policy reporting environments.

---

Policy / Allied Pressure

The campaigns reflect a broader pattern of transnational digital targeting involving diaspora communities and independent media actors. The use of third-party contractors introduces operational separation between state objectives and execution, complicating attribution and response.

This model reduces cost barriers to sustained targeting operations and expands the scope of potential victims beyond traditional intelligence priorities.

The targeting of journalists and civil society actors introduces direct implications for press integrity, information flow, and international reporting networks.

---

Vendor Defense / Reliance

Mitigation depends on:

• Strong credential protection, including multi-factor authentication
• Detection of domain impersonation and phishing infrastructure
• Monitoring for unusual login attempts and authentication anomalies
• User-level awareness of impersonation tactics across messaging platforms
• Endpoint inspection for potential follow-on compromise

Traditional perimeter defenses offer limited protection against attacks initiated through trusted communication channels and social engineering pathways.

---

Forecast — 30 Days

• Continued expansion of phishing infrastructure using disposable domains
• Increased targeting of journalists covering geopolitical or national security topics
• Broader deployment of impersonation campaigns across messaging platforms
• Further use of contractor-based operations to obscure attribution
• Rising pressure on diaspora communities through coordinated digital targeting

---

TRJ Verdict

This is not random phishing. It is structured targeting with intent.

GLITTER CARP and SEQUIN CARP reflect a distributed operational model where access is pursued through identity, not intrusion. The attacker does not break into systems. The attacker is invited in through trust, familiarity, and repetition.

The use of more than 100 domains is not excess. It is redundancy. When one path fails, another remains active. When one identity is exposed, another is already in position.

The shift toward contractor-led operations introduces a controlled layer of separation between directive and execution. Attribution becomes blurred, but outcomes remain consistent.

Journalists and diaspora networks are not being scanned. They are being selected.

Credential theft is the entry point. Surveillance is the objective.

The compromise is not limited to a system. It extends to communication, trust, and the ability to operate without interference.

That is where the real impact resides.

---

---

---

---

---

---

---

---

🔥 NOW AVAILABLE! 🔥

‎👉 Eclipsera – Apple Music

---

---

---

---

---