A China-aligned threat cluster designated SHADOW-EARTH-053 has been conducting an espionage campaign against government and defense sectors across South, East, and Southeast Asia, as well as at least one European NATO member state, Trend Micro disclosed this week. The group has been active since at least December 2024, exploiting N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers as its initial access vector, then deploying ShadowPad implants for persistent, stealthy collection.
SHADOW-EARTH-053: What We Know So Far
Trend Micro's full report maps the group's activity across three operational phases.
Initial Access: SHADOW-EARTH-053 exploits N-day vulnerabilities in Microsoft Exchange and IIS servers — including the ProxyLogon chain (CVE-2021-26855 and related CVEs) — against internet-facing infrastructure. No zero-days have been attributed to this cluster. The reliance on patched-but-unpatched-in-field vulnerabilities is consistent with targeting government and defense organizations that operate on delayed patching cycles due to change management requirements.
Persistence: After initial access, the group deploys Godzilla web shells for a persistent foothold on the compromised server. ShadowPad implants are then staged via DLL sideloading of legitimate, signed executables — a technique that blends malicious payloads into trusted application processes, evading most AV and EDR signatures based on process integrity.
Lateral Movement and Collection: SHADOW-EARTH-053 uses Mimikatz for privilege escalation and credential harvesting, a custom RDP launcher for remote desktop pivoting, and Sharp-SMBExec (a C# implementation of SMBExec) for lateral movement within victim environments. The maintenance of a custom toolset indicates a developer-backed operation rather than opportunistic use of commodity malware.
Nearly half of SHADOW-EARTH-053's confirmed targets — particularly those in Malaysia, Sri Lanka, and Myanmar — were also previously compromised by a related cluster that Trend Micro designates SHADOW-EARTH-054. The two clusters share partial network infrastructure and overlap with Earth Alux, CL-STA-0049, and REF7707, suggesting coordinated intelligence tasking rather than independent operations.
The European NATO member target has not been publicly named, but its inclusion alongside Southeast Asian government and defense entities indicates the campaign has strategic intelligence objectives spanning both regional politics and Western security architecture. This is consistent with China's documented practice of simultaneous collection against Indo-Pacific partners and their Western allies.
Why SHADOW-EARTH-053 Matters
China-aligned espionage operations using ShadowPad have intensified since the malware was identified as a shared platform distributed among multiple PRC threat groups. Unlike commodity malware, ShadowPad is modular and continuously updated, making signature-based detection unreliable across campaigns.
SHADOW-EARTH-053's reliance on N-day Exchange and IIS exploits targets a large pool of government organizations that lag on patching — a well-understood structural vulnerability in public sector IT. Once inside, Godzilla web shells and DLL-sideloaded ShadowPad implants provide persistence that survives reboots and standard malware scanning.
The documented overlap with SHADOW-EARTH-054 and Earth Alux is operationally significant. Multiple clusters targeting the same countries and organizations likely share intelligence requirements from a common tasking authority. Defenders at organizations in the targeted geographies should treat this as a coordinated collection effort, not isolated intrusions.
SHADOW-EARTH-053: What You Should Do Now
- Patch Exchange and IIS immediately. ProxyLogon patches have been available since March 2021 — any Exchange server still exposed to CVE-2021-26855 should be treated as already compromised pending investigation. Run the Microsoft Exchange Health Checker to verify current patch and configuration status.
- Audit IIS directories for web shells. Use
Get-ChildItem -Recurseon IISwwwrootdirectories and compare file hashes against known-good baselines. Godzilla web shells commonly use.aspxor.ashxextensions with obfuscated payloads. Microsoft's web shell detection guidance provides specific indicators and search patterns.
- Monitor for DLL sideloading patterns. Alert on legitimate, signed executables loading DLLs from non-standard or user-writable paths. Windows Defender Application Control (WDAC) and EDR telemetry can identify this pattern. Specifically watch for signed vendor binaries loading unsigned DLLs from
%TEMP%,%APPDATA%, or application subdirectories.
- Alert on LSASS access from non-system processes. Mimikatz activity generates Sysmon Event ID 10 (process access to LSASS) from non-system processes. Alert on any non-system process accessing
lsass.exe, and flag creation ofLSASS.dmpfiles.
- Flag remote service installations. Sharp-SMBExec generates Windows Event ID 7045 (new service installed) from unexpected source hosts during lateral movement. Alert on service installations from non-management hosts.
Detection and Verification Checklist
- Verify Exchange and IIS patch levels against Microsoft's Security Update Guide — specifically confirm ProxyLogon CVEs are patched.
- Search IIS and Exchange web directories for
.aspx/.ashxfiles containing base64-encoded strings or eval-style execution patterns. - Review Windows Event Logs for Event ID 7045 (service installation) initiated from unexpected source hosts.
- Check Sysmon Event ID 10 logs for non-system LSASS access across all servers in the environment.
- Add SHADOW-EARTH-053 indicators from Trend Micro's report to your SIEM detection rules and EDR threat intelligence feeds.
— Sources: The Hacker News, Trend Micro, GBHackers, CybersecurityNews
For any query contact us at contact@cipherssecurity.com
