Shadow-Earth-053

SHADOW-EARTH-053 is a China-aligned intrusion cluster and cyberespionage campaign tracked by Trend Micro/TrendAI. It has been active since at least December 2024 and has targeted government agencies, ministries, defense-adjacent contractors, defense contractors, critical infrastructure organizations, technology firms, transportation entities, and IT consulting firms. Reported victim countries include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland, with the campaign primarily focused on South, East, and Southeast Asia and at least one victim in a European NATO member state. The group gains initial access by exploiting unpatched internet-facing Microsoft Exchange Server and IIS systems, including the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). After exploitation it deploys GODZILLA web shells, including ASPX and ASHX variants, for persistence, command execution, and reconnaissance. SHADOW-EARTH-053 then deploys ShadowPad using DLL sideloading chains built around legitimate signed executables, including GameHook.exe, imecmnt.exe, xReport.exe, LUManager.EXE, and a renamed Toshiba Bluetooth Stack executable, CIATosBtKbd.exe, which sideloads TosBtKbd.dll. In observed cases, the loader retrieved encrypted payloads from Windows Registry keys under HKEY_CURRENT_USER\Software[ComputerName], allocated executable memory, and executed shellcode via EnumDesktopsA callback injection. Persistence included a scheduled task named M1onltor configured to run every five minutes with elevated privileges. Post-compromise activity included reconnaissance through compromised IIS worker processes; domain controller and domain admin discovery; LDAP enumeration; csvde.exe exports; PowerView-based user enumeration; internal Exchange discovery; mailbox enumeration and export via a custom ExchangeExport tool using Exchange Web Services; credential theft with Mimikatz, Evil-CreateDump, and newdcsync; and lateral movement using WMIC, Sharp-SMBExec, custom RDP tooling, and propagation of web shells to internal Exchange servers over administrative SMB shares. The group also used multiple tunneling and proxy tools, including IOX Proxy, GOST, Wstunnel, and tunnel-core.exe variants, and used RingQ to pack binaries and evade detection. Researchers also observed renamed legitimate Windows binaries to evade process-based detection. In some intrusions, AnyDesk was used to deploy ShadowPad. Separate reporting also noted Linux NoodleRat deployment following exploitation of React2Shell (CVE-2025-55182), though attribution of those samples to SHADOW-EARTH-053 was stated with low confidence in one report. Trend Micro reported significant overlap with the related cluster SHADOW-EARTH-054, including shared victims, identical tool hashes, overlapping TTPs, and exploitation of the same vulnerabilities, but stated there was no evidence of direct operational coordination and assessed the overlap as likely reflecting parallel exploitation of the same exposed environments. Related overlaps were also noted with activity tracked elsewhere as CL-STA-0049, REF7707, and Earth Alux. Separate reporting linked parallel phishing activity targeting journalists and diaspora activists from Uyghur, Tibetan, Taiwanese, and Hong Kong communities to clusters named Glitter Carp and Sequin Carp as part of the broader campaign context. Those operations used impersonation emails, fake security alerts, 1x1 tracking pixels, and credential-harvesting pages. The overall activity is described as aligned with Chinese intelligence priorities and focused on espionage and, in some reporting, intellectual property theft.