Researchers from Trend Micro uncovered an ongoing cyberespionage campaign, tracked as SHADOW-EARTH-053, attributed to a China-aligned threat cluster targeting government, defense, and critical infrastructure organizations across South, East, and Southeast Asia, with spillover into at least one NATO member state. The campaign exploits known but unpatched vulnerabilities in internet-facing Microsoft Exchange and IIS servers to gain initial access, allowing attackers to establish long-term persistence inside victim networks using ShadowPad and related tooling.
The targeting scope extends beyond traditional state and military entities to include journalists and civil society activists, indicating a broader intelligence collection strategy that blends geopolitical surveillance with influence and monitoring operations. Affected sectors span government agencies, defense organizations, technology and transportation networks, alongside individuals reporting on China-related issues, highlighting a campaign that is both regionally concentrated and operationally diverse in its victim profile.
“Activity attributed to SHADOW-EARTH-053 has been traced back to at least December 2024, indicating the group has been operational for over a year. Our investigation yielded detailed insight into the attacker’s tactics, techniques, and procedures (TTPs), including the attack flow, initial access vectors, and covert communication channels,” Daniel Lunghi and Lucas Silva wrote in a Trend Micro blog post last week. “In nearly half of the targeted environments, we observed significant overlaps in TTPs and malware usage consistent with another temporary intrusion set, SHADOW-EARTH-054. This intrusion set has some network overlaps with CL-STA-0049 by Unit 42 and REF7707 by Elastic, two other intrusion sets that also have overlaps with Earth Alux.”
They added that while these activities often occurred in the same networks, “the SHADOW-EARTH-054-related incidents frequently predated the deployment of ShadowPad implants by a few months. Despite this temporal gap, both intrusion sets share an arsenal of post-compromise tooling and the same initial access vector.”
Telemetry indicates the group relies on exploiting external services to gain an initial foothold in target networks, primarily by targeting server-based N-day vulnerabilities such as the ProxyLogon chain affecting Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). Despite their age, these flaws remain effective in unpatched environments.
Following initial compromise, the attackers install web shells, including GODZILLA, and deploy ShadowPad implants. These web shells function as persistent backdoors, enabling continued access and remote command execution on compromised systems.
Investigation indicates a clear geographic focus on governmental entities across Asia.
Most observed targets are concentrated in South, East, and Southeast Asia, including Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. Despite this regional concentration, the activity extends beyond Asia, with at least one identified target in Poland, suggesting a primary strategic focus on Asian geopolitical interests alongside signs of opportunistic or expanding operations.
Beyond government entities, SHADOW-EARTH-053 also targets the technology sector, particularly IT consulting firms with government contracts. In multiple cases, these firms list ministries of defense among their clients, indicating an indirect pathway into sensitive environments. A smaller number of victims have also been identified in the transportation sector in Southeast Asia, pointing to limited but notable activity beyond core government and technology targets.
SHADOW-EARTH-053 uses Windows Management Instrumentation Command-line (WMIC) to move laterally, deploying backdoors and tooling across additional hosts. The activity also includes a suspected custom Remote Desktop Protocol launcher masquerading as smss.exe and the use of Sharp-SMBExec, a C# implementation of SMBExec, to execute commands remotely. In at least one environment, the group expanded access by copying web shells to internal Exchange servers over administrative shares, enabling rapid propagation without introducing new tooling and relying instead on existing credentials and compromised infrastructure.
Credential access and privilege escalation are central to the operation. The group uses Evil-CreateDump, a modified variant of Microsoft’s create-dump utility, to extract credentials from LSASS memory. Mimikatz is executed via rundll32.exe with commands targeting logon credentials and the local SAM database, with execution traced to the IIS worker process, confirming web shell–based control. A binary named newdcsync is also deployed, indicating likely use of DCSync techniques to obtain domain controller credentials.
For collection and exfiltration, the attackers deploy RAR to archive data, including password-protected files containing executive email content in PST format. In one case, access to an Exchange server was used to iteratively refine mailbox enumeration techniques, shifting from failed initial commands to more targeted queries that identified active, high-value accounts. The group also leveraged a custom ExchangeExport tool to extract mailbox data via the Exchange Web Services API, mirroring activity previously associated with Silk Typhoon.
Organizations can reduce their attack surface by tightening IIS configurations and monitoring for post-compromise behavior. The IIS worker process (w3wp.exe) should run with the lowest possible privileges, without administrative rights or the ability to write to arbitrary directories. Unnecessary IIS modules and handlers should be removed, and application whitelisting enforced to prevent the process from launching unauthorized binaries or script interpreters.
Presence of a web shell often results in anomalous process activity, which can be detected through EDR (endpoint detection and response) telemetry. Alerts should be configured for instances where the IIS worker process spawns command shells such as cmd.exe or powershell.exe, or reconnaissance tools like whoami.exe and net.exe, as these are strong indicators of remote code execution. Unexpected outbound network connections initiated by the web server should also be monitored, as they may signal command-and-control activity.
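As an added illustration of the alerting guidance above (this is example code, not Trend Micro's or the report's own detection content), the following rule scans Sysmon Event ID 1-style process-creation records and flags the w3wp.exe child processes the article names; rundll32.exe is included as my own assumption, based on the report's note that Mimikatz was launched via rundll32.exe from the IIS worker process. The sample events are constructed.

```python
# Added example: minimal detection rule over Sysmon Event ID 1-style
# process-creation records for the w3wp.exe children the report calls out.

COMMAND_SHELLS = {"cmd.exe", "powershell.exe"}   # RCE indicators per report
RECON_TOOLS = {"whoami.exe", "net.exe"}          # reconnaissance per report
# Assumption (mine): rundll32.exe is included because the report traced
# Mimikatz execution via rundll32.exe back to the IIS worker process.
CREDENTIAL_LOADERS = {"rundll32.exe"}


def basename(image: str) -> str:
    """Normalise a Windows image path to its lower-case file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return an alert label for one process-creation event, or None."""
    if basename(event.get("ParentImage", "")) != "w3wp.exe":
        return None                  # only the IIS worker process is in scope
    child = basename(event.get("Image", ""))
    if child in COMMAND_SHELLS:
        return "w3wp.exe spawned command shell"
    if child in RECON_TOOLS:
        return "w3wp.exe spawned reconnaissance tool"
    if child in CREDENTIAL_LOADERS:
        return "w3wp.exe spawned rundll32.exe (possible credential dumping)"
    return None                      # e.g. csc.exe compiling ASP.NET pages


def scan(events: list) -> list:
    """Return (ProcessId, label) for every event that matches a rule."""
    return [(e["ProcessId"], lbl) for e in events if (lbl := classify(e))]


# Constructed sample telemetry (PIDs, paths and command lines are made up).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": W3WP,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 4133, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 4150, "ParentImage": W3WP.upper(),   # casing must not matter
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net group /domain"},
    {"ProcessId": 4162, "ParentImage": W3WP,           # benign ASP.NET compile
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig"},
    {"ProcessId": 4177, "ParentImage": W3WP,
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three hits (PIDs 4120, 4150 and 4177) and ignores both the explorer.exe-spawned shell and the csc.exe compile, which is routine for ASP.NET sites and a common false positive if the parent check is too broad.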
Access to commonly abused staging directories should be restricted and closely monitored. These locations are frequently used by threat actors to drop and execute payloads due to their permissive write access, making them easy to exploit and often overlooked during routine security checks.
In conclusion, the researchers wrote that SHADOW-EARTH-053 is a persistent, methodical, China-aligned threat actor operating across Asia and beyond. By exploiting long-known but still-unpatched vulnerabilities in internet-facing Exchange and IIS servers, the group has successfully compromised government ministries, defense-adjacent contractors, and transportation organizations across at least eight countries, demonstrating that N-day vulnerabilities remain a viable and effective entry point even years after their disclosure.
“The relationship between SHADOW-EARTH-053 and SHADOW-EARTH-054 adds a further layer of complexity to the threat landscape,” they added. “While the two intrusion sets share tooling, initial access methods, and victim overlap, the available evidence points to independent exploitation of the same vulnerabilities rather than coordinated operation. This pattern underscores the scale and persistence of state-sponsored espionage activity targeting Asian government and critical infrastructure sectors.”
Organizations operating internet-facing Microsoft Exchange or IIS infrastructure, particularly in the affected regions, should treat this campaign as a strong signal to audit patch levels, review web shell detection capabilities, and scrutinize outbound traffic from web servers. The indicators of compromise and threat hunting queries provided in this report offer a practical starting point for identifying potential exposure.