Warning: New China Hack Hits Government and Defense Systems

A highly coordinated cyberespionage campaign is currently sweeping across Asia and parts of Europe, targeting government agencies and critical infrastructure. Tracked as SHADOW-EARTH-053, this China-aligned threat group has been active since at least December 2024, operating with a level of stealth that suggests a long-term strategic mission.

Security researchers from Trend Micro, Daniel Lunghi and Lucas Silva, recently disclosed that the group has successfully infiltrated organizations in at least eight countries, including a NATO member state (Poland). By combining classic malware with modern “living-off-the-land” techniques, the attackers have maintained a persistent presence inside some of the world’s most sensitive networks.


Initial Access: Exploiting the “ProxyLogon” Legacy

Despite years of warnings, the attackers continue to find success by exploiting unpatched Microsoft Exchange and Internet Information Services (IIS) servers.

The primary entry point remains the ProxyLogon vulnerability chain (CVE-2021-26855 through CVE-2021-27065). Once they breach the perimeter, the group deploys the GODZILLA web shell, a sophisticated backdoor that allows them to maintain persistent access and execute remote commands without triggering traditional file-based alerts.


The Multi-Stage Toolkit: ShadowPad and Beyond

The hallmark of this campaign is the use of ShadowPad, a modular backdoor famously shared among various China-linked threat actors. However, SHADOW-EARTH-053’s deployment strategy is uniquely evasive:

  • DLL Sideloading: The group abuses legitimate, signed executables from trusted vendors like Toshiba, Samsung, and Microsoft. They place a malicious DLL alongside the real program; when the program runs, it unknowingly loads the malware.
  • Registry-Based Payloads: To avoid detection by antivirus scanners looking for suspicious files, the ShadowPad payload is often hidden within an encrypted Windows Registry key. It only exists in the system’s memory during execution.
  • Covert Tunneling: The group uses the IOX proxy and open-source tools like GOST and Wstunnel to create encrypted SOCKS5 or HTTPS tunnels, masking their data exfiltration as normal web traffic.

Regional Overlap: SHADOW-EARTH-053 vs. 054

Interestingly, researchers found that nearly half of the victims were also targeted by a related cluster, SHADOW-EARTH-054. While the two groups share identical tool hashes and overlapping methods, they appear to operate independently. In some cases, one group would exploit a server months after the other, suggesting that unpatched government servers in the region are being treated as a “shared resource” by various espionage units.

Confirmed Target Regions:

  • Asia: Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan
  • Europe: Poland (NATO Member)

Defensive Recommendations: Closing the Backdoor

For organizations running on-premise Exchange or IIS servers, the threat is immediate. Security teams should prioritize the following actions:

  1. Emergency Patching: Verify that all Exchange servers are patched against the ProxyLogon and ProxyShell vulnerability chains. If patching is delayed, use a Web Application Firewall (WAF) with virtual patching rules.
  2. Audit IIS Worker Processes: Monitor for w3wp.exe spawning unusual child processes like cmd.exe, powershell.exe, or post-exploitation tools like Mimikatz.
  3. Monitor Staging Directories: Scrutinize any new files created in C:\Users\Public or C:\ProgramData, as these are the group’s preferred areas for staging malware.
  4. File Integrity Monitoring (FIM): Alert on any unauthorized modifications to .aspx or .jsp files within web directories, which could indicate a web shell installation.
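Recommendations 2 through 4 above translate directly into detection logic. The script below is an added example, not code from the Trend Micro report: it applies those three rules to constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The field names mirror Sysmon's ParentImage/Image/TargetFilename; the sample events, the web-root path (C:\inetpub\wwwroot) and the child-process list are assumptions for illustration.

```python
"""Detection rules for the ProxyLogon/web-shell tradecraft described above,
run over constructed Sysmon-like events (no live log source required)."""
from pathlib import PureWindowsPath

IIS_WORKER = "w3wp.exe"
# Children that an IIS worker process has no business spawning (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mimikatz.exe"}
# Staging directories named in the report (compared case-insensitively).
STAGING_DIRS = ("c:\\users\\public", "c:\\programdata")
WEB_SHELL_EXTS = {".aspx", ".jsp"}
# Assumed web root; extend with your Exchange/IIS virtual directory paths.
WEB_ROOTS = ("c:\\inetpub\\wwwroot",)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = benign)."""
    hits = []
    if ev.get("EventID") == 1:  # process creation
        if (_basename(ev["ParentImage"]) == IIS_WORKER
                and _basename(ev["Image"]) in SUSPICIOUS_CHILDREN):
            hits.append("iis-worker-spawned-shell")
    elif ev.get("EventID") == 11:  # file creation
        target = ev["TargetFilename"].lower()
        if target.startswith(STAGING_DIRS):
            hits.append("staging-dir-write")
        if (PureWindowsPath(target).suffix in WEB_SHELL_EXTS
                and target.startswith(WEB_ROOTS)):
            hits.append("webshell-file-write")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, rules_hit) for every event that trips at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]


# Constructed sample telemetry: one true positive per rule plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\login.aspx"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\ProgramData\update.dll"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Feed real Sysmon or EDR exports through check_event in the same shape to reproduce the alerts; the staging-directory rule is intentionally broad and should be tuned against legitimate installers writing to C:\ProgramData.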
