Key Takeaways
- The Shadow‑Earth‑053 campaign is a China‑aligned cyber‑espionage operation that has been active since at least December 2024, targeting government, defense, critical‑infrastructure, technology, transportation, journalists and civil‑society actors across South, East and Southeast Asia, with spill‑over into a NATO member state (Poland).
- Initial access is gained by exploiting long‑known, unpatched Microsoft Exchange/IIS vulnerabilities (the ProxyLogon chain CVE‑2021‑26855/‑26857/‑26858/‑27065).
- After compromise, the attackers deploy web shells (e.g., GODZILLA) and ShadowPad implants, use WMIC, Sharp‑SMBExec and a disguised RDP launcher for lateral movement, and harvest credentials via Evil‑CreateDump, Mimikatz and DCSync‑style tools.
- Data collection relies on RAR archiving, the custom ExchangeExport tool, and iterative mailbox enumeration to exfiltrate high‑value executive email (PST) files.
- Defenders should harden IIS (least‑privilege w3wp.exe, remove unnecessary modules, application whitelisting), monitor for anomalous IIS‑spawned processes, restrict write‑access to staging directories, and hunt for Indicators of Compromise (IOCs) related to web shells, ShadowPad, and credential‑dumping utilities.
Overview of the Shadow‑Earth‑053 Campaign
Trend Micro researchers identified an ongoing cyber‑espionage operation dubbed Shadow‑Earth‑053, attributed to a China‑aligned threat cluster. The campaign has been observed since at least December 2024, indicating more than a year of sustained activity. Its primary vector involves exploiting unpatched, internet‑facing Microsoft Exchange and Internet Information Services (IIS) servers to gain an initial foothold inside victim networks. Once inside, the attackers establish long‑term persistence using the ShadowPad backdoor and associated tooling, enabling continuous espionage and data theft.
Targeting Scope and Victim Profile
Shadow‑Earth‑053’s targeting extends beyond traditional state and military entities. The operation hits government agencies, defense organizations, technology firms (especially IT contractors with government contracts), transportation companies, journalists, and civil‑society activists who report on China‑related topics. This broad victim set reflects a dual intelligence‑collection strategy: geopolitical surveillance of strategic sectors combined with influence and monitoring operations aimed at shaping narratives and tracking dissent.
Timeline, TTPs, and Relation to Other Intrusion Sets
The researchers noted significant overlap in tactics, techniques, and procedures (TTPs) between Shadow‑Earth‑053 and a temporary intrusion set labeled Shadow‑Earth‑054, with nearly half of the compromised environments showing shared malware usage and attack flow. Both sets also intersect with other known clusters such as CL‑STA‑0049 (Unit 42) and REF7707 (Elastic), which in turn overlap with the Earth Alux intrusion set. While the activities often occur on the same networks, Shadow‑Earth‑054 incidents typically predate the deployment of ShadowPad implants by several months, suggesting independent exploitation of the same vulnerabilities rather than a tightly coordinated joint operation.
Initial Access via ProxyLogon Vulnerabilities
The core of the attack chain relies on exploiting N‑day vulnerabilities in Microsoft Exchange Server—specifically the ProxyLogon chain (CVE‑2021‑26855, CVE‑2021‑26857, CVE‑2021‑26858, CVE‑2021‑27065). Despite being disclosed years ago, these flaws remain effective in environments where patches have not been applied. Attackers scan for exposed Exchange/IIS servers, deliver malicious payloads through the vulnerabilities, and establish a foothold without needing zero‑day exploits.
Persistence: Web Shells and ShadowPad Implants
After achieving initial access, the threat actors install web shells—most notably GODZILLA—which act as persistent backdoors allowing remote command execution on compromised systems. In parallel, they deploy the ShadowPad modular malware, a sophisticated loader capable of downloading additional payloads, maintaining covert communication with command‑and‑control (C2) servers, and ensuring long‑term presence within the victim network. These mechanisms enable the attackers to survive reboots, patch cycles, and basic hygiene measures.
Lateral Movement, Privilege Escalation, and Credential Theft
To expand their reach inside compromised environments, the group uses Windows Management Instrumentation Command‑line (WMIC) to execute commands across hosts. They also employ a suspected custom RDP launcher that masquerades as smss.exe and the Sharp‑SMBExec tool—a C# implementation of SMBExec—to run commands remotely via SMB. In at least one case, web shells were copied to internal Exchange servers over administrative shares, facilitating rapid propagation using existing credentials.
Credential access is a central focus: the attackers run Evil‑CreateDump, a modified version of Microsoft’s create‑dump utility, to extract secrets from LSASS memory. Mimikatz is invoked through rundll32.exe targeting logon credentials and the local Security Accounts Manager (SAM) database, with execution traced to the IIS worker process (w3wp.exe), confirming web‑shell‑based control. Additionally, a binary named newdcsync is deployed, indicating the likely use of DCSync techniques to pull domain controller credentials and further elevate privileges.
Data Collection and Exfiltration Techniques
For information gathering, the attackers archive harvested data using RAR, often protecting files with passwords. They specifically target executive email stores, exporting mailbox contents in PST format. In one observed incident, access to an Exchange server enabled the attackers to iteratively refine mailbox enumeration—starting with failed queries and progressing to precise requests that identified high‑value accounts. The group also leverages a custom ExchangeExport tool that interacts with the Exchange Web Services (EWS) API to pull mailbox data, a tactic previously linked to the Silk Typhoon threat actor. Exfiltration is likely performed over encrypted or covert channels, blending with normal traffic to evade detection.
Geographic Focus and Sectoral Spread
Telemetry shows a clear geographic concentration on governmental entities across South, East, and Southeast Asia, with observed targets in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. Despite this regional focus, at least one victim has been identified in Poland, a NATO member state, indicating either opportunistic expansion or a broader strategic interest beyond Asia. Beyond government, the campaign hits the technology sector (especially IT consultancies with defense contracts) and a limited number of transportation organizations in Southeast Asia, demonstrating a layered approach that seeks both direct high‑value targets and indirect pathways via trusted suppliers.
Defensive Recommendations and Mitigations
Organizations can reduce their attack surface by hardening IIS configurations: the IIS worker process (w3wp.exe) should operate with the least necessary privileges, lacking administrative rights or unrestricted write access to arbitrary directories. Unneeded IIS modules and handlers ought to be removed, and application whitelisting enforced to block execution of unauthorized binaries or script interpreters.
Detection hinges on monitoring for anomalous behavior originating from the web server. Alerts should trigger when w3wp.exe spawns command shells (cmd.exe, powershell.exe), reconnaissance tools (whoami.exe, net.exe), or initiates unexpected outbound connections—signs of potential command‑and‑control activity. Additionally, restricting and auditing access to commonly abused staging directories (often permissive write locations) can prevent threat actors from dropping and executing payloads unnoticed. Employing endpoint detection and response (EDR) solutions to correlate these signals with known Indicators of Compromise (IOCs) related to GODZILLA, ShadowPad, Evil‑CreateDump, Mimikatz, and newdcsync will improve early discovery.
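The detection logic above, as an added example that is not code from the Trend Micro report: it scans process-creation events in Sysmon Event ID 1 style (Computer, Image, ParentImage, CommandLine fields) and flags w3wp.exe spawning shells, reconnaissance tools or rundll32.exe, plus a binary named smss.exe running outside System32 (the disguised RDP launcher). All host names, paths and events are constructed.

```python
"""Hunt process-creation events for IIS-spawned tooling (added example)."""
import json
import ntpath

# Children worth an alert when the parent is the IIS worker process.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe",
                       "net.exe", "rundll32.exe"}
# The only legitimate location of the Session Manager binary.
LEGIT_SMSS = r"c:\windows\system32\smss.exe"


def basename(image: str) -> str:
    """File name of a Windows image path, lower-cased for comparison."""
    return ntpath.basename(image).lower()


def classify(event: dict) -> list:
    """Return the detection names that match a single event."""
    hits = []
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    if basename(parent) == "w3wp.exe" and basename(image) in SUSPICIOUS_CHILDREN:
        hits.append("iis_spawned_" + basename(image).rsplit(".", 1)[0])
    if basename(image) == "smss.exe" and image.lower() != LEGIT_SMSS:
        hits.append("smss_masquerade")
    return hits


def hunt(lines) -> list:
    """Parse JSON lines and return (host, detection, command line) tuples."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for name in classify(ev):
            findings.append((ev.get("Computer", "?"), name, ev.get("CommandLine", "")))
    return findings


# Constructed sample events: three should alert, two are benign.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"Computer": "exch01", "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "exch01", "ParentImage": W3WP, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\lib.dll,Start"},
    {"Computer": "exch01", "ParentImage": W3WP, "Image": r"C:\Windows\Microsoft.NET\csc.exe",
     "CommandLine": "csc.exe /noconfig ..."},  # routine ASP.NET compile, no alert
    {"Computer": "dc01", "ParentImage": "System", "Image": r"C:\Windows\System32\smss.exe",
     "CommandLine": r"\SystemRoot\System32\smss.exe"},  # genuine smss.exe, no alert
    {"Computer": "ws07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\Temp\smss.exe", "CommandLine": r"C:\Windows\Temp\smss.exe"},
]]

if __name__ == "__main__":
    for host, name, cmdline in hunt(SAMPLE_LOG):
        print(f"{host}: {name}: {cmdline}")
```

In production the same two rules map onto Sysmon or Security 4688 telemetry in a SIEM; the parent-image field is the one that matters, since a shell launched by w3wp.exe is the web-shell signal the text describes.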
Conclusion and Implications
Shadow‑Earth‑053 exemplifies a persistent, methodical, China‑aligned espionage campaign that continues to leverage long‑known, unpatched vulnerabilities in Microsoft Exchange and IIS as a reliable entry point. By coupling these exploitable flaws with a robust arsenal of post‑compromise tools—web shells, ShadowPad, credential‑dumping utilities, and lateral‑movement scripts—the group has successfully penetrated ministries, defense‑adjacent contractors, technology firms, transportation networks, and even journalists across at least eight countries. The observed overlap with Shadow‑Earth‑054 and other intrusion sets underscores the scale and persistence of state‑sponsored actors targeting Asian governmental and critical‑infrastructure sectors.
For defenders, the lesson is clear: timely patching of Exchange/IIS, stringent privilege controls on web‑server processes, vigilant monitoring for anomalous IIS‑spawned activity, and proactive threat‑hunting using the supplied IOCs and queries are essential steps to mitigate risk. Treating this campaign as a strong signal to audit patch levels, review web‑shell detection capabilities, and scrutinize outbound traffic from web servers will help organizations close the gaps that Shadow‑Earth‑053 and similar threat actors continue to exploit.