Shadow-Earth-053 Espionage Campaign Exploiting Legacy Microsoft Infrastructure

Security researchers have identified a sophisticated, multi-stage espionage campaign orchestrated by a China-aligned threat actor designated as SHADOW-EARTH-053.

Since at least December 2024, this group has been actively targeting high-value sectors, including government institutions, critical infrastructure, and defense-adjacent IT providers across South, East, and Southeast Asia. Notably, the campaign’s reach extends beyond Asia, with confirmed activity against at least one NATO member state in Europe.

The campaign exhibits a strategic focus on supply-chain compromise. By targeting IT consulting firms that hold sensitive government contracts—specifically those servicing Ministries of Defense—the actors gain indirect access to the most secure networks in their target regions.

Technical analysis by TrendAI Research suggests a complex relationship between this group and a related intrusion set, SHADOW-EARTH-054. While nearly half of the victims show signs of prior compromise by SHADOW-EARTH-054, the overlapping tool hashes and identical techniques suggest these may be independent operations leveraging the same playbook rather than a single, tightly synchronized command structure.

Timeline of SHADOW-EARTH-053 and SHADOW-EARTH-054 activities (Source : TrendAI).
Timeline of SHADOW-EARTH-053 and SHADOW-EARTH-054 activities (Source : TrendAI).

Initial Access: The Persistence of N-Day Vulnerabilities

The primary entry vector for SHADOW-EARTH-053 involves the exploitation of “N-day” vulnerabilities—well-known bugs that remain unpatched in legacy or poorly maintained environments. The group heavily relies on the ProxyLogon vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) targeting internet-facing Microsoft Exchange and IIS servers.

Once a foothold is established, the actors deploy ASP.NET web shells to maintain persistent remote command execution. Common variants include the GODZILLA web shell, often masquerading under innocuous filenames such as error.aspx, warn.aspx, TimeinLogout.aspx, and tunnel.ashx. These shells typically run under the IIS worker process (w3wp.exe), serving as the foundation for the subsequent intrusion stages.

The group has also demonstrated operational flexibility by utilizing newer entry vectors, such as the exploitation of the “React2Shell” vulnerability (CVE-2025-55182), and delivering ShadowPad samples via remote access tools like AnyDesk.

Internal Reconnaissance and Payload Deployment

Post-compromise, the attackers move quickly to map the internal environment. Operating directly from the web shell, they conduct extensive Active Directory (AD) and Exchange reconnaissance. This includes:

  • Domain Enumeration: Utilizing nltest for domain controller discovery.
  • AD Data Exfiltration: Using csvde to export directory information.
  • User Mapping: Leveraging PowerView’s Get-DomainUser to identify high-value mailboxes.
  • Host Scanning: Deploying a custom, lightweight binary named DomainMachines.exe to scan for high-value systems over SMB, RDP, and Kerberos ports.
SHADOW-EARTH-053 and SHADOW-EARTH-054 targets (Source : TrendAI).
SHADOW-EARTH-053 and SHADOW-EARTH-054 targets (Source : TrendAI).

Malware Analysis: ShadowPad and DLL Sideloading

The centerpiece of this campaign is ShadowPad, a modular backdoor frequently linked to China-nexus actors like APT41. To evade traditional endpoint detection, SHADOW-EARTH-053 employs sophisticated DLL sideloading techniques. They utilize legitimate, digitally signed executables from trusted vendors—such as Microsoft and Samsung—to load malicious payloads. In one specific instance, a Toshiba Bluetooth binary (renamed CIATosBtKbd.exe) was used to sideload TosBtKbd.dll, which subsequently fetches shellcode from the Windows registry.

For lateral movement and network tunneling, the group utilizes a suite of proxy tools:

  • IOX: Used in conjunction with LocalAccountTokenFilterPolicy modifications to facilitate Pass-the-Hash attacks.
  • GOST and Wstunnel: Deployed from C:\Users\Public to establish redundant SOCKS and HTTPS tunnels to their Command-and-Control (C2) infrastructure.

Lateral Movement and Credential Harvesting

The attackers utilize Windows Management Instrumentation Command-line (WMIC) to push tools and backdoors to new hosts. They also employ Sharp-SMBExec and a suspected custom RDP launcher disguised as smss.exe. In some sophisticated maneuvers, the group has been observed propagating web shells to internal Exchange servers via administrative shares, effectively expanding their footprint without needing to download new, detectable implants.

To escalate privileges and harvest credentials, the group utilizes:

  • Evil-CreateDump: A modified version of Microsoft’s create-dump.exe used to dump LSASS memory.
  • Mimikatz: Executed via rundll32 from the IIS worker process.
  • newdcsync: A custom binary designed for DCSync-style attacks, allowing the theft of replication secrets directly from Domain Controllers.
Attribution overlap diagram showing connections between SHADOW-EARTH-054, CL-STA-0049, Earth Alux, and REF7707 (Source : TrendAI).
Attribution overlap diagram showing connections between SHADOW-EARTH-054, CL-STA-0049, Earth Alux, and REF7707 (Source : TrendAI).

Evasion and Defense Recommendations

To remain undetected, SHADOW-EARTH-053 employs the RingQ packer, utilizes domains that mimic security products, and renames standard system tools (like net.exe and PowerShell) to randomized .log filenames. There is also emerging, albeit low-confidence, evidence suggesting the group is experimenting with cross-platform capabilities via Linux NOODLERAT samples.

Defensive Priorities:

For organizations within the government, defense, or critical infrastructure sectors, this campaign highlights several critical security imperatives:

  1. Aggressive Patch Management: Prioritize the patching of all internet-facing Microsoft Exchange and IIS instances.
  2. Web Shell Hunting: Implement proactive hunting for unusual .aspx or .ashx files in web directories and monitor the w3wp.exe process for anomalous child processes.
  3. Monitor Lateral Movement: Audit the use of WMIC, administrative share access, and unauthorized RDP execution.
  4. Registry Integrity: Watch for unusual registry-resident payloads and modifications to LocalAccountTokenFilterPolicy.

Related Articles

Back to top button