
CRITICAL Attacks Trend Micro Research

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

The China-aligned threat group SHADOW-EARTH-053 exploits N-day vulnerabilities in internet-facing Microsoft Exchange servers, such as the ProxyLogon chain (CVE-2021-26855, CVSS 9.1; CVE-2021-26857, CVSS 7.8; CVE-2021-26858, CVSS 7.8), for initial access. Affected versions include Microsoft Exchange Server 2010, 2013, and 2016, as detailed in the NVD data. The group then deploys web shells and stages ShadowPad malware via DLL sideloading to maintain persistent access for cyberespionage against government and defense sectors.

APT & Targeted Attacks

A China-aligned threat group is exploiting unpatched Microsoft Exchange vulnerabilities to conduct cyberespionage against government and critical infrastructure targets across Asia and beyond.

By: Daniel Lunghi, Lucas Silva
Apr 30, 2026

Key takeaways

- A newly identified set of China-aligned campaigns is targeting government entities and critical infrastructure across South, East, and Southeast Asia, as well as one NATO member state. We are currently tracking this activity under the temporary intrusion set designation SHADOW-EARTH-053.
- Nearly half the targets were also compromised by a related intrusion set (SHADOW-EARTH-054), sharing identical tool hashes and overlapping TTPs, though evidence suggests independent exploitation of the same vulnerabilities rather than direct operational coordination.
- The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., the ProxyLogon chain), then deploys web shells (GODZILLA) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables.
- These older Microsoft Exchange vulnerabilities continue to serve as effective initial access vectors. SHADOW-EARTH-053's successful exploitation of these long-patched issues confirms that organizations still running legacy or unpatched Exchange servers remain at significant risk of mailbox compromise, credential theft, and prolonged attacker access.
Summary

Through ongoing analysis of ShadowPad implants targeting South and Southeast Asia, TrendAI™ Research has uncovered a series of new related campaigns that are tracked under a temporary intrusion set (a provisional cluster of related activity pending formal attribution) designated SHADOW-EARTH-053, which we assess to be aligned with China's broader strategic interests. Our telemetry indicates that this group has targeted government entities and critical infrastructure sectors across at least eight countries over the past year. Activity attributed to SHADOW-EARTH-053 has been traced back to at least December 2024, indicating the group has been operational for over a year. Our investigation yielded detailed insight into the attacker's tactics, techniques, and procedures (TTPs), including the attack flow, initial access vectors, and covert communication channels. While most observed targets were concentrated in Asia, the group's footprint extends beyond these areas: a European government belonging to NATO was also targeted. Given the target profiles, we assess that these operations are likely aimed at cyberespionage and intellectual property theft.

In nearly half of the targeted environments, we observed significant overlaps in TTPs and malware usage consistent with another temporary intrusion set, SHADOW-EARTH-054. This intrusion set has some network overlaps with CL-STA-0049 by Unit 42 and REF7707 by Elastic, two other intrusion sets that also have overlaps with Earth Alux (we examine these links in the "Attribution" section). While these activities often occurred in the same networks, the SHADOW-EARTH-054-related incidents frequently predated the deployment of ShadowPad implants by a few months. Despite this temporal gap, both intrusion sets share an arsenal of post-compromise tooling and the same initial access vector. A comprehensive analysis of these connections is provided below.
Attack chain

The following sections provide a detailed technical analysis of SHADOW-EARTH-053, covering its capabilities, TTPs, and operational characteristics.

Initial access

Our telemetry indicates that the group relies on exploiting external services to establish a foothold in target networks. We have observed them targeting server-based N-day vulnerabilities, such as the ProxyLogon chain targeting Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). Despite their age, these vulnerabilities remain effective in unpatched environments. After compromising the server, the group used its access to install web shells (such as GODZILLA) and deploy ShadowPad implants. These web shells serve as persistent backdoors, allowing the attacker to maintain access and execute commands on compromised systems.

The following is a representative list of common web shell filenames:

- error.aspx
- errorFE.aspx
- signout.aspx
- warn.aspx
- data.aspx
- page.aspx
- TimeinLogout.aspx
- timeout.aspx
- charcode.aspx
- tunnel.ashx
- i.aspx
- 2.aspx

The use of an .ashx HTTP handler represents a minor deviation from the .aspx web shells seen in earlier activity. These files were frequently found in the following directories:

- ?:\inetpub\wwwroot\aspnet_client\system_web
- ?:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

In one instance, ShadowPad samples were delivered via AnyDesk, a legitimate remote administration tool, suggesting the attacker either leveraged a prior compromise or obtained credentials through other means. The limited visibility into this intrusion prevents us from determining whether this represents an alternative initial access method or a later-stage deployment following an unobserved entry point.

Separately, we found Linux NOODLERAT samples that were reportedly dropped via the exploitation of CVE-2025-55182 (React2Shell). We attribute these samples to SHADOW-EARTH-053 with low confidence.
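The filename and directory list above is most useful as a hunt input. The following Python script is an added example, not code from the article or from Trend Micro: it walks a file inventory (a constructed SAMPLE_PATHS list standing in for a directory listing of an Exchange front-end host), flags the reported names anywhere on disk, and applies one heuristic that is an assumption of this example rather than a statement from the article: that aspnet_client\system_web holds client-side script assets and so any .aspx/.ashx file there deserves review.

```python
"""Hunt for the SHADOW-EARTH-053 web shell artefacts listed in the article.
Added example, not the article's or Trend Micro's code; SAMPLE_PATHS are constructed."""
import ntpath
from dataclasses import dataclass

# Web shell filenames reported in the article (lower-cased for matching).
WEBSHELL_NAMES = {
    "error.aspx", "errorfe.aspx", "signout.aspx", "warn.aspx", "data.aspx",
    "page.aspx", "timeinlogout.aspx", "timeout.aspx", "charcode.aspx",
    "tunnel.ashx", "i.aspx", "2.aspx",
}

# Drop directory reported in the article; the drive letter was not given ("?:"),
# so paths are compared after the drive is stripped. Assumption used as a
# heuristic below: this directory holds ASP.NET client-side script assets and
# does not normally contain server-side .aspx/.ashx files.
SYSTEM_WEB_DIR = r"\inetpub\wwwroot\aspnet_client\system_web".lower()


@dataclass
class Finding:
    path: str
    reason: str


def classify(path: str):
    """Return a reason string if the path deserves review, else None."""
    _drive, rest = ntpath.splitdrive(path)
    dirname, base = ntpath.split(rest.lower())
    if base in WEBSHELL_NAMES:
        # A name hit is a triage candidate, not a verdict: confirm by content/hash.
        return "filename matches a reported SHADOW-EARTH-053 web shell"
    if dirname == SYSTEM_WEB_DIR and base.endswith((".aspx", ".ashx")):
        return "server-side script in aspnet_client\\system_web (heuristic)"
    return None


def hunt_webshells(file_paths):
    """Run classify() over an inventory of full paths and collect findings."""
    return [Finding(p, r) for p in file_paths if (r := classify(p))]


# Constructed inventory mimicking a recursive listing of an Exchange front-end host.
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\SmartNav.js",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\x9.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\tunnel.ashx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"D:\data\reports\page.aspx",
]

if __name__ == "__main__":
    for f in hunt_webshells(SAMPLE_PATHS):
        print(f"{f.path}\n    -> {f.reason}")
```

Feed it the output of a recursive directory listing of the IIS and Exchange web roots; name hits should then be compared against a known-good install (hash or content) before being treated as confirmed web shells.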
Related details are in the "Linux NOODLERAT" section.

Discovery

In one case, the threat actor conducted extensive Active Directory and Exchange infrastructure reconnaissance directly via web shell access. Commands executed by the Internet Information Services (IIS) worker process (w3wp.exe) included domain admin group enumeration, domain controller discovery via nltest/dclist, and targeted nslookup queries against multiple internal Exchange servers. The attacker also deployed csvde.exe (a legitimate Windows utility) to export Active Directory objects to CSV format. It also used PowerView's Get-DomainUser cmdlet to enumerate user accounts and associated email addresses from a domain controller.

We also observed a custom binary named DomainMachines.exe enumerating machines in the domain through LDAP, then connecting directly to ports related to SMB (139, 445), web servers and proxies (80, 443, 8080, 8443), RDP (3389), WinRM (5985, 5986), MySQL (3306), MS SQL (1433), and Kerberos (88). The tool could not be retrieved for in-depth analysis; however, at only 28 KB, it appears to be a lightweight utility.

Backdoor access and malware toolkit

ShadowPad

The main malware family used by SHADOW-EARTH-053 was ShadowPad, an advanced modular malware that has been used by APT41 since 2017, before being shared among multiple China-aligned intrusion sets starting in 2019. The malware has undergone significant evolution over its lifetime; yet the variant used by SHADOW-EARTH-053 lacks the advanced obfuscation and anti-debugging features observed in builds deployed by other groups. This suggests the group has access only to an older builder, rather than the source code itself. This version is compiled for a 32-bit architecture and has been extensively documented.
Across observed intrusions, the threat actor consistently used the same loading mechanism, composed of three different files:

- A legitimate and signed file vulnerable to DLL sideloading
- A malicious DLL that loads the payload from the disk or from the registry
- The encrypted ShadowPad payload, which is stored in the registry and deleted after its first use

The following four vulnerable executables were abused:

SHA-256: 4264cfb3980a068ab36d842c7ee0942f40aaf308f31ed48b41e140e59885f5c8
  Original filename: GameHook.exe
  Threat actor filename: runtimebroker.exe, nvcontainer.exe
  Sideloaded DLL: graphics-hook-filter32.dll
  Authenticode signer: ORANGE VIEW LIMITED

SHA-256: 2e8f9fd8213d9f69044101cd029fd1797ec7afbcad40bb1f04eb93d881c04cd2
  Original filename: imecmnt.exe
  Threat actor filename: RuntimeBroker.exe, osppsvc.exe
  Sideloaded DLL: imjp14k.dll
  Authenticode signer: Microsoft Corporation

SHA-256: 8d9433e9734dd629d74abe41ff7024c84b3a28c45671df8f4baed344de733c78
  Original filename: xReport.exe
  Threat actor filename: N/A
  Sideloaded DLL: Uxtheme.dll
  Authenticode signer: Mainline Net Holdings Limited

SHA-256: d67197bf407e74ecd77be89d0da107d5f7d37c21bdf55456c6b57df65cf429b3
  Original filename: LUManager.EXE
  Threat actor filename: RAVCpl64.exe
  Sideloaded DLL: MPS.dll
  Authenticode signer: Samsung Electronics CO., LTD.

Table 1. Legitimate executables vulnerable to DLL sideloading abused by SHADOW-EARTH-053

The TosBtKbd.dll registry loader

SHADOW-EARTH-053 uses a legitimate Toshiba Bluetooth Stack executable, renamed to CIATosBtKbd.exe, to sideload a malicious DLL (TosBtKbd.dll). This loader employs a multistage evasion technique by retrieving its payload from the Windows Registry rather than embedding it within the binary. Upon execution, the loader calls GetComputerNameA to identify the host and access a machine-specific registry key at HKEY_CURRENT_USER\Software\[ComputerName]. From here, it retrieves a binary value named scode, which contains the shellcode payload. The malware then allocates memory using VirtualAlloc (configured with PAGE_EXECUTE_READWRITE permissions) and executes the shellcode via callback injection.
By passing the shellcode's address as a callback parameter to the legitimate Windows API function EnumDesktopsA, the malware tricks the operating system into executing the malicious code during standard desktop enumeration. This method avoids direct execution calls that often trigger security monitoring systems. Persistence was achieved via a Scheduled Task named M1onltor, configured to run the sideloaded binary every five minutes with the highest privileges. Note that the specific shellcode payload could not be retrieved for analysis.

The mdync.exe backdoor

In several attacks, an executable named mdync.exe was deployed on the victim's network. Although the file could not be retrieved for static analysis, endpoint telemetry reveals that the executable established beaconing connections to 141[.]164[.]46[.]77.
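The behaviours described in the Discovery, DLL sideloading, TosBtKbd.dll loader and mdync.exe sections each leave a distinct mark in endpoint telemetry. The Python below is an added example, not code from the article or from Trend Micro, that expresses them as detection rules over a simplified event schema (the dict layout and SAMPLE_EVENTS are constructed for this example; a real EDR or Sysmon export would need its fields mapped onto them). The rules use only values from the article: the Table 1 hashes and original filenames, the HKEY_CURRENT_USER\Software\[ComputerName] key with its scode value, the M1onltor task name, the discovery utilities run under w3wp.exe, and the mdync.exe beacon address.

```python
"""Correlate endpoint telemetry with SHADOW-EARTH-053 behaviours from the article.
Added example; event schema and SAMPLE_EVENTS are constructed, not real telemetry."""
import ntpath

# Table 1 of the article: SHA-256 of the abused signed executable -> its original
# filename. Any process with that hash but a different on-disk name is a renamed
# sideloading host (e.g. GameHook.exe deployed as runtimebroker.exe).
SIDELOAD_HOSTS = {
    "4264cfb3980a068ab36d842c7ee0942f40aaf308f31ed48b41e140e59885f5c8": "GameHook.exe",
    "2e8f9fd8213d9f69044101cd029fd1797ec7afbcad40bb1f04eb93d881c04cd2": "imecmnt.exe",
    "8d9433e9734dd629d74abe41ff7024c84b3a28c45671df8f4baed344de733c78": "xReport.exe",
    "d67197bf407e74ecd77be89d0da107d5f7d37c21bdf55456c6b57df65cf429b3": "LUManager.EXE",
}
BEACON_IP = "141.164.46.77"            # mdync.exe beacon destination (refanged)
TASK_NAME = "M1onltor"                 # scheduled task used for loader persistence
DISCOVERY_TOOLS = {"nltest.exe", "nslookup.exe", "csvde.exe"}  # run via the web shell


def _norm_key(key: str) -> str:
    # Accept both the long and short hive spellings, compare case-insensitively.
    return key.lower().replace("hkey_current_user", "hkcu")


def check_event(ev: dict) -> list:
    """Return a list of alert strings for one telemetry event."""
    alerts = []
    kind = ev["type"]
    if kind == "registry":
        # TosBtKbd.dll loader: binary value 'scode' under HKCU\Software\<ComputerName>
        expected = rf"hkcu\software\{ev['host'].lower()}"
        if _norm_key(ev["key"]) == expected and ev["value_name"].lower() == "scode":
            alerts.append("registry-staged shellcode (TosBtKbd.dll loader pattern)")
    elif kind == "task":
        if ev["name"] == TASK_NAME:
            alerts.append(f"scheduled task {TASK_NAME} (loader persistence)")
    elif kind == "process":
        img = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev.get("parent", "")).lower()
        original = SIDELOAD_HOSTS.get(ev.get("sha256", ""))
        if original and img != original.lower():
            alerts.append(f"renamed sideloading host {img} (originally {original})")
        if parent == "w3wp.exe" and img in DISCOVERY_TOOLS:
            alerts.append(f"AD discovery tool {img} spawned by IIS worker process")
    elif kind == "network":
        if ev["dst_ip"] == BEACON_IP:
            alerts.append(f"connection to reported beacon address {BEACON_IP} by {ev['image']}")
    return alerts


def scan(events) -> list:
    """Return (event index, alert) pairs for every rule that fires."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


# Constructed events: the odd-numbered ones are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry", "host": "FS01", "key": r"HKEY_CURRENT_USER\Software\FS01", "value_name": "scode"},
    {"type": "registry", "host": "FS01", "key": r"HKCU\Software\Vendor", "value_name": "scode"},
    {"type": "task", "name": TASK_NAME},
    {"type": "process", "image": r"C:\Users\Public\runtimebroker.exe", "parent": "explorer.exe",
     "sha256": "4264cfb3980a068ab36d842c7ee0942f40aaf308f31ed48b41e140e59885f5c8"},
    {"type": "process", "image": r"C:\Windows\System32\nltest.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "process", "image": r"C:\Windows\System32\nslookup.exe", "parent": "cmd.exe"},
    {"type": "network", "image": "mdync.exe", "dst_ip": BEACON_IP},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The hash-to-original-name rule is the most durable of the five, because it keys on the signed binary the attacker cannot change rather than on the name they choose; the task name, registry value name and beacon address are exact indicators from this campaign and should be expected to rotate.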
