SHADOW-EARTH-053

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to intrusion sets

· Published 04/05/2026 15:59 · Modified 04/05/2026 15:59 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 04/05/2026 15:59
Modified: 04/05/2026 15:59
Updated at: 04/05/2026 15:59
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 1 reports, 19 attack patterns (mitre), 7 malware, 4 sectors, 9 countries, 63 indicators, 5 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (1)

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government …

5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT

Published 30/04/2026 19:11 · Modified 04/05/2026 14:01

Attack patterns (MITRE) (19)

T1505.003 uses

Web Shell
T1090.001 uses

Internal Proxy
T1087.002 uses

Domain Account
T1078 uses

Valid Accounts
T1018 uses

Remote System Discovery
T1071.001 uses

Web Protocols
T1003.006 uses

DCSync
T1560.001 uses

Archive via Utility
T1114.002 uses

Remote Email Collection
T1003.002 uses

Security Account Manager
T1190 uses

Exploit Public-Facing Application
T1003.001 uses

LSASS Memory
T1053.005 uses

Scheduled Task
T1574.002 uses
T1041 uses

Exfiltration Over C2 Channel
T1021.002 uses

SMB/Windows Admin Shares
T1027 uses

Obfuscated Files or Information
T1047 uses

Windows Management Instrumentation
T1021.006 uses

Windows Remote Management

Malware (7)

VSHELL uses

Family

Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
GODZILLA uses

Family

Published 25/05/2026 08:08 · Modified 25/05/2026 08:08
NOODLERAT uses

Family

Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
IOX uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 04/05/2026 15:59 · Modified 04/05/2026 15:59
ShadowPad - S0596 uses

Family

Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
RingQ uses

Family

Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
POISONPLUG.SHADOW uses

Family

Published 30/04/2026 19:11 · Modified 30/04/2026 19:11

Sectors (4)

Defense targets
Technology targets
Transportation targets
Government targets

Countries (9)

India targets
Taiwan targets
Myanmar targets
British Indian Ocean Territory targets
Pakistan targets
Poland targets
Malaysia targets
Sri Lanka targets
Thailand targets

Indicators (63)

news.kaspersky.icu indicates
194.38.11.3 indicates
165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9 indicates
8d9433e9734dd629d74abe41ff7024c84b3a28c45671df8f4baed344de733c78 indicates
b8a2a9ca58fb2b383a52f8be75cae44f08f2c3f8907bd8661ee8a4a78fd7dda3 indicates
f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745 indicates
a65483b86847995a67de0fcb2a5487cdbc96361cb2e9dea8ab74005c8fef65ce indicates
55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd indicates
4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27 indicates
0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed indicates
check.dnsmaps.com indicates
75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51 indicates
dns.dnserver.life indicates
1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2 indicates
996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb indicates
cert.kaspersky.icu indicates
ww12.dnserver.life indicates
188c72b101cd8ad96ef971e8943bddb3acd9dc45fe1d8719217d171e600a29aa indicates
41f74c3fc32752b5c7b88e7a5723441cb827958bc21b647fffae469407f1ce99 indicates
ns2.group-ib.icu indicates
zimbra-beta.info indicates
2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255 indicates
www.kaspersky.icu indicates
03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116 indicates
ns1.group-ib.icu indicates
5bf35daaf26508fc136157818ead48cc5c7fa3a3e6273cde2c757673586a78a6 indicates
4264cfb3980a068ab36d842c7ee0942f40aaf308f31ed48b41e140e59885f5c8 indicates
check.office365-update.com indicates
time.microsofttrends.com indicates
d67197bf407e74ecd77be89d0da107d5f7d37c21bdf55456c6b57df65cf429b3 indicates
d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902 indicates
microsi0ft.com indicates
c935ded2729f0513672e261170d73d4e0e13a9b837f104d840c44a39b84c0d71 indicates
dns.dnsmap.icu indicates
2e8f9fd8213d9f69044101cd029fd1797ec7afbcad40bb1f04eb93d881c04cd2 indicates
4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265 indicates
97ea803792929f802388e9d0e75a3c79c28260d589bc2d87902c73c729ed6f9e indicates
f19a67b9c8805b335676f0fc17495839327f8135f791aa11d5d9adba2c83cc1c indicates
ns1.kaspersky.icu indicates
8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e indicates
26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16 indicates
e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020 indicates
0c63857269205f6505c259a56ea53b23b2bf7432aabb8647d59b321232ca7e36 indicates
3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a indicates
0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9 indicates
ns2.kaspersky.icu indicates
erp.kaspersky.icu indicates
83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3 indicates
zimbra.life indicates
www.group-ib.icu indicates
nslookup.dnserver.life indicates
router.dnserver.life indicates
96.9.125.227 indicates
5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe indicates
0eb72c1f1605d999488d903021d82a9ff4b937e6c1a1da50c55440f018e83ad9 indicates
a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89 indicates
update.kaspersky.icu indicates
3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97 indicates
9dda789b85fce6294f91a79b7271a93de36dfcef21fc680dc2bf4235141e47df indicates
23c2ebc8f9bac96b2fbbb9b00b457c48d65a9f66ec24fbfba339eeefd0539ad7 indicates
884601e54fc2e6833167d33436b68e952020cdb99507b2807feec1bc086027c2 indicates
0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403 indicates
eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b indicates

Vulnerabilities (CVE) (5)

CVE-2021-26857 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-55182 KEV

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2021-27065 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-26855 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-26858 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

Contact About Legal notice Privacy policy Terms of use