Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign…

216.73.217.22

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

· Published 30/04/2026 19:11 · Modified 04/05/2026 14:01

Essential information

Published: 30/04/2026 19:11
Modified: 04/05/2026 14:01
Tags: 2026-04-30 exchange server compromise godzilla godzilla webshell noodlerat proxylogon exploitation ringq shadowpad vshell
Related entities: 5 vulnerabilities (cve), 44 observables, 1 intrusion sets (apt), 19 techniques (mitre), 7 malware, 32 others

Description

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

Related entities

194.38.11.3
96.9.125.227
www.group-ib.icu
www.kaspersky.icu
165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9
c935ded2729f0513672e261170d73d4e0e13a9b837f104d840c44a39b84c0d71
3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97
d67197bf407e74ecd77be89d0da107d5f7d37c21bdf55456c6b57df65cf429b3
4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27
1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2
f19a67b9c8805b335676f0fc17495839327f8135f791aa11d5d9adba2c83cc1c
2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255
0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9
3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a
b8a2a9ca58fb2b383a52f8be75cae44f08f2c3f8907bd8661ee8a4a78fd7dda3
8d9433e9734dd629d74abe41ff7024c84b3a28c45671df8f4baed344de733c78
0eb72c1f1605d999488d903021d82a9ff4b937e6c1a1da50c55440f018e83ad9
83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3
97ea803792929f802388e9d0e75a3c79c28260d589bc2d87902c73c729ed6f9e
23c2ebc8f9bac96b2fbbb9b00b457c48d65a9f66ec24fbfba339eeefd0539ad7
e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020
4264cfb3980a068ab36d842c7ee0942f40aaf308f31ed48b41e140e59885f5c8
26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16
2e8f9fd8213d9f69044101cd029fd1797ec7afbcad40bb1f04eb93d881c04cd2
eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b
f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745
5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe
4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265
75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51
d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902
55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd
03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116
996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb
9dda789b85fce6294f91a79b7271a93de36dfcef21fc680dc2bf4235141e47df
188c72b101cd8ad96ef971e8943bddb3acd9dc45fe1d8719217d171e600a29aa
8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e
884601e54fc2e6833167d33436b68e952020cdb99507b2807feec1bc086027c2
5bf35daaf26508fc136157818ead48cc5c7fa3a3e6273cde2c757673586a78a6
a65483b86847995a67de0fcb2a5487cdbc96361cb2e9dea8ab74005c8fef65ce
0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403
a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89
0c63857269205f6505c259a56ea53b23b2bf7432aabb8647d59b321232ca7e36
41f74c3fc32752b5c7b88e7a5723441cb827958bc21b647fffae469407f1ce99
0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed