{ "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "slug": "inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia", "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...", "published": "2026-04-30T17:11:26+00:00", "created_at": "2026-04-30T17:11:26+00:00", "modified_at": "2026-05-04T12:01:21+00:00", "created_at_opencti": "2026-04-30T17:11:26+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2026-04-30", "exchange server compromise", "godzilla", "godzilla webshell", "noodlerat", "proxylogon exploitation", "ringq", "shadowpad", "vshell" ], "related_entities": { "observables": [ { "id": "", "name": "194.38.11.3" }, { "id": "", "name": "96.9.125.227" }, { "id": "", "name": "www.group-ib.icu" }, { "id": "", "name": "www.kaspersky.icu" }, { "id": "", "name": "165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9" }, { "id": "", "name": "c935ded2729f0513672e261170d73d4e0e13a9b837f104d840c44a39b84c0d71" }, { "id": "", "name": "3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97" }, { "id": "", "name": "d67197bf407e74ecd77be89d0da107d5f7d37c21bdf55456c6b57df65cf429b3" }, { "id": "", "name": "4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27" }, { "id": "", "name": "1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2" }, { "id": "", "name": "f19a67b9c8805b335676f0fc17495839327f8135f791aa11d5d9adba2c83cc1c" }, { "id": "", "name": "2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255" }, { "id": "", "name": "0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9" }, { "id": "", "name": "3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a" }, { "id": "", "name": "b8a2a9ca58fb2b383a52f8be75cae44f08f2c3f8907bd8661ee8a4a78fd7dda3" }, { "id": "", "name": "8d9433e9734dd629d74abe41ff7024c84b3a28c45671df8f4baed344de733c78" }, { "id": "", "name": "0eb72c1f1605d999488d903021d82a9ff4b937e6c1a1da50c55440f018e83ad9" }, { "id": "", "name": "83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3" }, { "id": "", "name": "97ea803792929f802388e9d0e75a3c79c28260d589bc2d87902c73c729ed6f9e" }, { "id": "", "name": "23c2ebc8f9bac96b2fbbb9b00b457c48d65a9f66ec24fbfba339eeefd0539ad7" }, { "id": "", "name": "e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020" }, { "id": "", "name": "4264cfb3980a068ab36d842c7ee0942f40aaf308f31ed48b41e140e59885f5c8" }, { "id": "", "name": "26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16" }, { "id": "", "name": "2e8f9fd8213d9f69044101cd029fd1797ec7afbcad40bb1f04eb93d881c04cd2" }, { "id": "", "name": "eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b" }, { "id": "", "name": "f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745" }, { "id": "", "name": "5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe" }, { "id": "", "name": "4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265" }, { "id": "", "name": "75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51" }, { "id": "", "name": "d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902" }, { "id": "", "name": "55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd" }, { "id": "", "name": "03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116" }, { "id": "", "name": "996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb" }, { "id": "", "name": "9dda789b85fce6294f91a79b7271a93de36dfcef21fc680dc2bf4235141e47df" }, { "id": "", "name": "188c72b101cd8ad96ef971e8943bddb3acd9dc45fe1d8719217d171e600a29aa" }, { "id": "", "name": "8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e" }, { "id": "", "name": "884601e54fc2e6833167d33436b68e952020cdb99507b2807feec1bc086027c2" }, { "id": "", "name": "5bf35daaf26508fc136157818ead48cc5c7fa3a3e6273cde2c757673586a78a6" }, { "id": "", "name": "a65483b86847995a67de0fcb2a5487cdbc96361cb2e9dea8ab74005c8fef65ce" }, { "id": "", "name": "0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403" }, { "id": "", "name": "a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89" }, { "id": "", "name": "0c63857269205f6505c259a56ea53b23b2bf7432aabb8647d59b321232ca7e36" }, { "id": "", "name": "41f74c3fc32752b5c7b88e7a5723441cb827958bc21b647fffae469407f1ce99" }, { "id": "", "name": "0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed" } ], "malware": [ { "id": "09d4835c-f210-450e-a87c-6ef43bd985d8", "name": "IOX", "slug": "iox" }, { "id": "legacy:malware:6396fdccbabb1618", "name": "NOODLERAT", "slug": "noodlerat" }, { "id": "legacy:malware:92b828cd8ebb8640", "name": "ShadowPad - S0596", "slug": "shadowpad-s0596" }, { "id": "legacy:malware:8751734eb3ace7ff", "name": "POISONPLUG.SHADOW", "slug": "poisonplugshadow" }, { "id": "legacy:malware:8e4a8ac9d4094a05", "name": "RingQ", "slug": "ringq" }, { "id": "legacy:malware:f5ad0dfc2e127b74", "name": "VSHELL", "slug": "vshell" }, { "id": "legacy:malware:fb27193ab6e0bb48", "name": "GODZILLA", "slug": "godzilla" } ], "intrusion_sets": [ { "id": "f1c91d18-d54b-4ae7-91cc-e9fbdcd140c7", "name": "SHADOW-EARTH-053", "slug": "shadow-earth-053" } ], "attack_patterns": [ { "id": "2ab37c37-62b9-4750-bfb0-c692ccdd36ac", "name": "T1114.002" }, { "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067", "name": "T1047" }, { "id": "9e6c4b38-f4e1-4b1f-b90a-222f881acbab", "name": "T1087.002" }, { "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3", "name": "T1021.002" }, { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "adac40c7-ef36-4a03-af99-079bc834463a", "name": "T1003.002" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "9643a7e9-771b-4396-83a3-26fcec5200e4", "name": "T1021.006" }, { "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5", "name": "T1053.005" }, { "id": "beaa4978-0309-438b-a45e-ec566b643811", "name": "T1505.003" }, { "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7", "name": "T1018" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62", "name": "T1190" }, { "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b", "name": "T1560.001" }, { "id": "219502b8-3f28-4cb2-bd07-7235cc46a138", "name": "T1003.006" }, { "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d", "name": "T1003.001" }, { "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d", "name": "T1574.002" }, { "id": "36d26fbc-439e-460e-bb28-0935ad0c1b8a", "name": "T1090.001" }, { "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e", "name": "T1041" } ], "vulnerabilities": [ { "id": "", "name": "CVE-2021-27065" }, { "id": "", "name": "CVE-2025-55182" }, { "id": "", "name": "CVE-2021-26858" }, { "id": "", "name": "CVE-2021-26855" }, { "id": "", "name": "CVE-2021-26857" } ], "others": [ { "id": "", "name": "Taiwan" }, { "id": "", "name": "India" }, { "id": "", "name": "British Indian Ocean Territory" }, { "id": "", "name": "Poland" }, { "id": "", "name": "Pakistan" }, { "id": "", "name": "Malaysia" }, { "id": "", "name": "Sri Lanka" }, { "id": "", "name": "Myanmar" }, { "id": "", "name": "Thailand" }, { "id": "", "name": "Technology" }, { "id": "", "name": "Defense" }, { "id": "", "name": "Transportation" }, { "id": "", "name": "Government" }, { "id": "", "name": "dns.dnsmap.icu" }, { "id": "", "name": "check.dnsmaps.com" }, { "id": "", "name": "update.kaspersky.icu" }, { "id": "", "name": "nslookup.dnserver.life" }, { "id": "", "name": "zimbra-beta.info" }, { "id": "", "name": "cert.kaspersky.icu" }, { "id": "", "name": "zimbra.life" }, { "id": "", "name": "ww12.dnserver.life" }, { "id": "", "name": "ns1.kaspersky.icu" }, { "id": "", "name": "microsi0ft.com" }, { "id": "", "name": "ns2.kaspersky.icu" }, { "id": "", "name": "time.microsofttrends.com" }, { "id": "", "name": "news.kaspersky.icu" }, { "id": "", "name": "dns.dnserver.life" }, { "id": "", "name": "erp.kaspersky.icu" }, { "id": "", "name": "check.office365-update.com" }, { "id": "", "name": "ns2.group-ib.icu" }, { "id": "", "name": "router.dnserver.life" }, { "id": "", "name": "ns1.group-ib.icu" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4", "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ] }