China-Aligned Shadow-Earth-053 Breached Exchange Servers for Long-Term Espionage
Trend Micro disclosed that the China-aligned cluster SHADOW-EARTH-053 compromised more than a dozen organizations in at least eight countries by exploiting vulnerable Microsoft Exchange and IIS servers, including the ProxyLogon chain, then deploying GODZILLA web shells and the ShadowPad backdoor to maintain access. Victims included government agencies, defense contractors, technology firms, transportation organizations, and at least one target in Poland, with activity observed from December 2024 through April 2026. Researchers said the intrusions resemble broader Chinese state-linked operations such as Salt Typhoon and Volt Typhoon and may support long-term espionage, prepositioning, and potential future disruption.
Post-compromise activity included DLL sideloading with a renamed Toshiba Bluetooth Stack executable, registry-resident shellcode execution via EnumDesktopsA callback injection, scheduled-task persistence, mailbox collection from Exchange, credential theft, and lateral movement using tools such as IOX, GOST, Wstunnel, Sharp-SMBExec, Mimikatz, and Evil-CreateDump. Trend Micro also identified overlap with a related cluster, SHADOW-EARTH-054, including shared tool hashes, reused vulnerabilities, and compromises at some of the same organizations, although the company assessed the relationship as overlapping exploitation rather than clearly coordinated operations. Defenders were urged to patch Exchange and IIS systems quickly and review IIS worker process activity, web-shell indicators, and other signs of stealthy post-exploitation.
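A starting point for the review Trend Micro recommends (IIS worker process activity and web-shell indicators on Exchange and IIS hosts), as an added example written for this page and not taken from the Trend Micro report or any of the tooling it names; it assumes default Exchange and IIS install paths and should be run as an administrator on the server being checked.

```powershell
# Added defensive hunt (not from the page or the Trend Micro research): list IIS
# worker process children and recently modified server-side script files.
# Assumes default install paths; adjust $WebRoots to match your layout.
param(
    [int]$Days = 30,
    [string[]]$WebRoots = @(
        'C:\inetpub\wwwroot',
        'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy',
        'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess'
    )
)

# 1. Children of the IIS worker process. w3wp.exe spawning a shell, script
#    host or credential-dumping tool is the classic sign of web-shell command
#    execution and should be triaged, not dismissed.
$procs    = Get-CimInstance Win32_Process
$w3wp     = $procs | Where-Object Name -eq 'w3wp.exe'
$children = foreach ($p in $w3wp) {
    $procs | Where-Object ParentProcessId -eq $p.ProcessId |
        Select-Object @{ n = 'Parent'; e = { "w3wp.exe($($p.ProcessId))" } },
                      Name, ProcessId, CommandLine
}
'== w3wp.exe child processes =='
$children | Format-Table -AutoSize

# 2. Server-side script files written recently under the web roots. A new or
#    modified .aspx/.ashx/.asmx that does not line up with a patch or deployment
#    window is a candidate web shell and should be pulled for analysis.
$since  = (Get-Date).AddDays(-$Days)
$recent = foreach ($root in $WebRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx `
                      -ErrorAction SilentlyContinue |
            Where-Object LastWriteTime -gt $since |
            Select-Object FullName, LastWriteTime, Length
    }
}
'== Web script files modified in the last {0} days ==' -f $Days
$recent | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Compare the file list against your deployment records and the process list against expected IIS behaviour; a hit in either section is a lead for fuller incident response, not proof of compromise on its own.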
How this story unfolded
10 events from the earliest known activity through the most recent confirmed update.
Shadow-Earth-053 begins intrusions across Asia and Poland
Trend Micro said the China-aligned cluster Shadow-Earth-053 had been active since at least December 2024, compromising more than a dozen organizations in at least eight countries. Targets included government agencies, defense contractors, technology firms, transportation organizations, and at least one victim in Poland.
Attackers exploit Exchange and IIS flaws to establish access
The campaign gained initial access by exploiting vulnerable or unpatched Microsoft Exchange and IIS servers, including the ProxyLogon vulnerability chain. After compromise, operators deployed web shells such as GODZILLA and used ShadowPad to maintain long-term access.
Shadow-Earth-053 conducts post-exploitation espionage operations
Following initial compromise, the attackers used DLL sideloading, registry-resident shellcode, scheduled tasks, credential theft, lateral movement, and mailbox collection from Exchange environments. Tooling observed included IOX, GOST, Wstunnel, Sharp-SMBExec, Mimikatz, Evil-CreateDump, WMIC, and a custom ExchangeExport utility.
Shadow-Earth-053 activity is still observed
Trend Micro reported that Shadow-Earth-053 intrusions were still being observed in April 2026, indicating the campaign remained active well over a year after it began. Researchers warned the operations resembled long-term Chinese espionage and possible prepositioning activity.
Overlap with related cluster Shadow-Earth-054 is identified
Researchers linked roughly half of the victims to a related cluster, Shadow-Earth-054, based on shared vulnerabilities, tool hashes, and overlapping tradecraft. Trend Micro assessed the relationship as overlapping but most likely independent exploitation of the same opportunities rather than coordinated operations.
Trend Micro publicly discloses Shadow-Earth-053 campaign
On April 30, 2026, Trend Micro published research detailing the Shadow-Earth-053 espionage campaign, its victimology, tooling, and links to Shadow-Earth-054. The company assessed the activity as aligned with China's strategic interests and urged organizations to patch Exchange and IIS systems or apply compensating controls.
Securonix discloses DEEP#DOOR Python backdoor framework
On April 30, 2026, Securonix revealed a newly identified Python-based Windows malware framework called DEEP#DOOR. The malware uses obfuscated batch scripts for delivery, establishes persistence through multiple Windows mechanisms, and uses the public tunneling service bore[.]pub for command-and-control.
Researchers detail DEEP#DOOR credential theft and evasion features
Securonix reported that DEEP#DOOR can steal browser passwords, cloud credentials, SSH keys, and Wi-Fi credentials while also patching AMSI and ETW, tampering with Defender, bypassing SmartScreen, clearing logs, and unhooking NTDLL. Researchers described it as a full-featured RAT suitable for long-term persistence, espionage, lateral movement, and post-exploitation, though the scale of attacks was unknown.
Shadow-Earth-053 activity observed continuing into May 2026
The Register's April 30, 2026 report said Trend Micro researchers were still seeing Shadow-Earth-053 activity as recently as May 2026. This extended the known duration of the China-linked intrusion campaign beyond the previously noted April 2026 activity.
Citizen Lab exposes GLITTER CARP and SEQUIN CARP phishing campaigns
On May 1, 2026, Citizen Lab reported two China-affiliated phishing clusters, GLITTER CARP and SEQUIN CARP, targeting journalists and civil society groups including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists. The campaigns used impersonation and fake security alerts to steal credentials or gain OAuth access, and Citizen Lab said the activity aligned with Chinese intelligence priorities, possibly involving commercial contractors.
Sources
10 open-source references tracked.
SHADOW-EARTH-053 Uses Legacy Exchange Exploitation to Target Asia-Pacific Governments (blog.polyswarm.io)
China-Aligned SHADOW-EARTH-053 Exploits Exchange Servers to Deploy ShadowPad Malware (cybersecuritynews.com)
China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists (thehackernews.com)
Deep#Door Stealer Harvests Browser Passwords, Cloud Tokens, SSH Keys, and Wi-Fi Credentials (cybersecuritynews.com)
China-Aligned Attackers Use ShadowPad, IOX Proxy, and WMIC in Multi-Stage Espionage Campaign (cybersecuritynews.com)
1 Campaign, 2 Targets: China's Cyber Operations Hit Asian Governments and Dissidents Abroad (thediplomat.com)
New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials (thehackernews.com)
Chinese spy group caught lurking in Poland, Asia networks (theregister.com)
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia (trendmicro.com)
Chinese spy group caught lurking in Poland, Asia networks (go.theregister.com)