China-Aligned Shadow-Earth-053 Breached Exchange Servers for Long-Term Espionage
Trend Micro disclosed that the China-aligned cluster Shadow-Earth-053 compromised more than a dozen organizations in at least eight countries by exploiting vulnerable Microsoft Exchange and IIS servers, including through the ProxyLogon exploit chain, then deploying GODZILLA web shells and the ShadowPad backdoor to maintain access. Victims included government agencies, defense contractors, technology firms and transportation organizations, most of them in Asia, with at least one target in Poland; activity was observed from December 2024 through April 2026. Researchers said the intrusions resemble broader Chinese state-linked operations such as Salt Typhoon and Volt Typhoon and may support long-term espionage, prepositioning and potential future disruption.
Post-compromise activity included DLL sideloading through a renamed Toshiba Bluetooth Stack executable, execution of shellcode stored in the registry by passing it as the callback to EnumDesktopsA, scheduled-task persistence, mailbox collection from Exchange, credential theft, and lateral movement using tools such as IOX, GOST, Wstunnel, Sharp-SMBExec, Mimikatz and Evil-CreateDump. Trend Micro also identified overlap with a related cluster, Shadow-Earth-054, including shared tool hashes, exploitation of the same vulnerabilities and compromises at some of the same organizations, but assessed the relationship as independent exploitation of the same opportunities rather than coordinated operations. Defenders were urged to patch Exchange and IIS promptly and to review IIS worker process (w3wp.exe) activity, web-shell indicators and other signs of stealthy post-exploitation.
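The review Trend Micro recommends (IIS worker process activity, web-shell indicators, sideloading and renamed binaries) can be expressed as a small hunt over endpoint telemetry. The block below is an added example written for this page; it is not Trend Micro's tooling or the actor's code. It uses Sysmon-style field names (EventID 1, 7 and 11; Image, ParentImage, ImageLoaded, TargetFilename, OriginalFileName) over constructed events, and the web root, the trusted directories, the child-process denylist and every file name in the sample data are assumptions to tune per environment rather than indicators from the report.

```python
"""Hunt for web-shell follow-on activity, DLL sideloading and renamed binaries
on an Exchange/IIS host using Sysmon-style process, image-load and file events.

Added example for this page; not Trend Micro's tooling or the actor's code.
Assumptions (tune per environment): the IIS web root, the directories treated
as trusted, and the set of child processes that w3wp.exe should never spawn.
"""
from __future__ import annotations
from typing import Iterable

WEB_ROOT = r"c:\inetpub\wwwroot"                     # assumption: default IIS root
WEBSHELL_EXT = (".aspx", ".ashx", ".asmx", ".asax")  # script types IIS executes
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe",
                  "wmic.exe", "reg.exe", "rundll32.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _base(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dir(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0] + "\\"


def _trusted(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_DIRS)


def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every event that matches a hunt rule."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # Sysmon process creation
            image, parent = ev["Image"], ev.get("ParentImage", "")
            # Rule 1: the IIS worker process should not launch shells or
            # persistence/discovery utilities; a web shell is the usual cause.
            if _base(parent) == "w3wp.exe" and _base(image) in SHELL_CHILDREN:
                hits.append(("iis_worker_spawned_shell",
                             f"{parent} -> {ev.get('CommandLine', image)}"))
            # Rule 2: the PE version resource's OriginalFileName disagrees with
            # the on-disk name and the binary runs from an untrusted directory:
            # the shape of a renamed legitimate executable staged for sideloading.
            orig = ev.get("OriginalFileName", "").lower()
            if orig and orig != _base(image) and not _trusted(image):
                hits.append(("renamed_binary",
                             f"{image} (OriginalFileName={orig})"))
        elif eid == 7:  # Sysmon image load
            image, loaded = ev["Image"], ev["ImageLoaded"]
            # Rule 3: a DLL loaded from the process's own untrusted directory
            # is the classic sideloading pattern.
            if not _trusted(loaded) and _dir(loaded) == _dir(image):
                hits.append(("possible_dll_sideload", f"{image} loaded {loaded}"))
        elif eid == 11:  # Sysmon file creation
            target = _norm(ev["TargetFilename"])
            # Rule 4: a new server-side script under the web root is a
            # candidate web shell, whichever process wrote it.
            if target.startswith(WEB_ROOT) and target.endswith(WEBSHELL_EXT):
                hits.append(("webroot_script_written",
                             f"{ev.get('Image', '?')} wrote {ev['TargetFilename']}"))
    return hits


# Constructed events for the example; field names follow Sysmon, every value
# (paths, file names, command lines) is invented, not taken from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami", "OriginalFileName": "Cmd.Exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",           # benign ASP.NET
     "CommandLine": "csc.exe /noconfig", "OriginalFileName": "csc.exe"},  # page compile
    {"EventID": 1, "Image": r"C:\ProgramData\Intel\svchost.exe",       # hypothetical
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "svchost.exe", "OriginalFileName": "BtStackSrv.exe"},
    {"EventID": 7, "Image": r"C:\ProgramData\Intel\svchost.exe",       # hypothetical
     "ImageLoaded": r"C:\ProgramData\Intel\BtStackCore.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",        # benign
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\error.aspx"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign csc.exe event is included deliberately: w3wp.exe legitimately spawns the C# compiler for ASP.NET page compilation, so rule 1 keys on a denylist of children rather than on any child of the worker process. Rule 2 only fires outside trusted directories because installers and vendor updaters routinely carry an OriginalFileName that differs from the installed name.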
Timeline
May 1, 2026
Citizen Lab exposes GLITTER CARP and SEQUIN CARP phishing campaigns
On May 1, 2026, Citizen Lab reported two China-affiliated phishing clusters, GLITTER CARP and SEQUIN CARP, targeting journalists and civil society groups, including Uyghur, Tibetan, Taiwanese and Hong Kong diaspora activists. The campaigns used impersonation and fake security alerts to steal credentials or obtain OAuth access, and Citizen Lab said the activity aligned with Chinese intelligence priorities and possibly involved commercial contractors.
Apr 30, 2026
Researchers detail DEEP#DOOR credential theft and evasion features
Securonix reported that DEEP#DOOR can steal browser passwords, cloud credentials, SSH keys, and Wi-Fi credentials while also patching AMSI and ETW, tampering with Defender, bypassing SmartScreen, clearing logs, and unhooking NTDLL. Researchers described it as a full-featured RAT suitable for long-term persistence, espionage, lateral movement, and post-exploitation, though the scale of attacks was unknown.
Apr 30, 2026
Securonix discloses DEEP#DOOR Python backdoor framework
On April 30, 2026, Securonix revealed a newly identified Python-based Windows malware framework called DEEP#DOOR. The malware uses obfuscated batch scripts for delivery, establishes persistence through multiple Windows mechanisms, and uses the public tunneling service bore[.]pub for command-and-control.
Apr 30, 2026
Trend Micro publicly discloses Shadow-Earth-053 campaign
On April 30, 2026, Trend Micro published research detailing the Shadow-Earth-053 espionage campaign, its victimology, tooling, and links to Shadow-Earth-054. The company assessed the activity as aligned with China's strategic interests and urged organizations to patch Exchange and IIS systems or apply compensating controls.
Apr 30, 2026
Overlap with related cluster Shadow-Earth-054 is identified
Researchers linked roughly half of the victims to a related cluster, Shadow-Earth-054, based on shared vulnerabilities, tool hashes, and overlapping tradecraft. Trend Micro assessed the relationship as overlapping but most likely independent exploitation of the same opportunities rather than coordinated operations.
Apr 1, 2026
Shadow-Earth-053 activity is still observed
Trend Micro reported that Shadow-Earth-053 intrusions were still being observed in April 2026, indicating the campaign remained active well over a year after it began. Researchers warned the operations resembled long-term Chinese espionage and possible prepositioning activity.
Dec 1, 2024
Shadow-Earth-053 conducts post-exploitation espionage operations
Following initial compromise, the attackers used DLL sideloading, registry-resident shellcode, scheduled tasks, credential theft, lateral movement, and mailbox collection from Exchange environments. Tooling observed included IOX, GOST, Wstunnel, Sharp-SMBExec, Mimikatz, Evil-CreateDump, WMIC, and a custom ExchangeExport utility.
Dec 1, 2024
Attackers exploit Exchange and IIS flaws to establish access
The campaign gained initial access by exploiting vulnerable or unpatched Microsoft Exchange and IIS servers, including the ProxyLogon vulnerability chain. After compromise, operators deployed web shells such as GODZILLA and used ShadowPad to maintain long-term access.
Dec 1, 2024
Shadow-Earth-053 begins intrusions across Asia and Poland
Trend Micro said the China-aligned cluster Shadow-Earth-053 had been active since at least December 2024, compromising more than a dozen organizations in at least eight countries. Targets included government agencies, defense contractors, technology firms, transportation organizations, and at least one victim in Poland.
Sources
Trend Micro Research
Related Stories

TGR-STA-1030 “Shadow Campaigns” Global Cyberespionage Using ShadowGuard Rootkit
A large-scale cyberespionage operation tracked as **TGR-STA-1030** (also **UNC6619**) has been reported compromising government and critical-infrastructure organizations across **37 countries**, with broader reconnaissance activity against government infrastructure in **155 countries**. The operation—described as “**Shadow Campaigns**”—uses **phishing** (often impersonating government entities) and **N-day vulnerability exploitation** across multiple enterprise and edge products (including **SAP**, **Microsoft Exchange**, and **D-Link**) to gain initial access, then deploys tooling for persistence, lateral movement, and stealth. Post-compromise activity includes deployment of **Diaoyu Loader** to stage frameworks and remote admin tooling such as **Cobalt Strike** and **VShell**, plus web shells and tunneling utilities. A notable capability is **ShadowGuard**, a **Linux eBPF rootkit** used for kernel-level stealth. Reporting also indicates Palo Alto Networks’ Unit 42 assessed the actor as **state-aligned and operating out of Asia**, citing indicators such as tooling, language preferences, activity patterns aligned to **GMT+8**, and infrastructure linkages; separate reporting claims Unit 42 initially connected the campaign more directly to **China** but softened public attribution due to concerns about potential retaliation following Chinese restrictions on certain foreign cybersecurity vendors’ software.
1 month ago
Chinese Espionage Campaign CL-UNK-1068 Targeting Asian Critical Infrastructure via Web Server Exploitation
Palo Alto Networks Unit 42 reported a **previously undocumented Chinese threat actor**, tracked as **CL-UNK-1068**, conducting a multi-year intrusion campaign (observed since at least 2020) against high-value organizations across **South, Southeast, and East Asia**. Targeted sectors include **aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications**, with Unit 42 assessing **moderate-to-high confidence** that the primary objective is **cyber espionage** (while not fully ruling out criminal motives). The assessment cites tool provenance, linguistic artifacts in configurations, and consistent long-term targeting of Asian critical infrastructure as key factors supporting attribution. The activity features exploitation of **internet-facing web servers** to deploy **web shells** and establish persistence across both Windows and Linux environments, using a mix of custom malware, modified open-source tools, and **living-off-the-land binaries (LOLBINs)**. Reported tooling includes **Godzilla** and **ANTSWORD** web shells, the **Xnote** Linux backdoor, and **Fast Reverse Proxy (FRP)** for tunneling/relay; post-compromise behavior includes lateral movement and targeted file theft from Windows web servers (e.g., `c:\inetpub\wwwroot`) focusing on files such as `web.config`, `.aspx`, `.asmx`, `.asax`, and `.dll`, consistent with credential access and follow-on exploitation discovery.
1 month ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
1 month ago