Full Report
Researchers from Trend Micro uncovered an ongoing cyberespionage campaign, tracked as Shadow-Earth-053, attributed to a China-aligned threat cluster... The post Shadow-Earth-053 targets Asian government, defense, critical infrastructure via Exchange and IIS vulnerabilities appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Shadow-Earth-053
## Attribution & Identity
- **Name/Alias:** Shadow-Earth-053
- **Attribution:** China-aligned threat cluster.
- **Associated Groups/Aliases:**
- High overlap with cluster **SHADOW-EARTH-054** (frequently seen in the same networks).
- Network and TTP overlaps with **CL-STA-0049** (Unit 42), **REF7707** (Elastic), and **Earth Alux** (Trend Micro).
## Activity Summary
Shadow-Earth-053 is an ongoing cyberespionage campaign traced back to at least December 2024. The group specializes in gaining long-term persistence within high-value networks to conduct geopolitical surveillance. They frequently leverage known vulnerabilities in internet-facing servers to deploy backdoors, with recent spikes in activity targeting Asian administrative and defense sectors.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of external-facing services (N-day vulnerabilities). Specifically targets the ProxyLogon chain in Microsoft Exchange and vulnerabilities in IIS servers.
- **Persistence:** Implementation of Web Shells to maintain access and execute remote commands.
- **Execution & Deployment:** Deployment of the ShadowPad implant for sophisticated, long-term backdoor capabilities.
- **Lateral Movement & Arsenal:** Shares a post-compromise toolkit with Shadow-Earth-054, including various credential harvesting and reconnaissance tools.
- **MITRE ATT&CK IDs (Inferred from text):**
- T1190: Exploit Public-Facing Application
- T1505.003: Server Software Component: Web Shell
- T1071: Application Layer Protocol (Covert communication channels)
- T1588.006: Obtain Capabilities: Vulnerabilities (ProxyLogon)
## Targeting
- **Sectors:** Government, defense, critical infrastructure, technology (specifically IT consulting firms with government contracts), transportation, journalism, and civil society activists.
- **Geography:** Primarily South, East, and Southeast Asia.
- Specific countries: Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan.
- Global reach: At least one identified target in Poland (NATO member state).
- **Victims:** Regional ministries, defense organizations, and individuals reporting on China-related issues.
## Tools & Infrastructure
- **Malware Families:**
- **ShadowPad:** Primary modular backdoor.
- **GODZILLA:** Web shell used for persistent remote command execution.
- **Squidoor:** (Associated via CL-STA-0049 overlaps).
- **Infrastructure:**
- Exploited Microsoft Exchange Servers.
- Exploited IIS (Internet Information Services) Servers.
- *Note: Specific defanged IPs/domains were not detailed in the provided article text.*
## Implications
The campaign represents a strategic effort by China-aligned actors to monitor geopolitical developments and influence operations within Asia and select NATO partners. By targeting IT consulting firms, the actor likely aims to facilitate supply-chain compromises to reach broader government targets. The use of N-day vulnerabilities suggests the group effectively capitalizes on slow patch cycles in complex critical infrastructure environments.
## Mitigations
- **Patch Management:** Prioritize immediate patching of Microsoft Exchange (specifically CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) and IIS vulnerabilities.
- **Web Shell Detection:** Implement file integrity monitoring (FIM) and scan web server directories for unauthorized scripts (e.g., GODZILLA).
- **Network Segmentation:** Isolate internet-facing servers (Exchange/IIS) from sensitive internal network segments to prevent lateral movement.
- **Credential Monitoring:** Audit service accounts and monitor for unusual credential harvesting activity following the detection of web shell fragments.