Shadow-Earth-053

SHADOW-EARTH-053 is a China-aligned cyberespionage threat cluster temporarily designated by Trend Micro/TrendAI. The activity has been observed since at least December 2024 and has targeted government agencies, ministries, defense-adjacent contractors, defense-sector organizations, critical infrastructure, transportation entities, technology firms, and IT consulting firms. Reported victim countries include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland. Additional targeting included journalists and diaspora activists, with parallel phishing activity linked in reporting to Glitter Carp and Sequin Carp. The group primarily gains initial access by exploiting unpatched internet-facing Microsoft Exchange Server and IIS systems, including the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). After compromise, it deploys GODZILLA web shells and other ASPX/ASHX web shells for persistence and command execution, conducts reconnaissance through IIS worker processes, and performs mailbox discovery and export via Exchange Web Services using a custom ExchangeExport tool. SHADOW-EARTH-053 deploys ShadowPad as its primary malware, commonly via DLL sideloading chains using legitimate signed executables, including renamed Toshiba Bluetooth Stack components such as CIATosBtKbd.exe loading TosBtKbd.dll. Reporting also describes use of executables associated with Samsung Electronics, Mainline Net Holdings, GameHook.exe, imecmnt.exe, xReport.exe, and LUManager.EXE. In observed cases, the malicious DLL retrieves encrypted payloads from the Windows Registry, executes shellcode via EnumDesktopsA callback injection, and persistence is maintained through a scheduled task named "M1onltor" running every five minutes with elevated privileges. Post-compromise tradecraft includes Active Directory and Exchange reconnaissance, domain controller and domain admin enumeration, LDAP and csvde.exe-based discovery, PowerView-based user enumeration, credential theft with Mimikatz, Evil-CreateDump, and newdcsync, and lateral movement using WMIC, Sharp-SMBExec, custom RDP tooling, and propagation of web shells across internal Exchange servers via administrative SMB shares. The operators also use multiple tunneling and proxy tools, including IOX Proxy, GOST, Wstunnel, and tunnel-core.exe variants, and have used RingQ to pack binaries and evade detection. Reporting also notes use of AnyDesk in at least one intrusion and low-confidence attribution of Linux NOODLERAT deployment in exploitation associated with React2Shell. Trend Micro reported overlaps with the related cluster SHADOW-EARTH-054, including shared victims, identical tool hashes, overlapping TTPs, and infrastructure overlap; however, the reporting states there was no evidence of direct operational coordination and that the overlap may reflect parallel exploitation of the same exposed environments. Other reported overlaps involve activity tracked as CL-STA-0049, REF7707, and Earth Alux.