
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

SHADOW-EARTH-053 is a China-aligned cyberespionage campaign exploiting legacy N-day vulnerabilities in Microsoft Exchange and IIS servers to target government and defense sectors primarily in Asia. The threat actors utilize GODZILLA web shells for persistence and deploy ShadowPad implants via DLL sideloading, sharing significant operational overlaps with another intrusion set tracked as SHADOW-EARTH-054.

Sens: Immediate · Conf: high · Analyzed: 2026-04-30

Authors: Daniel Lunghi, Lucas Silva

Actors: SHADOW-EARTH-053, SHADOW-EARTH-054, APT41, CL-STA-0049, REF7707, Earth Alux, Silk Typhoon

Source: Trend Micro

IOCs · 15

Detection / Hunter

What Happened

A cyber espionage group known as SHADOW-EARTH-053 has been attacking government and defense organizations, mostly in Asia. They break into networks by taking advantage of older, unpatched flaws in Microsoft Exchange email servers. This matters because the attackers can steal sensitive information, read emails, and maintain long-term secret access to the compromised networks. Organizations should immediately apply security updates to their email servers and monitor for suspicious files to protect themselves.

Key Takeaways

  • SHADOW-EARTH-053 is a China-aligned cyberespionage group targeting government and defense sectors in Asia and Poland.
  • The group exploits N-day Microsoft Exchange and IIS vulnerabilities (e.g., ProxyLogon) for initial access.
  • Post-compromise activity involves deploying GODZILLA web shells and staging ShadowPad implants via DLL sideloading.
  • Significant TTP and victimology overlaps exist with another intrusion set, SHADOW-EARTH-054, suggesting independent exploitation of the same targets.

Affected Systems

  • Microsoft Exchange Server
  • Internet Information Services (IIS)
  • Windows Active Directory environments

Vulnerabilities (CVEs)

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065
  • CVE-2025-55182

Attack Chain

The attackers gain initial access by exploiting N-day vulnerabilities in Microsoft Exchange and IIS servers, such as the ProxyLogon chain. They deploy GODZILLA web shells for persistent access and conduct discovery using tools like PowerView and custom LDAP enumerators. For deeper access, they stage ShadowPad implants via DLL sideloading of legitimate signed executables, storing the encrypted payload in the Windows Registry. Finally, they use tools like IOX, GOST, and Wstunnel for C2 communication, and extract credentials and mailbox data using Mimikatz, Evil-CreateDump, and custom EWS export tools.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Trend Micro Vision One

The article provides a Trend Micro Vision One hunting query to detect possible web shells created by the IIS worker process.

Detection Engineering Assessment

  • EDR Visibility: High — The attack involves significant process creation (w3wp.exe spawning cmd/powershell), DLL sideloading, scheduled task creation, and credential dumping, all of which are highly visible to modern EDRs.
  • Network Visibility: Medium — While initial exploitation and web shell traffic might blend with normal web traffic, the use of custom tunneling tools (GOST, Wstunnel) and connections to known C2 IPs can be detected with network monitoring.
  • Detection Difficulty: Moderate — The reliance on renamed legitimate binaries and DLL sideloading complicates detection, but the noisy initial access via IIS/Exchange and the use of known tools like Mimikatz provide solid detection opportunities.

Required Log Sources

  • Windows Security Event Log (Event ID 4688)
  • Sysmon (Event ID 1, 3, 11)
  • IIS Access Logs

Hunting Hypotheses

  • Hypothesis: Look for the IIS worker process (w3wp.exe) spawning suspicious child processes like cmd.exe, powershell.exe, or reconnaissance tools. | Telemetry: Process Creation (Event ID 4688 / Sysmon Event ID 1) | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Search for the creation of executable server-side scripts (.aspx, .ashx) in critical web directories like C:\inetpub\wwwroot or Exchange Client Access paths. | Telemetry: File Creation (Sysmon Event ID 11) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Identify renamed system utilities by looking for processes executing from C:\ProgramData with randomized names and a .log extension. | Telemetry: Process Creation (Event ID 4688 / Sysmon Event ID 1) | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Detect the creation of scheduled tasks with the name 'M1onltor' configured to run with highest privileges. | Telemetry: Scheduled Task Creation (Event ID 4698) | ATT&CK Stage: Persistence | FP Risk: Low
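The four hypotheses above as runnable hunting logic, added here as an example and not part of the Trend Micro report or its Vision One query. The events are constructed, simplified dictionaries modelled on Sysmon Event ID 1 (process creation), Sysmon Event ID 11 (file creation) and Security Event ID 4698 (scheduled task created); the field names (parent_image, image, target_filename, task_name, run_level) and the hypothesis labels are this example's own, not the raw event schema. The set of suspicious child processes is an assumption that goes slightly beyond the page (it adds nltest.exe, net.exe, whoami.exe and rundll32.exe to cmd.exe and powershell.exe, all of which appear elsewhere on the page as tools the actor ran).

```python
"""Hunting checks for the SHADOW-EARTH-053 hypotheses, run over constructed sample events."""
import re
from typing import Callable, Dict, List, Tuple

# Web roots in which the worker process should never create a server-side script (hypothesis 2)
WEB_ROOTS = (
    r"c:\inetpub\wwwroot",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
)
SCRIPT_EXTS = (".aspx", ".ashx", ".jsp")
# Shells and reconnaissance utilities w3wp.exe has no business launching (hypothesis 1; assumed set)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "nltest.exe", "net.exe", "whoami.exe", "rundll32.exe"}
# Renamed system utility staged as C:\ProgramData\<random>.log (hypothesis 3)
RENAMED_IN_PROGRAMDATA = re.compile(r"^c:\\programdata\\[a-z0-9]{4,}\.log$", re.I)
MALICIOUS_TASK = "m1onltor"  # hypothesis 4


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_w3wp_spawning_shell(event: Dict) -> bool:
    """Hypothesis 1: IIS worker process spawning a shell or recon tool."""
    if event.get("event_id") != 1:
        return False
    return (_basename(event.get("parent_image", "")) == "w3wp.exe"
            and _basename(event.get("image", "")) in SUSPICIOUS_CHILDREN)


def is_script_dropped_in_web_root(event: Dict) -> bool:
    """Hypothesis 2: executable script created under an IIS/Exchange web directory."""
    if event.get("event_id") != 11:
        return False
    target = event.get("target_filename", "").lower()
    return target.startswith(WEB_ROOTS) and target.endswith(SCRIPT_EXTS)


def is_renamed_utility(event: Dict) -> bool:
    """Hypothesis 3: process image is a randomly named .log file directly under C:\\ProgramData."""
    return event.get("event_id") == 1 and bool(RENAMED_IN_PROGRAMDATA.match(event.get("image", "")))


def is_m1onltor_task(event: Dict) -> bool:
    """Hypothesis 4: scheduled task named M1onltor registered to run with highest privileges."""
    return (event.get("event_id") == 4698
            and _basename(event.get("task_name", "")) == MALICIOUS_TASK
            and event.get("run_level") == "HighestAvailable")


CHECKS: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("w3wp_spawning_shell", is_w3wp_spawning_shell),
    ("script_in_web_root", is_script_dropped_in_web_root),
    ("renamed_utility", is_renamed_utility),
    ("m1onltor_task", is_m1onltor_task),
]


def hunt(events: List[Dict]) -> List[Dict]:
    """Apply every check to every event; return one finding per (event, matching hypothesis)."""
    findings = []
    for event in events:
        for name, check in CHECKS:
            if check(event):
                findings.append({"hypothesis": name, "event": event})
    return findings


# Constructed sample telemetry: four malicious events interleaved with three benign ones
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c nltest /dclist"},
    {"event_id": 1, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"event_id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target_filename": r"C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx"},
    {"event_id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target_filename": r"C:\inetpub\temp\IIS Temporary Compressed Files\site\page.gz"},
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\ProgramData\x8k2q.log", "command_line": r"C:\ProgramData\x8k2q.log user /domain"},
    {"event_id": 4698, "task_name": r"\M1onltor", "run_level": "HighestAvailable"},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "run_level": "HighestAvailable"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["hypothesis"], "->", finding["event"])
```

In production these checks would be expressed in the SIEM's query language over the log sources listed below; the point of the Python form is that each hypothesis reduces to a parent/child, path-prefix-plus-extension, path-pattern or task-name test, which is also why the page rates their false-positive risk as low.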

Control Gaps

  • Lack of Virtual Patching/WAF for legacy Exchange servers
  • Insufficient File Integrity Monitoring on IIS directories

Key Behavioral Indicators

  • w3wp.exe spawning command shells
  • Renamed binaries in C:\ProgramData
  • Scheduled task named M1onltor
  • Modification of LocalAccountTokenFilterPolicy registry value

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply the latest security updates and cumulative patches to Microsoft Exchange and IIS servers.
  • Deploy IPS or WAF rules to block exploit attempts against ProxyLogon and related CVEs.
  • Scan Exchange and IIS directories for suspicious .aspx, .ashx, or .jsp files.

Infrastructure Hardening

  • Implement File Integrity Monitoring (FIM) on critical web directories.
  • Restrict permissions for the IIS worker process (w3wp.exe) to prevent arbitrary directory writes.
  • Disable unused IIS modules and handlers.
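A minimal File Integrity Monitoring routine covering the "scan Exchange and IIS directories for suspicious .aspx, .ashx, or .jsp files" mitigation above and the FIM recommendation in this list, added as an example that is not part of the report or of any Trend Micro product. It baselines a web root as a SHA-256 manifest, diffs a later manifest against it, and raises the set of server-side script files that appeared or changed, which is how a dropped file such as error.aspx or tunnel.ashx surfaces. The web root, its files and the "later" changes are constructed in a temporary directory so the block runs offline; the file names are placeholders, and the dropped .aspx contains only an inert marker string.

```python
"""Baseline-and-diff File Integrity Monitoring for IIS/Exchange web directories."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple

# Server-side script types that must never appear or change outside a planned deployment
SCRIPT_EXTS = {".aspx", ".ashx", ".jsp"}


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative, POSIX-style path) to its SHA-256 hex digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": cur_paths - base_paths,
        "removed": base_paths - cur_paths,
        "modified": {p for p in base_paths & cur_paths if baseline[p] != current[p]},
    }


def flag_script_changes(diff: Dict[str, Set[str]]) -> Set[str]:
    """The alert set: script files that appeared or changed since the baseline."""
    return {p for p in diff["added"] | diff["modified"] if Path(p).suffix.lower() in SCRIPT_EXTS}


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Constructed scenario: baseline a small web root, then simulate the changes FIM should catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline content standing in for a real web root
        _write(root, "web.config", b"<configuration/>")
        _write(root, "owa/auth/logon.aspx", b"<%@ Page Language=\"C#\" %> placeholder logon page")
        _write(root, "aspnet_client/system_web/readme.txt", b"static content")
        baseline = build_manifest(root)

        # Later: a new script lands in system_web, a legitimate page is altered, a log rotates in
        _write(root, "aspnet_client/system_web/error.aspx", b"CONSTRUCTED PLACEHOLDER - inert marker, not a web shell")
        _write(root, "owa/auth/logon.aspx", b"<%@ Page Language=\"C#\" %> placeholder logon page <!-- altered -->")
        _write(root, "logs/app.log", b"2026-04-30 request ok")

        diff = compare_manifests(baseline, build_manifest(root))
        return diff, flag_script_changes(diff)


if __name__ == "__main__":
    changes, alerts = demo()
    for kind, paths in changes.items():
        print(f"{kind}: {sorted(paths)}")
    print("script alerts:", sorted(alerts))
```

The baseline must be taken from a known-good state and stored off-host (or at least outside the web root), and refreshed only through the deployment process; the log file shows up in the diff but not in the alert set, which is the distinction that keeps this check at a low false-positive rate on a busy IIS server.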

User Protection

  • Monitor and restrict access to staging directories like C:\ProgramData, C:\Users\Public, and C:\Windows\Temp.
  • Enforce application whitelisting to prevent unauthorized binaries from executing.

Security Awareness

  • Educate security teams on the risks of N-day vulnerabilities and the importance of timely patching for internet-facing assets.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1505.003 - Server Software Component: Web Shell
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1003.001 - OS Credential Dumping: LSASS Memory
  • T1003.002 - OS Credential Dumping: Security Account Manager
  • T1090 - Proxy
  • T1114.002 - Email Collection: Remote Email Collection
  • T1036.003 - Masquerading: Rename System Utilities

Additional IOCs

  • IPs:
    • 141[.]164[.]46[.]77 - C2 server for the mdync.exe backdoor
    • 96[.]9[.]125[.]227 - C2 server for GOST and Wstunnel proxies
    • 194[.]38[.]11[.]3 - C2 server hosting ShadowPad and NOODLERAT samples
    • 209[.]141[.]40[.]254 - C2 server for VShell used by the overlapping SHADOW-EARTH-054 group
  • Domains:
    • check[.]office365-update[.]com - C2 domain for NOODLERAT malware
    • zimbra-beta[.]info - C2 domain associated with SHADOW-EARTH-054
  • File Hashes:
    • 4264cfb3980a068ab36d842c7ee0942f40aaf308f31ed48b41e140e59885f5c8 (SHA256) - GameHook.exe legitimate binary abused for DLL sideloading
    • 2e8f9fd8213d9f69044101cd029fd1797ec7afbcad40bb1f04eb93d881c04cd2 (SHA256) - imecmnt.exe legitimate binary abused for DLL sideloading
    • 8d9433e9734dd629d74abe41ff7024c84b3a28c45671df8f4baed344de733c78 (SHA256) - xReport.exe legitimate binary abused for DLL sideloading
    • d67197bf407e74ecd77be89d0da107d5f7d37c21bdf55456c6b57df65cf429b3 (SHA256) - LUManager.EXE legitimate binary abused for DLL sideloading
  • Registry Keys:
    • HKEY_CURRENT_USER\Software\[ComputerName] - Registry key storing the encrypted ShadowPad shellcode payload in a value named 'scode'
  • File Paths:
    • C:\inetpub\wwwroot\aspnet_client\system_web - Directory used to drop web shells
    • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth - Directory used to drop web shells
    • C:\ProgramData - Staging directory for renamed legitimate binaries like net.exe
    • C:\Users\Public - Staging directory for tunneling tools
  • Command Lines:
    • Purpose: Enumerate domain controllers | Tools: nltest | Stage: Discovery | nltest /dclist
    • Purpose: Enumerate user accounts and emails | Tools: PowerView | Stage: Discovery | Get-DomainUser
    • Purpose: Copy web shell to internal Exchange servers | Tools: cmd.exe | Stage: Lateral Movement | copy charcode.aspx \\[IP]\c$\inetpub\wwwroot\aspnet_client\system_web\
    • Purpose: Extract credentials from LSASS | Tools: rundll32.exe, Mimikatz | Stage: Credential Access | sekurlsa::logonpasswords
    • Purpose: Dump local SAM database | Tools: rundll32.exe, Mimikatz | Stage: Credential Access | lsadump::sam
    • Purpose: Load Exchange management snap-in | Tools: PowerShell | Stage: Collection | Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
  • Other:
    • error.aspx - Web shell filename
    • tunnel.ashx - Web shell filename
    • graphics-hook-filter32.dll - Malicious DLL sideloaded by GameHook.exe
    • imjp14k.dll - Malicious DLL sideloaded by imecmnt.exe
    • Uxtheme.dll - Malicious DLL sideloaded by xReport.exe
    • MPS.dll - Malicious DLL sideloaded by LUManager.EXE
    • TosBtKbd.dll - Malicious DLL sideloaded by CIATosBtKbd.exe
    • M1onltor - Scheduled task name for persistence