The SHADOW-EARTH-053 group has been quietly infiltrating government agencies across eight countries since December 2024 using ShadowPad malware and living-off-the-land techniques.
A China-aligned threat group tracked as SHADOW-EARTH-053 has been carrying out a carefully planned multi-stage espionage campaign against government agencies and critical infrastructure across Asia since at least December 2024. The group has compromised organizations in at least eight countries including Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland, using a potent combination of the ShadowPad backdoor, IOX proxy tools, and living-off-the-land techniques to maintain persistence.
Initial access is gained by exploiting known but unpatched vulnerabilities in Microsoft Exchange and IIS servers, specifically targeting the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). Once inside, attackers deploy GODZILLA web shells for persistent backdoor access. The ShadowPad payload is loaded via DLL sideloading, abusing legitimate executables from Toshiba, Samsung, and Microsoft, with the payload retrieved from a machine-specific registry key under HKEY_CURRENT_USER\Software. Persistence is maintained through a scheduled task named “M1onltor” running every five minutes with highest privileges.
Beyond ShadowPad, the attackers deployed IOX proxy and open-source tunneling tools including GOST and Wstunnel to create covert communication channels over SOCKS5 and HTTPS. WMIC is used for lateral movement, while credential harvesting tools including Mimikatz and Evil-CreateDump are executed through IIS worker processes to extract passwords. Trend Micro researchers identified a related cluster, SHADOW-EARTH-054, sharing identical tool hashes and victim overlap, with both groups often compromising the same organizations.
Organizations running internet-facing Exchange or IIS servers should apply patches immediately. Security teams should deploy File Integrity Monitoring on web directories, watch for IIS worker processes spawning command shells, and monitor directories like C:\Users\Public and C:\ProgramData for staging activity.
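As an added example (not code from the article or from Trend Micro), the following Python applies two of the checks recommended above to constructed Sysmon-style events: an IIS worker process (w3wp.exe) spawning a command shell, and a file written into one of the staging directories named above. Field names follow Sysmon Event ID 1 (process creation) and 11 (file creation); the sample events are made up.

```python
import ntpath

# Parent processes that should not be launching shells on a web server.
WEB_WORKERS = {"w3wp.exe"}
# Child images whose appearance under a web worker suggests web shell use.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}
# Staging directories named in the article (lower-cased, trailing separator).
STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")

def _base(path):
    # ntpath handles Windows separators even when run on a non-Windows host.
    return ntpath.basename(path).lower()

def worker_spawned_shell(ev):
    """Sysmon EID 1: IIS worker process launching a command shell."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage", "")) in WEB_WORKERS
            and _base(ev.get("Image", "")) in SHELLS)

def staging_write(ev):
    """Sysmon EID 11: file created inside a known staging directory."""
    target = ev.get("TargetFilename", "").lower()
    return ev.get("EventID") == 11 and target.startswith(STAGING_DIRS)

def triage(events):
    """Return (rule, evidence) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if worker_spawned_shell(ev):
            findings.append(("iis_worker_spawned_shell", ev["CommandLine"]))
        if staging_write(ev):
            findings.append(("staging_dir_write", ev["TargetFilename"]))
    return findings

# Constructed sample events (simplified Sysmon fields), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\Users\\Public\\update.dll"},
    {"EventID": 11, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Only the first and third sample events should fire; the shell started from explorer.exe and the write into a user profile directory are ordinary activity.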
Source: Cyber Security News — China-Aligned Attackers Use ShadowPad, IOX Proxy, and WMIC in Multi-St