China-aligned SHADOW-EARTH-053 exploits Exchange servers to deploy ShadowPad malware
A China-aligned threat cluster tracked as SHADOW-EARTH-053 has been exploiting unpatched Microsoft Exchange and IIS servers to spy on government, defense, technology, and transportation targets.
Trend Micro says the campaign dates back to at least December 2024 and has hit targets across South, East, and Southeast Asia. Poland, a NATO member state, also appeared in the victim list, showing that the operation reached beyond Asia.
The attackers relied on older, known vulnerabilities rather than new zero-days. That detail matters because it shows how dangerous unpatched Exchange and IIS systems remain years after public fixes become available.
What SHADOW-EARTH-053 is doing
SHADOW-EARTH-053 uses vulnerable internet-facing servers as its entry point. Once inside, the group deploys web shells, runs reconnaissance, steals mailbox data, and stages ShadowPad malware through DLL sideloading.
The operation appears focused on cyberespionage and intellectual property theft. The target list includes government ministries, defense-linked IT contractors, transportation organizations, and technology companies with government ties.
Trend Micro tracks SHADOW-EARTH-053 as a temporary intrusion set, meaning researchers see a clear activity cluster but have not publicly tied it to one already named group. The activity still aligns with China’s broader strategic interests.
| Detail | What researchers found |
|---|---|
| Threat cluster | SHADOW-EARTH-053 |
| Assessed alignment | China-aligned cyberespionage activity |
| Known activity start | At least December 2024 |
| Main entry point | Unpatched Microsoft Exchange and IIS servers |
| Main malware | ShadowPad |
| Main goal | Espionage and possible intellectual property theft |
Old Exchange flaws are still useful to attackers
The group exploited known vulnerabilities in Microsoft Exchange Server, including the ProxyLogon chain. These include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Those flaws became public in 2021, but Trend Micro found that they still worked in environments running legacy or unpatched systems. For attackers, an exposed and outdated Exchange server can still provide a path into sensitive networks.
After initial access, SHADOW-EARTH-053 deployed GODZILLA web shells for persistent control. Researchers observed web shell names such as error.aspx, signout.aspx, warn.aspx, data.aspx, tunnel.ashx, i.aspx, and 2.aspx.
How the group moved after compromise
Once inside a network, the attackers performed Active Directory and Exchange reconnaissance. They ran commands through the IIS worker process and looked for domain admins, domain controllers, internal Exchange servers, and user email addresses.
In some cases, they installed an Exchange management snap-in and used a custom ExchangeExport tool through the Exchange Web Services API. This allowed them to target and export mailbox contents from high-value accounts.
The group also used tools for lateral movement and covert access. Trend Micro observed IOX, GOST, Wstunnel, Mimikatz, a custom RDP launcher, and Sharp-SMBExec in related activity.
- Web shells gave attackers persistent remote access.
- Exchange and Active Directory discovery helped them map the network.
- Mailbox exports helped them steal sensitive communications.
- Tunneling tools helped preserve command-and-control access.
- Credential tools supported privilege escalation and lateral movement.
ShadowPad was loaded through trusted-looking files
ShadowPad remains the main malware family in this campaign. It is a modular backdoor that has been used by APT41 and later shared among several China-aligned intrusion sets.
Trend Micro found that SHADOW-EARTH-053 used a three-file loading method. The chain included a legitimate signed executable, a malicious DLL, and an encrypted ShadowPad payload stored on disk or in the Windows Registry.
This approach helps attackers hide malicious activity behind files that look legitimate. Researchers saw abused executables connected to vendors including Samsung Electronics and Mainline Net Holdings.
| Loading stage | Purpose |
|---|---|
| Signed executable | Runs normally but can be abused for DLL sideloading |
| Malicious DLL | Loads the encrypted ShadowPad payload |
| Encrypted payload | Stores ShadowPad on disk or in the registry |
| Registry storage | Helps hide the payload and reduce obvious file artifacts |
The Toshiba Bluetooth loader shows the group’s evasion tactics
One notable loader used a legitimate Toshiba Bluetooth Stack executable renamed to CIATosBtKbd.exe. It sideloaded a malicious DLL named TosBtKbd.dll.
Instead of embedding the payload in the DLL itself, the loader read shellcode from a machine-specific registry key under HKEY_CURRENT_USER\Software. Because the payload is not present in the files on disk, basic file analysis of the executable and DLL alone misses it.
Trend Micro also found persistence through a scheduled task named M1onltor. The task ran the sideloaded binary every five minutes with high privileges.
Who was targeted
The campaign mainly focused on government entities and critical infrastructure in Asia. Trend Micro listed targets in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan.
The operation also affected technology and IT consulting firms, especially those with government or defense-sector customers. That targeting suggests attackers may have used contractors as stepping stones into more sensitive environments.
The Register also reported that Poland was among the affected countries. This matters because it shows the campaign did not stay limited to Asian targets.
| Target area | Why it matters |
|---|---|
| Government ministries | High-value diplomatic and policy data |
| Defense-linked contractors | Possible access to military or procurement information |
| IT consulting firms | Potential route into government customers |
| Transportation organizations | Strategic infrastructure visibility |
| European NATO-linked target | Shows reach beyond Asia |
Why this campaign is hard to clean up
Exchange and IIS compromises can leave behind more than one access path. A server may receive a patch later, but a web shell, stolen credential, scheduled task, tunneling tool, or registry payload can remain active.
That is why patching alone does not finish the response. Organizations that exposed vulnerable Exchange or IIS servers need to hunt for post-exploitation activity.
Security teams should pay close attention to w3wp.exe spawning command shells, reconnaissance tools, or unusual child processes. They should also check public web directories for unexpected .aspx, .ashx, or .jsp files.
- Check Exchange and IIS logs for exploitation attempts.
- Search web directories for unknown server-side scripts.
- Review w3wp.exe child processes for command execution.
- Look for unusual files in C:\Users\Public and C:\Windows\Temp.
- Hunt for ShadowPad DLL sideloading patterns.
- Review scheduled tasks, especially unusual recurring tasks.
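The two hunting steps that yield the most in this campaign, checked against sample data: the IIS worker process spawning a shell or recon tool, and server-side scripts in web directories that a clean install does not contain. This is an added example, not code from the article or from Trend Micro. The Sysmon-style process events, the directory listing and the clean-install baseline are constructed so it runs offline; the web shell file names in the listing are the ones the article reports, and all paths, timestamps and command lines are made up for illustration.

```python
"""Hunting checks for the w3wp.exe and web-directory indicators above.

Added example, not code from the article or Trend Micro. Sample events,
listing and baseline are constructed; see the lead-in for what is assumed.
"""
import ntpath

# Children the IIS worker process should not be spawning on an Exchange
# server: the article's alert list plus common recon helpers.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "net1.exe",
    "nltest.exe", "certutil.exe", "rundll32.exe", "wmic.exe",
}

# Server-side script extensions IIS will execute from a web directory.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructed Sysmon Event ID 1 style records (field names follow Sysmon).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-10 03:12:44", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2025-01-10 03:12:51", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"Get-ADGroupMember 'Domain Admins'\""},
    {"UtcTime": "2025-01-10 03:13:02", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "w3wp.exe -ap \"MSExchangeOWAAppPool\""},
    {"UtcTime": "2025-01-10 09:40:17", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

# Hypothetical inventory of scripts from a known-good Exchange install. In
# practice build it from a clean server of the same build, ideally keyed on
# file hashes rather than paths.
BASELINE = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\default.aspx",
]

# Constructed listing of the same directories on a suspect server.
SAMPLE_LISTING = BASELINE + [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\error.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\signout.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\tunnel.ashx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\2.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\readme.txt",
]


def w3wp_child_hits(events):
    """Return events where w3wp.exe spawned a process in SUSPICIOUS_CHILDREN."""
    hits = []
    for ev in events:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append(ev)
    return hits


def unknown_web_scripts(listing, baseline):
    """Return script files in the listing that the baseline does not contain.

    Matching is on full path, not on whether the name looks plausible:
    error.aspx and signout.aspx are chosen to blend in with OWA's own pages,
    which is exactly why an eyeball check of file names misses them.
    """
    known = {p.lower() for p in baseline}
    return [p for p in listing
            if ntpath.splitext(p)[1].lower() in SCRIPT_EXTENSIONS
            and p.lower() not in known]


if __name__ == "__main__":
    for ev in w3wp_child_hits(SAMPLE_EVENTS):
        print(f"[w3wp child] {ev['UtcTime']}  {ev['CommandLine']}")
    for path in unknown_web_scripts(SAMPLE_LISTING, BASELINE):
        print(f"[unknown script] {path}")
```

Feed the first check from Sysmon or EDR process-creation telemetry and the second from a recursive listing of the Exchange FrontEnd, ClientAccess and inetpub trees; a legitimately patched server still produces hits here if a web shell or tunnel handler was left behind.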
How organizations should respond
Organizations should apply the latest Exchange Server and IIS security updates as the first step. Systems that remain exposed and unpatched give attackers a known route into the network.
If immediate patching is not possible, Trend Micro recommends using IPS or WAF protections tuned to block exploitation of known vulnerabilities. These controls can help reduce risk while teams prepare updates.
Administrators should also harden IIS. That includes limiting w3wp.exe privileges, removing unused modules and handlers, and preventing IIS processes from launching unauthorized tools.
| Priority | Recommended action |
|---|---|
| Patch | Apply the latest Exchange and IIS security updates. |
| Protect | Use WAF or IPS rules when patching cannot happen immediately. |
| Harden | Run IIS worker processes with the least privileges possible. |
| Monitor | Alert when w3wp.exe launches cmd.exe, powershell.exe, or whoami.exe. |
| Hunt | Search for GODZILLA web shells, ShadowPad loaders, and tunneling tools. |
What defenders should watch for
High-value detections include web shell creation in Exchange and IIS paths, suspicious outbound traffic from web servers, and signed executables loading unexpected DLLs.
Security teams should also monitor for tools such as IOX, GOST, Wstunnel, Mimikatz, and Sharp-SMBExec. These tools can appear after the initial compromise and help attackers move deeper into a network.
Because this campaign used known flaws, defenders should also check older incidents. Trend Micro found overlap with another cluster, SHADOW-EARTH-054, and said some environments were compromised months before ShadowPad appeared.
FAQ
Why do old Exchange vulnerabilities still get exploited?
Many organizations still run legacy or unpatched servers. Attackers continue to scan for those systems because known exploits can still work when patches are missing.
What is ShadowPad?
ShadowPad is a modular backdoor used in espionage campaigns. It can support long-term access, command execution, data theft, and other post-compromise activity.
Which vulnerabilities did SHADOW-EARTH-053 exploit?
The group exploited known Microsoft Exchange vulnerabilities, including the ProxyLogon chain: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
What is SHADOW-EARTH-053?
SHADOW-EARTH-053 is a temporary name Trend Micro uses for a China-aligned cyberespionage activity cluster targeting government, defense, technology, and infrastructure organizations.