China-Aligned SHADOW-EARTH-053 Exploits Exchange Servers to Deploy
A China-aligned threat group, identified as SHADOW-EARTH-053, is actively exploiting unpatched Microsoft Exchange Server vulnerabilities to conduct cyberespionage. These sophisticated operations...
A China-aligned threat group, identified as SHADOW-EARTH-053, is actively exploiting unpatched Microsoft Exchange Server vulnerabilities to conduct cyberespionage. These sophisticated operations target government and defense-linked entities across Asia and beyond, according to Trend Micro researchers.
The group’s activity dates back to at least December 2024, with campaigns targeting at least eight countries, including government ministries, defense contractors, IT consulting firms, and transportation organizations concentrated across South, East, and Southeast Asia.
At least one NATO member state in Europe, identified as Poland, was also targeted, pointing to a broader strategic footprint beyond the Asian region.
Trend Micro analysts Daniel Lunghi and Lucas Silva identified this campaign through ongoing analysis of ShadowPad implants targeting South and Southeast Asia, tracking the activity under the temporary intrusion set designation SHADOW-EARTH-053, which they assess to be aligned with China’s broader strategic interests.
The researchers noted significant overlaps with a related intrusion set, SHADOW-EARTH-054, whose activities frequently predated the deployment of ShadowPad implants by several months, sharing identical tool hashes and overlapping tactics, techniques, and procedures (TTPs).
Given the target profiles and operational patterns, the researchers assess these operations are primarily aimed at cyberespionage and intellectual property theft.
The primary attack vector involves exploiting N-day (known but unpatched) vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers.
Specifically, SHADOW-EARTH-053 leveraged the ProxyLogon chain of vulnerabilities, including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Despite these vulnerabilities being years old, they remained effective entry points in environments running legacy or unpatched Exchange installations, confirming that organizations that have not applied patches continue to face significant risk of mailbox compromise, credential theft, and prolonged attacker access.
The impact of this campaign is substantial. The group successfully compromised government ministries, defense-adjacent IT contractors, and transportation organizations across at least eight countries.
In some cases, SHADOW-EARTH-053 used its access to the victim’s Exchange server to install a snap-in for Exchange management, then enumerated high-value mailboxes and exported their contents using a custom ExchangeExport tool via the Exchange Web Services (EWS) API, a technique Microsoft has previously observed in Silk Typhoon (Hafnium) operations.
ShadowPad Delivery and DLL Sideloading
The primary malware used by SHADOW-EARTH-053 is ShadowPad, an advanced modular implant first used by APT41 in 2017 and later shared among multiple China-aligned intrusion sets starting in 2019.
The variant deployed by this group lacks the advanced obfuscation and anti-debugging features seen in builds used by other groups, suggesting SHADOW-EARTH-053 has access only to an older builder rather than the source code itself.
Across observed intrusions, the group consistently used a three-file loading mechanism to deploy ShadowPad.
This mechanism consists of a legitimate signed executable vulnerable to DLL sideloading, a malicious DLL that loads the payload from disk or from the Windows Registry, and an encrypted ShadowPad payload stored in the registry then deleted after its first use.
Notably, the group abused executables from software signed by recognized vendors, including Samsung Electronics and Mainline Net Holdings, to mask the sideloading activity.
A key loader used in this campaign involved a legitimate Toshiba Bluetooth Stack executable renamed to CIATosBtKbd.exe to sideload a malicious DLL named TosBtKbd.dll.
This loader retrieves its payload from the Windows Registry rather than embedding it within the binary, calling GetComputerNameA to identify the host and then accessing a machine-specific registry key under HKEY_CURRENT_USER\Software.
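The three-file loader described above leaves a recognizable trace on the endpoint: a vendor-signed executable loading an unsigned DLL from its own directory, outside the normal install locations. The following detection logic, an added example and not code from the Trend Micro report, runs over constructed Sysmon-style image-load events; the field names and sample paths are assumptions.

```python
"""Flag DLL-sideloading candidates in constructed Sysmon-style image-load
events: a signed executable loading an unsigned DLL from its own directory,
outside trusted program locations. Added example; field names and sample
events are assumptions, not data from the report."""
import ntpath

# Constructed sample events (simplified Sysmon Event ID 7 fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Toshiba\CIATosBtKbd.exe",
     "ImageSigned": True, "ImageSigner": "TOSHIBA CORPORATION",
     "ImageLoaded": r"C:\ProgramData\Toshiba\TosBtKbd.dll",
     "LoadedSigned": False, "LoadedSigner": ""},
    {"Image": r"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe",
     "ImageSigned": True, "ImageSigner": "TOSHIBA CORPORATION",
     "ImageLoaded": r"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.dll",
     "LoadedSigned": True, "LoadedSigner": "TOSHIBA CORPORATION"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageSigned": True, "ImageSigner": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "LoadedSigned": True, "LoadedSigner": "Microsoft Windows"},
]

# Directories where a vendor-signed binary normally lives. The staging
# paths named in the report (ProgramData, Users\Public, PerfLogs,
# Windows\Temp) are deliberately not on this list.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\",
                "c:\\program files (x86)\\")


def is_sideload_candidate(ev):
    """True when a signed EXE loads an unsigned DLL from the EXE's own
    directory and that directory is not a trusted install location."""
    if not ev["ImageSigned"] or ev["LoadedSigned"]:
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if exe_dir != dll_dir:
        return False
    return not any(exe_dir.startswith(t) for t in TRUSTED_DIRS)


def find_sideloads(events):
    """Return (executable, dll) pairs that deserve analyst attention."""
    return [(ev["Image"], ev["ImageLoaded"])
            for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for exe, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL sideloading: {exe} -> {dll}")
```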
Organizations running internet-facing Microsoft Exchange or IIS infrastructure should take the following steps based on guidance from the research findings:
- Apply the latest security updates and cumulative patches to Microsoft Exchange and all web applications hosted on IIS immediately.
- Where immediate patching is not possible, deploy Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets tuned to block exploit attempts against known CVEs.
- Implement strict File Integrity Monitoring (FIM) on critical web directories such as C:\inetpub\wwwroot and Exchange Client Access paths, with alerts configured for creation or modification of executable server-side scripts (.aspx, .ashx, .jsp).
- Ensure the IIS worker process (w3wp.exe) runs with the lowest possible privileges and does not have administrative rights or the ability to write to arbitrary directories.
- Remove unnecessary IIS modules and handlers not required for business operations to reduce the attack surface.
- Enforce application whitelisting policies that prevent the IIS process from launching unauthorized binaries or script interpreters.
- Set up alerts for when the IIS worker process spawns command shells (cmd.exe, powershell.exe) or reconnaissance tools (whoami.exe, net.exe), as this is a high-fidelity indicator of remote code execution.
- Monitor for unexpected outbound connections initiated by the web server, which may indicate command-and-control (C2) communication.
- Monitor and restrict access to directories commonly used as staging grounds, including C:\ProgramData, C:\Users\Public, C:\PerfLogs, and C:\Windows\Temp.
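Two of the monitoring steps above (alerting when the IIS worker process spawns a shell or reconnaissance tool, and FIM on the web root for server-side script writes) can be expressed as simple triage rules. The following is an added example that is not part of the report; the record layout and sample telemetry are constructed, not any product's log schema.

```python
"""Triage constructed process-creation and file-creation records for the
two IIS indicators named in the hardening list: w3wp.exe spawning a shell
or recon tool, and a server-side script written under the web root.
Added example; the record format and samples are assumptions."""
import ntpath

# Constructed sample telemetry: (record_type, fields).
SAMPLE_RECORDS = [
    ("process", {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
                 "Image": r"C:\Windows\System32\cmd.exe",
                 "CommandLine": "cmd.exe /c whoami"}),
    # ASP.NET compiling a page: w3wp.exe as parent is expected here.
    ("process", {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
                 "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 "CommandLine": "csc.exe /noconfig /fullpaths @App_Web.cmdline"}),
    ("file", {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
              "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\update.aspx"}),
    ("file", {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
              "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240101.log"}),
]

# Child processes the report calls a high-fidelity sign of code execution.
SHELL_AND_RECON = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe"}
# Executable server-side script types the FIM rule should alert on.
SCRIPT_EXTS = {".aspx", ".ashx", ".jsp"}
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\",)


def iis_spawned_shell(p):
    """True when the IIS worker process is the direct parent of a shell
    or reconnaissance binary."""
    parent = ntpath.basename(p["ParentImage"]).lower()
    child = ntpath.basename(p["Image"]).lower()
    return parent == "w3wp.exe" and child in SHELL_AND_RECON


def web_script_written(f):
    """True when a file with a server-side script extension is created
    or modified under a monitored web root."""
    path = f["TargetFilename"].lower()
    return path.startswith(WEB_ROOTS) and ntpath.splitext(path)[1] in SCRIPT_EXTS


def triage(records):
    """Return (rule_name, evidence) alerts in the order records arrive."""
    alerts = []
    for kind, fields in records:
        if kind == "process" and iis_spawned_shell(fields):
            alerts.append(("iis_child_process", fields["CommandLine"]))
        elif kind == "file" and web_script_written(fields):
            alerts.append(("webroot_script_write", fields["TargetFilename"]))
    return alerts
```

Running `triage(SAMPLE_RECORDS)` flags the cmd.exe child and the .aspx write while leaving the compiler launch and the log file untouched.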