Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/Threats/China-Aligned SHADOW-EARTH-053 Exploits Exchange Servers With ShadowPad Malware
Threats

China-Aligned SHADOW-EARTH-053 Exploits Exchange Servers With ShadowPad Malware

Key Takeaways A Chinese state-aligned threat group, SHADOW-EARTH-053, is actively targeting government and defense sectors globally. The group exploits unpatched Microsoft Exchange Server...

Emy Elsamnoudy
Emy Elsamnoudy
May 5, 2026 4 Min Read
41 0

Key Takeaways

  • A Chinese state-aligned threat group, SHADOW-EARTH-053, is actively targeting government and defense sectors globally.
  • The group exploits unpatched Microsoft Exchange Server vulnerabilities, specifically the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
  • ShadowPad malware is deployed via a sophisticated DLL sideloading technique, often using legitimate signed executables.
  • Targets include entities in South, East, and Southeast Asia, and a NATO member state in Europe, indicating a broad espionage scope.

A sophisticated cyberespionage campaign, attributed to the China-aligned threat group SHADOW-EARTH-053, is leveraging known but unpatched vulnerabilities in Microsoft Exchange Servers to infiltrate government and defense-related organizations. This extensive operation, which began in late 2024, targets entities across Asia and has also impacted a NATO member in Europe, according to a detailed analysis by Trend Micro researchers Daniel Lunghi and Lucas Silva.

Table Of Content

  • Key Takeaways
  • Exploiting Legacy Vulnerabilities
  • ShadowPad Delivery and DLL Sideloading
  • What You Should Do

The threat group’s activities span at least eight countries, compromising government ministries, defense contractors, IT consulting firms, and transportation organizations, primarily concentrated in South, East, and Southeast Asia. Notably, Poland, a NATO member state, has also been identified as a target, highlighting the global reach and strategic intent of these operations beyond the Asian continent.

Lunghi and Silva identified this campaign through their ongoing investigation into ShadowPad malware implants prevalent in South and Southeast Asia. They assigned the temporary designation SHADOW-EARTH-053, assessing its alignment with China’s broader strategic objectives. The researchers also noted significant overlaps with another intrusion set, SHADOW-EARTH-054, which frequently preceded the deployment of ShadowPad implants by several months, sharing identical tool hashes and similar tactics, techniques, and procedures (TTPs). Based on the nature of the targets and operational patterns, the researchers conclude these operations are primarily focused on cyberespionage and the theft of intellectual property.

Exploiting Legacy Vulnerabilities

The primary entry point for SHADOW-EARTH-053 involves exploiting N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers. Specifically, the group has utilized the ProxyLogon chain of vulnerabilities, which includes CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Despite being several years old, these vulnerabilities remain effective against organizations that have not applied necessary patches, leaving them exposed to mailbox compromises, credential theft, and prolonged attacker access.

The impact of this campaign has been substantial, with successful compromises of sensitive entities across multiple nations. In some instances, SHADOW-EARTH-053 leveraged its access to the victim’s Exchange server to install an Exchange management snap-in. Subsequently, the group enumerated high-value mailboxes and exported their contents using a custom ExchangeExport tool via the Exchange Web Services (EWS) API. This technique has been previously observed by Microsoft in operations conducted by the Silk Typhoon (Hafnium) threat group, indicating a shared or similar operational methodology.

ShadowPad Delivery and DLL Sideloading

The primary payload deployed by SHADOW-EARTH-053 is ShadowPad, a modular implant first associated with APT41 in 2017 and later adopted by various China-aligned intrusion sets since 2019. The variant utilized by this group reportedly lacks the advanced obfuscation and anti-debugging features found in newer builds, suggesting that SHADOW-EARTH-053 may have access to an older builder rather than the malware’s source code itself.

The group consistently employs a three-file loading mechanism to deploy ShadowPad. This method involves a legitimate, signed executable vulnerable to DLL sideloading, a malicious DLL responsible for loading the payload from disk or the Windows Registry, and an encrypted ShadowPad payload. The payload is initially stored in the registry and then deleted after its first execution. To further evade detection, the group abuses executables signed by reputable vendors, such as Samsung Electronics and Mainline Net Holdings, to mask the DLL sideloading activity.

One notable loader observed in this campaign involved a legitimate Toshiba Bluetooth Stack executable, renamed to CIATosBtKbd.exe, which sideloads a malicious DLL named TosBtKbd.dll. This loader retrieves its payload from the Windows Registry instead of embedding it directly within the binary. It identifies the host by calling GetComputerNameA and accesses a machine-specific registry key located at Ht HKEY_CURRENT_USERSoftware.

What You Should Do

Organizations operating internet-facing Microsoft Exchange or IIS infrastructure must prioritize the following mitigation steps:

  • Immediately apply the latest security updates and cumulative patches to all Microsoft Exchange servers and web applications hosted on IIS.
  • If immediate patching is not feasible, deploy Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with robust rulesets configured to block exploit attempts against known CVEs.
  • Implement strict File Integrity Monitoring (FIM) on critical web directories, such as C:inetpubwwwroot and Exchange Client Access paths, and configure alerts for the creation or modification of executable server-side scripts (e.g., .aspx, .ashx, .jsp).
  • Ensure the IIS worker process (w3wp.exe) operates with the principle of least privilege, explicitly preventing it from having administrative rights or the ability to write to arbitrary directories.
  • Remove any unnecessary IIS modules and handlers that are not essential for business operations to reduce the attack surface.
  • Enforce application whitelisting policies to prevent the IIS process from launching unauthorized binaries or script interpreters.
  • Set up alerts for instances where the IIS worker process spawns command shells (cmd.exe, powershell.exe) or reconnaissance tools (whoami.exe, net.exe), as these are strong indicators of remote code execution.
  • Actively monitor for unexpected outbound connections initiated by the web server, which may signal command-and-control (C2) communication.
  • Monitor and restrict access to common staging directories, including C:ProgramData, C:UsersPublic, C:PerfLogs, and C:WindowsTemp.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitMalwarePatchSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

ScarCruft Supply Chain Attack Backdoors Windows and Android Gaming Platform

Next Post

Cisco Acquires Astrix Security to Boost AI Agent and Non-Human Identity Security

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us