Full Report
Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO. Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to
Analysis Summary
# Threat Actor: SHADOW-EARTH-053
## Attribution & Identity
* **Identification:** SHADOW-EARTH-053 is a China-aligned espionage threat cluster.
* **Aliases/Associations:**
  * Associated with tracking designations **CL-STA-0049**, **Earth Alux**, and **REF7707** due to network overlaps.
  * Linked to activities tracked by Google Threat Intelligence Group (GTIG) as **UNC6595**.
  * Observed operational overlap (victim sharing) with a related set dubbed **SHADOW-EARTH-054**.
## Activity Summary
The group has been active since at least December 2024. Recent campaigns involve the exploitation of N-day vulnerabilities in internet-facing servers to gain a foothold in government and defense networks. Once inside, the actor deploys persistence mechanisms and backdoors to facilitate long-term espionage.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of N-day vulnerabilities in Microsoft Exchange (e.g., ProxyLogon chain) and Internet Information Services (IIS) applications. [T1190]
* **Persistence:** Deployment of Godzilla web shells. [T1505.003]
* **Execution & Evasion:** DLL side-loading through legitimate signed executables to launch implants. [T1574.002]
* **Defense Evasion:** Use of **RingQ** to pack malicious binaries and evade security software. [T1027]
* **Privilege Escalation:** Use of Mimikatz. [T1003]
* **Lateral Movement:** Use of a custom RDP launcher and **Sharp-SMBExec** (a C# implementation of SMBExec). [T1021.001], [T1021.002]
* **Command and Control:** Utilization of AnyDesk for remote access and various tunneling tools.
## Targeting
* **Sectors:** Government, Defense, Journalists, and Civil Society Activists (Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora).
* **Geography:**
  * **Asia:** Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan.
  * **Europe:** Poland (NATO member state).
* **Victims:** International Consortium of Investigative Journalists (ICIJ) and specific journalists (Scilla Alecci).
## Tools & Infrastructure
* **Malware Families:**
  * **ShadowPad:** Advanced modular backdoor.
  * **Godzilla:** Web shell for persistent access.
  * **Noodle RAT** (aka ANGRYREBEL/Nood RAT): Cross-platform RAT; a Linux version was observed.
  * **Tunneling Tools:** IOX, GO Simple Tunnel (GOST), and Wstunnel.
  * **Additional Tools:** AnyDesk, Mimikatz, Sharp-SMBExec, RingQ.
* **Entry Point/Vulns:**
  * Microsoft Exchange (ProxyLogon).
  * React2Shell (CVE-2025-55182).
## Implications
SHADOW-EARTH-053 represents a sophisticated state-aligned threat focused on geographic regions of high strategic interest to China. Its ability to weaponize recent vulnerabilities (CVE-2025-55182) and use cross-platform malware (Noodle RAT) indicates a highly capable and adaptive adversary. The focus on NATO members and Asian defense sectors suggests a primary mission of political and military intelligence gathering.
## Mitigations
* **Patch Management:** Prioritize immediate application of security updates for Microsoft Exchange and IIS-hosted applications.
* **Virtual Patching:** Deploy Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with specific rules for known Exchange and IIS vulnerabilities if physical patching is delayed.
* **Endpoint Security:** Monitor for DLL side-loading activities and the unauthorized use of remote management tools like AnyDesk or tunneling software (IOX, GOST).
* **Credential Protection:** Implement robust MFA and monitor for the use of Mimikatz or Sharp-SMBExec to prevent lateral movement.
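The endpoint-security and credential-protection bullets above, together with the TTP list, translate into three concrete detection heuristics. The following Python script is an added example, not code from Trend Micro or from this summary: it runs the heuristics over a handful of constructed Sysmon/System-log-style events (DLL side-loading by a signed executable, execution of AnyDesk or GOST-style tunnelers outside an approved location, and SMBExec-style service installation that uses a command shell as the service binary). All hostnames, file paths, service names and the approved AnyDesk install directory are assumptions for the demonstration.

```python
"""Heuristic detections for the SHADOW-EARTH-053 TTPs listed in the summary.

Events are a flattened, constructed approximation of Sysmon EID 7 (image load),
Sysmon EID 1 (process create) and System EID 7045 (service install) records.
"""
import ntpath
import re

# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    # Benign: a system binary in System32 loading a signed system DLL.
    {"kind": "image_load", "host": "exch01", "image_signed": True,
     "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    # Suspicious: signed EXE copied to a writable folder, loading an unsigned DLL beside it.
    {"kind": "image_load", "host": "exch01", "image_signed": True,
     "image": r"C:\ProgramData\Update\OneDrive.exe",
     "loaded": r"C:\ProgramData\Update\version.dll", "signed": False},
    # Benign: AnyDesk running from the (assumed) IT-approved install directory.
    {"kind": "process_create", "host": "ws07",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    # Suspicious: GOST tunneler dropped into a temp directory on the Exchange server.
    {"kind": "process_create", "host": "exch01",
     "image": r"C:\Windows\Temp\svc\gost.exe", "cmdline": "gost.exe -L :8443"},
    # Suspicious: a new service whose binary is the command interpreter (SMBExec-style).
    {"kind": "service_install", "host": "dc01", "service": "svc_7f3a",
     "image_path": r"%COMSPEC% /Q /c echo whoami > \\127.0.0.1\C$\__output 2>&1"},
    # Benign: a normal service install.
    {"kind": "service_install", "host": "dc01", "service": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Remote-access / tunneling tools named in the summary; matched by file name only,
# so a renamed binary will slip past this rule (treat it as a floor, not a ceiling).
WATCHED_TOOLS = {"anydesk.exe", "iox.exe", "gost.exe", "wstunnel.exe"}
# Assumed allowlist of where IT legitimately installs each tool.
APPROVED_TOOL_DIRS = {"anydesk.exe": r"c:\program files (x86)\anydesk"}
SERVICE_SHELL = re.compile(r"%COMSPEC%|\bcmd\.exe\b|\bpowershell\.exe\b", re.IGNORECASE)


def _dir(path):
    return ntpath.dirname(path).lower()


def _in_trusted_dir(path):
    # "c:\program files" also covers "c:\program files (x86)".
    return _dir(path).startswith(TRUSTED_DIRS)


def detect_sideload(ev):
    """Signed EXE loading an unsigned DLL from its own directory, outside trusted install paths."""
    if ev["kind"] != "image_load":
        return None
    if (ev.get("image_signed") and not ev["signed"]
            and _dir(ev["image"]) == _dir(ev["loaded"]) and not _in_trusted_dir(ev["image"])):
        return f"possible DLL side-loading: {ev['image']} loaded {ev['loaded']}"
    return None


def detect_tool(ev):
    """Remote-access or tunneling tool executed from anywhere but its approved directory."""
    if ev["kind"] != "process_create":
        return None
    name = ntpath.basename(ev["image"]).lower()
    if name not in WATCHED_TOOLS or _dir(ev["image"]) == APPROVED_TOOL_DIRS.get(name):
        return None
    return f"remote-access/tunneling tool outside approved location: {ev['image']}"


def detect_service_exec(ev):
    """Service installed with a command shell as its binary (SMBExec-style lateral movement)."""
    if ev["kind"] != "service_install" or not SERVICE_SHELL.search(ev["image_path"]):
        return None
    return f"service '{ev['service']}' runs a shell: {ev['image_path']}"


DETECTORS = (detect_sideload, detect_tool, detect_service_exec)


def run_detections(events):
    """Return (host, rule name, message) for every event that trips a detector."""
    findings = []
    for ev in events:
        for detector in DETECTORS:
            hit = detector(ev)
            if hit:
                findings.append((ev["host"], detector.__name__, hit))
    return findings


if __name__ == "__main__":
    for host, rule, msg in run_detections(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {msg}")
```

Each rule is deliberately narrow so it can be tuned independently: the side-loading check keys on the combination of a signed loader, an unsigned DLL and a non-standard directory, the tool check relies on an allowlist that an organisation must maintain, and the service check catches the shell-as-service pattern regardless of which SMBExec variant created it.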