Full Report
Just in time for the Trump-Xi summit
Exclusive: A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month.…
Analysis Summary
# Threat Actor: Shadow-Earth-053
## Attribution & Identity
* **Identification:** A novel China-linked cyber espionage group (tracked by TrendAI).
* **Aliases/Related Groups:**
  * **Shadow-Earth-054:** A closely related group that shares identical tool hashes, overlapping techniques, and exploits the same vulnerabilities.
  * **Associated Clusters:** Linked via network and tool overlaps to **CL-STA-0049** (Unit 42), **REF7707** (Elastic Security Labs), and **Earth Alux** (Trend Micro).
* **Strategic Comparison:** Likened to "Salt Typhoon" and "Volt Typhoon" due to their focus on prepositioning for sabotage and long-term persistence in critical infrastructure.
## Activity Summary
* **Timeline:** Activity began in December 2024, with operations uncovered as recently as April 2026.
* **Campaigns:** Infiltrated over a dozen critical networks globally. The group often maintains access for up to 8 months before deploying primary backdoors.
* **Geopolitical Context:** The activity is noted for its timing ahead of the May 2026 Trump-Xi summit.
## Tactics, Techniques & Procedures
* **Initial Access:**
  * Exploitation of external services, specifically **Microsoft Exchange Servers** (ProxyLogon chain).
  * Possible use of stolen credentials or prior compromises to deliver payloads via legitimate tools like **AnyDesk**.
* **Persistence & Lateral Movement:**
  * Deployment of "C2 on a sleep cycle" for long-term burrowing.
  * Use of Windows Management Instrumentation Command-line (**WMIC**) for lateral movement.
  * Installation of backdoors on additional internal hosts using stolen administrative credentials.
* **Evasion:**
  * Renaming legitimate Windows system binaries to bypass process-based detection.
  * Use of **RingQ** (open-source Chinese packer) to evade security solutions.
  * Use of domain names impersonating security companies or DNS protocols.
* **Credential Access:** Collection of credentials using tools like **Evil-CreateDump**.
* **MITRE ATT&CK IDs (Inferred from text):**
  * T1190 - Exploit Public-Facing Application
  * T1505.003 - Server Software Component: Web Shell
  * T1047 - Windows Management Instrumentation
  * T1036 - Masquerading
  * T1003 - OS Credential Dumping
* **Vulnerability IDs:** CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (ProxyLogon); CVE-2025-55182 (React Server Components).
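The three host-side behaviours listed above (renamed system binaries, WMIC lateral movement, and AnyDesk used for delivery) are all visible in process-creation telemetry. The following is an added example, not code from the report or from any of the vendors it cites: it runs three hypothetical detectors over constructed Sysmon-style events. The function names (`detect_masquerading`, `detect_wmic_remote`, `detect_anydesk`, `scan`), the watch list `SYSTEM_BINARIES`, the AnyDesk allow-list, and every event in `SAMPLE_EVENTS` are assumptions made for the example.

```python
"""Hypothetical detections for the TTPs listed above, run over constructed
Sysmon-style process-creation events (example code, not from the report)."""
import re
from pathlib import PureWindowsPath

# Windows binaries whose PE "OriginalFileName" should match the on-disk name.
# Constructed watch list; real coverage would be wider.
SYSTEM_BINARIES = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe",
                   "powershell.exe", "certutil.exe", "mshta.exe"}

# Expected install roots for AnyDesk (constructed allow-list, lower-case).
ANYDESK_ALLOWED_ROOTS = ("c:\\program files (x86)\\anydesk\\",
                         "c:\\program files\\anydesk\\")

# WMIC remote process creation: "/node:<host> ... process call create ..."
WMIC_REMOTE_RE = re.compile(
    r"/node:\s*\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def detect_masquerading(event):
    """T1036: a system binary copied under another name keeps its OriginalFileName."""
    original = (event.get("OriginalFileName") or "").lower()
    if original in SYSTEM_BINARIES and _basename(event["Image"]) != original:
        return f"renamed system binary: {event['Image']} is really {original}"
    return None


def detect_wmic_remote(event):
    """T1047: WMIC used to start a process on a remote host."""
    original = (event.get("OriginalFileName") or "").lower()
    if _basename(event["Image"]) == "wmic.exe" or original == "wmic.exe":
        if WMIC_REMOTE_RE.search(event.get("CommandLine", "")):
            return f"WMIC remote process creation: {event['CommandLine']}"
    return None


def detect_anydesk(event):
    """Remote-access tooling launched from outside its sanctioned install path."""
    image = event["Image"].lower()
    if _basename(image) == "anydesk.exe" and not image.startswith(ANYDESK_ALLOWED_ROOTS):
        return f"AnyDesk outside allow-listed path: {event['Image']}"
    return None


DETECTORS = (detect_masquerading, detect_wmic_remote, detect_anydesk)


def scan(events):
    """Return (event index, message) for every detector hit, in event order."""
    hits = []
    for idx, ev in enumerate(events):
        for det in DETECTORS:
            msg = det(ev)
            if msg:
                hits.append((idx, msg))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": r"C:\Windows\explorer.exe"},
    # rundll32.exe copied to ProgramData and renamed to look like svchost.exe
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "svchost.exe loader.dll,Start", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic /node:"FILESRV01" process call create "cmd.exe /c whoami"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --silent", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "CommandLine": "AnyDesk.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {msg}")
```

The masquerading check relies on the PE version-info `OriginalFileName` that Sysmon records, which survives a file rename; a detection keyed only on the process name would miss the second sample event entirely. The first and last sample events are benign and produce no hit.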
## Targeting
* **Sectors:** Defense ministries, defense contractors, government agencies, technology firms, transportation industry, and critical infrastructure.
* **Geography:** Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland.
* **Victims:** Over a dozen critical networks; specifically mentioned is a defense-sector organization in Poland.
## Tools & Infrastructure
* **Malware:**
  * **ShadowPad:** A custom backdoor shared among China-aligned groups.
  * **NoodleRat:** A Linux-based backdoor.
  * **Godzilla:** A common Chinese-language web shell.
* **Software/Utilities:** AnyDesk (for delivery/access), RingQ (packing), Evil-CreateDump (credential dumping).
* **Infrastructure:** C2 domains designed to impersonate legitimate security products and DNS protocols (specific IOCs not listed in text, but categorized as "impersonation" domains).
## Implications
* **Sabotage Capability:** Similar to Volt Typhoon, the group appears to be "prepositioning" assets within critical infrastructure. This suggests a transition from pure espionage to maintaining the capability for destructive "wiper" attacks or sabotage should geopolitical tensions escalate.
* **Strategic Reach:** The targeting of Poland (a NATO member) indicates an expansion of Chinese cyber operations into European defense sectors supportive of Taiwan or aligned with U.S. interests.
## Mitigations
* **Patch Management:** Immediate patching of historical Microsoft Exchange vulnerabilities (ProxyLogon) and the newer React Server Components flaw (CVE-2025-55182).
* **Tool Monitoring:** Implement environment-wide monitoring for unauthorized or renamed Windows system binaries and unauthorized use of remote desktop software like AnyDesk.
* **Identity Security:** Enforce multi-factor authentication (MFA) and monitor for lateral movement via WMIC and administrative credential abuse.
* **Egress Filtering:** Hunt for persistent "sleeping" C2 traffic and suspicious domain patterns imitating security vendors.
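A "sleeping" C2 channel shows up in egress logs as a (host, domain) pair contacted at a long, nearly constant interval, and the report's impersonation domains show up as vendor names inside domains the vendor does not own. The following added example, not code from the report or any of the vendors it names, hunts for both over a constructed proxy log. The functions `parse_log`, `registrable`, `impersonates_vendor` and `find_beacons`, the vendor table `VENDOR_LEGIT_DOMAINS`, the thresholds, and every line of `SAMPLE_LOG` (including the look-alike domain) are assumptions made for the example.

```python
"""Hypothetical hunting logic for the egress-filtering bullet above (example
code, not from the report): periodic 'sleeping' C2 beacons and look-alike
domains imitating security vendors, over constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed table: vendor keyword -> registrable domains the vendor really uses.
VENDOR_LEGIT_DOMAINS = {
    "trendmicro": {"trendmicro.com"},
    "crowdstrike": {"crowdstrike.com"},
    "sophos": {"sophos.com"},
}

# Constructed sample proxy log, "timestamp src_host dst_domain" (not real traffic).
SAMPLE_LOG = """\
2026-04-01T00:00:00 WS-017 update.trendmicro.com
2026-04-01T00:02:10 WS-017 www.example.org
2026-04-01T04:00:03 WS-017 telemetry-trendmicro-update.net
2026-04-01T08:00:01 WS-017 telemetry-trendmicro-update.net
2026-04-01T12:00:04 WS-017 telemetry-trendmicro-update.net
2026-04-01T16:00:02 WS-017 telemetry-trendmicro-update.net
2026-04-01T20:00:00 WS-017 telemetry-trendmicro-update.net
2026-04-01T09:13:45 WS-022 www.example.org
2026-04-01T09:14:02 WS-022 cdn.example.org
2026-04-01T10:41:19 WS-022 www.example.org
"""


def parse_log(text):
    """Parse the three-column log into (datetime, host, domain) tuples."""
    rows = []
    for line in text.splitlines():
        ts, host, domain = line.split()
        rows.append((datetime.fromisoformat(ts), host, domain.lower()))
    return rows


def registrable(domain):
    """Last two labels as the registrable domain (assumption: no public-suffix list)."""
    parts = domain.split(".")
    return ".".join(parts[-2:])


def impersonates_vendor(domain):
    """Return the vendor keyword when it appears in a domain the vendor does not own."""
    reg = registrable(domain)
    for vendor, legit in VENDOR_LEGIT_DOMAINS.items():
        if vendor in domain and reg not in legit:
            return vendor
    return None


def find_beacons(rows, min_events=4, min_interval_s=3600, max_cv=0.05):
    """Flag (host, domain) pairs with >= min_events contacts whose gaps are long
    and nearly constant. cv = pstdev/mean of the inter-contact gaps; a fixed
    sleep timer gives a cv close to zero, interactive browsing does not."""
    by_pair = defaultdict(list)
    for ts, host, domain in rows:
        by_pair[(host, domain)].append(ts)
    results = []
    for (host, domain), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if avg >= min_interval_s and cv <= max_cv:
            results.append({"host": host, "domain": domain,
                            "interval_s": round(avg), "cv": round(cv, 4),
                            "lookalike_of": impersonates_vendor(domain)})
    return results


if __name__ == "__main__":
    for r in find_beacons(parse_log(SAMPLE_LOG)):
        print(r)
```

On the sample log only WS-017's contacts with the constructed look-alike domain qualify: five contacts roughly four hours apart with a coefficient of variation near zero, and the domain carries a vendor name on a registrable domain that vendor does not own. The genuine `update.trendmicro.com` entry is not flagged, and the two-contact browsing pattern from WS-022 never reaches the event threshold. Raising `max_cv` catches beacons with jitter at the cost of more false positives.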