Just in time for the Trump-Xi summit
Analysis Summary
# Threat Actor: Shadow-Earth-053
## Attribution & Identity
* **Actor Identification:** Shadow-Earth-053 is a newly identified China-linked threat group, characterized as a "younger brother" to the established Volt Typhoon and Salt Typhoon campaigns.
* **Aliases/Associated Groups:**
* **Shadow-Earth-054:** A closely related group sharing identical tool hashes, overlapping techniques, and exploiting the same vulnerabilities.
* **Related Clusters:** Linked to activities tracked as CL-STA-0049 (Palo Alto Unit 42), REF7707 (Elastic), and Earth Alux (Trend Micro).
* **Affiliation:** China-aligned espionage group.
## Activity Summary
Activity was first observed in December 2024 and continued through April 2026. The group has been found in more than a dozen critical networks across Poland and Asia. Notably, it often compromises an organization up to eight months before deploying a persistent backdoor, indicating patient prepositioning ahead of major geopolitical events such as the May 2026 Trump-Xi summit.
## Tactics, Techniques & Procedures
* **Initial Access:**
* Exploitation of external-facing services, primarily Microsoft Exchange Servers.
* Use of the ProxyLogon chain (CVE-2021-26855, a pre-auth SSRF, chained with CVE-2021-27065 for arbitrary file write) and related Exchange exploit chains.
* Exploitation of React Server Components (CVE-2025-55182) for RCE.
* Possible use of stolen credentials, or of earlier compromises established through AnyDesk.
* **Persistence & Command and Control:**
* Deployment of C2 beacons on a long sleep cycle (infrequent, regular check-ins) to maintain stealthy long-term access.
* Installation of Godzilla web shells.
* **Evasion:**
* **Binary Packing:** Use of the open-source Chinese tool **RingQ** to evade security software.
* **Masquerading:** Renaming legitimate Windows system binaries (ATT&CK T1036.003) so that malicious activity runs under innocuous process names.
* **Domain Squatting:** Using C2 domains that impersonate security vendors, or that are named to blend in with legitimate DNS infrastructure, so that beacons resemble product telemetry or resolver traffic.
* **Lateral Movement:**
* Utilization of Windows Management Instrumentation Command-line (WMIC).
* Credential harvesting for moving between internal Exchange servers.
* **MITRE ATT&CK Tracking:**
* Exploit Public-Facing Application (T1190)
* Windows Management Instrumentation (T1047)
* Web Shell (T1505.003)
* Masquerading (T1036)
* Obfuscated Files or Information: Software Packing (T1027.002), for the RingQ packing described above
* OS Credential Dumping (T1003), for the Evil-CreateDump credential harvesting described below
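Two of the host-level behaviours listed above (renamed Windows system binaries and WMIC-driven lateral movement) are cheap to hunt for if process-creation telemetry records the PE's original file name, as Sysmon Event ID 1 does in its `OriginalFileName` field. The following is an added example, not tooling from the report or from any of the vendors cited; the event records, the `SYSTEM_UTILITIES` baseline and the host names are constructed for illustration.

```python
"""Hunt for renamed Windows system binaries (T1036.003) and remote WMIC process
creation (T1047) in process-creation events shaped like Sysmon Event ID 1.
Added example; the sample events below are constructed, not from any incident."""

import ntpath
import re

# Sysmon EID 1 copies OriginalFileName from the PE version resource, so a renamed
# copy of a system utility shows Image basename != OriginalFileName.
# Constructed baseline of utilities worth alerting on; extend from your own estate.
SYSTEM_UTILITIES = {
    "wmic.exe", "cmd.exe", "powershell.exe", "rundll32.exe", "certutil.exe",
    "schtasks.exe", "net.exe", "reg.exe", "mshta.exe", "cscript.exe",
}

# WMIC run against another host: "/node:<target>" followed by "process call create".
WMIC_REMOTE_EXEC = re.compile(
    r"/node:\s*\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.IGNORECASE)
WMIC_NODE = re.compile(r"/node:\s*\"?([^\s\"]+)", re.IGNORECASE)


def renamed_system_binary(event):
    """Finding if the on-disk name differs from the PE's original name and the
    original is a known system utility; None otherwise."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if not original or original == "?":          # Sysmon writes "?" when absent
        return None
    if original in SYSTEM_UTILITIES and image != original:
        return {"rule": "renamed_system_binary",
                "image": event["Image"], "original": original}
    return None


def wmic_lateral_movement(event):
    """Finding when wmic.exe (by original name or image name) is used to create a
    process on a remote node; the renamed-binary check alone would miss a
    legitimately named wmic.exe doing the same thing."""
    cmd = event.get("CommandLine", "")
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if "wmic.exe" in (image, original) and WMIC_REMOTE_EXEC.search(cmd):
        target = WMIC_NODE.search(cmd).group(1)
        return {"rule": "wmic_remote_process_create",
                "target": target, "command": cmd}
    return None


def hunt(events):
    """Run every rule over every event; one event can yield several findings."""
    findings = []
    for ev in events:
        for rule in (renamed_system_binary, wmic_lateral_movement):
            finding = rule(ev)
            if finding:
                finding["user"] = ev.get("User")
                findings.append(finding)
    return findings


# Constructed sample events (Sysmon EID 1 field names, values invented).
SAMPLE_EVENTS = [
    # benign local WMIC use by helpdesk
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption", "User": "CORP\\helpdesk"},
    # wmic.exe copied to Temp and renamed, then used for remote process creation
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'svchost.exe /node:"EXCH02" process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"',
     "User": "CORP\\svc_backup"},
    # renamed rundll32.exe loading a DLL from ProgramData (sideloading-style loader)
    {"Image": r"C:\ProgramData\update\winhelp.exe", "OriginalFileName": "rundll32.exe",
     "CommandLine": r"winhelp.exe C:\ProgramData\update\core.dll,Start",
     "User": "CORP\\svc_backup"},
    # third-party binary whose name matches its original name: not a system utility
    {"Image": r"C:\Program Files\Vendor\agent.exe", "OriginalFileName": "agent.exe",
     "CommandLine": "agent.exe --run", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The two rules are deliberately independent: the second sample event trips both (renamed copy of wmic.exe, and a remote `process call create` against EXCH02), so a hit on either rule is still a useful lead when the other is evaded.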
## Targeting
* **Sectors:** Government agencies, Defense ministries/contractors, Technology firms, Transportation, and Critical Infrastructure.
* **Geography:** Primarily Asia (Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan) and Eastern Europe (Poland).
* **Victims:** Over a dozen critical networks; specifically nations aligned with the U.S. or supportive of Taiwan’s independence.
## Tools & Infrastructure
* **Malware:**
* **ShadowPad:** Modular backdoor shared among several China-nexus espionage groups.
* **NoodleRat:** A backdoor with a Linux variant, used to persist on non-Windows hosts.
* **Godzilla:** A common Chinese-language web shell.
* **Tools:**
* **RingQ:** Binary packer/evasion tool.
* **Evil-CreateDump:** Credential harvesting tool.
* **AnyDesk:** Legitimate remote-desktop tool (not RDP) abused for malware delivery.
* **Infrastructure:**
* C2 domains mimicking security products or ordinary DNS traffic (the source text lists no specific domains).
## Implications
The group’s activity is assessed as "prepositioning" for future sabotage. Much like **Volt Typhoon**, Shadow-Earth-053 focuses on "colonizing" infrastructure to retain destructive potential (wipers) should geopolitical tensions escalate. Its presence in Poland, a NATO member, marks an expansion of targeting against Western-aligned defense interests.
## Mitigations
* **Patch Management:** Immediate priority on patching legacy Microsoft Exchange vulnerabilities (ProxyLogon) and the critical React Server Components flaw (CVE-2025-55182).
* **Credential Security:** Implement MFA and monitor for credential-dumping tools such as Evil-CreateDump, including unexpected processes reading LSASS memory.
* **Host-Based Monitoring:** Scrutinize processes whose on-disk name differs from the binary's original file name (renamed Windows system binaries), and WMIC invocations against remote hosts (`/node:`), which indicate lateral movement.
* **Network Auditing:** Hunt for "sleeping" C2 traffic: low-frequency but regular beaconing to domains that mimic security products or DNS services.
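The "sleeping" C2 described under Persistence & Command and Control and hunted for in the Network Auditing item above has one property a human does not: its check-ins are timer-driven, so the gaps between them are nearly constant even when the sleep is hours long. The example below, added here and not drawn from the report, scores each (client, domain) pair in a DNS query log by the coefficient of variation of its inter-arrival times, then filters to long periods. The log format, client addresses (RFC 5737 documentation ranges) and domain names are all constructed placeholders, not indicators.

```python
"""Hunt for low-and-slow C2 beacons in DNS query logs. For each (client, domain)
pair, compute inter-arrival times; a coefficient of variation (stdev/mean) near
zero means a timer is driving the lookups. Added example; log lines constructed."""

import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log: "<UTC timestamp> <client IP> <queried name>". Three pairs:
# a 6-hour beacon with small jitter, an irregular human-driven client, and a
# regular but fast lookup (a normal time-sync style cadence) to show the filter.
SAMPLE_DNS_LOG = """\
2026-03-01T00:00:00Z 10.0.1.15 sync.edr-telemetry.example
2026-03-01T00:05:00Z 10.0.1.22 cdn.example
2026-03-01T00:05:30Z 10.0.1.22 cdn.example
2026-03-01T00:40:00Z 10.0.1.22 cdn.example
2026-03-01T01:00:00Z 10.0.1.30 time.sync.example
2026-03-01T01:01:00Z 10.0.1.30 time.sync.example
2026-03-01T01:02:00Z 10.0.1.30 time.sync.example
2026-03-01T01:03:00Z 10.0.1.30 time.sync.example
2026-03-01T01:04:00Z 10.0.1.30 time.sync.example
2026-03-01T01:05:00Z 10.0.1.30 time.sync.example
2026-03-01T03:10:00Z 10.0.1.22 cdn.example
2026-03-01T06:02:10Z 10.0.1.15 sync.edr-telemetry.example
2026-03-01T09:00:00Z 10.0.1.22 cdn.example
2026-03-01T09:00:02Z 10.0.1.22 cdn.example
2026-03-01T11:58:40Z 10.0.1.15 sync.edr-telemetry.example
2026-03-01T18:01:05Z 10.0.1.15 sync.edr-telemetry.example
2026-03-02T00:00:30Z 10.0.1.15 sync.edr-telemetry.example
2026-03-02T05:59:50Z 10.0.1.15 sync.edr-telemetry.example
2026-03-02T12:01:20Z 10.0.1.15 sync.edr-telemetry.example
2026-03-02T18:00:00Z 10.0.1.15 sync.edr-telemetry.example
"""


def parse(log_text):
    """Group epoch timestamps by (client, domain). Timestamps are parsed as UTC
    so DST transitions cannot distort the intervals."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, qname = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc).timestamp()
        events[(client, qname)].append(t)
    return events


def find_beacons(log_text, min_events=5, max_cv=0.15):
    """Every pair whose lookups are regular enough to be timer-driven, whatever
    the period. max_cv tolerates the few-percent jitter implants add on purpose."""
    findings = []
    for (client, qname), times in parse(log_text).items():
        if len(times) < min_events:
            continue
        times.sort()
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"client": client, "domain": qname,
                             "period_s": statistics.median(deltas),
                             "cv": round(cv, 4), "events": len(times)})
    return findings


def slow_beacons(log_text, min_period_s=3600, **kwargs):
    """The low-and-slow subset: regular beacons sleeping at least min_period_s."""
    return [f for f in find_beacons(log_text, **kwargs)
            if f["period_s"] >= min_period_s]


if __name__ == "__main__":
    for finding in slow_beacons(SAMPLE_DNS_LOG):
        print(finding)
```

On the constructed log the 10.0.1.15 client is reported with a median period of roughly six hours and a CV well under 0.01, the 60-second lookups are regular but fall below the period threshold, and the irregular client is never a candidate. Two limits matter in practice: the pair needs enough events to be scored (a beacon sleeping for days will take weeks to accumulate five), and an implant that randomizes its sleep heavily pushes the CV above the threshold, so treat a high CV as unscored rather than benign.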