Executive Summary
SHADOW-EARTH-053 is a China-aligned cyberespionage intrusion cluster that has been operating against government ministries, defence organisations, and critical infrastructure across South, East, and Southeast Asia since at least December 2024. Detailed analysis published by Trend Micro and Broadcom/Symantec in April–May 2026 reveals a campaign that exploits unpatched Microsoft Exchange and IIS vulnerabilities, deploys the ShadowPad backdoor via DLL sideloading, and pivots through legitimate remote access tools to maintain persistent access while minimising detection risk.
Uniquely, the campaign extends beyond traditional state and military targets to include journalists, civil society activists, and IT consultancies holding Ministry of Defence contracts — indicating a broad intelligence collection mandate that blends strategic and domestic surveillance objectives. At least one NATO member state, Poland, has been confirmed among the targets.
The breadth of targeting, combined with tooling and infrastructure overlaps with previously documented Chinese contractor groups, leads researchers to assess with moderate confidence that commercial entities operating under Chinese state direction may be responsible for the campaign.
Threat Actor Profile
SHADOW-EARTH-053 is a temporary intrusion set designation used by Trend Micro for a cluster of activity assessed to be China-aligned. The group shares tooling overlaps with Earth Alux and REF7707 — previously documented Chinese-nexus espionage actors — though SHADOW-EARTH-053 is treated as a distinct cluster pending further evidence of direct operational coordination.
The use of ShadowPad as a primary implant is a significant attribution indicator. ShadowPad is a modular remote access trojan that has been used almost exclusively by Chinese state-sponsored and contractor groups since it replaced PlugX as the preferred tool of the People’s Liberation Army Strategic Support Force (PLASSF) ecosystem in the early 2020s. Its appearance in this campaign is consistent with a Chinese state nexus.
A related intrusion set, SHADOW-EARTH-054, was found to have compromised nearly half of the same targets using identical tool hashes and overlapping TTPs. Researchers assess that SHADOW-EARTH-054 conducted independent exploitation of the same vulnerabilities rather than direct coordination — suggesting either parallel tasking by the same sponsoring authority, or opportunistic piggybacking on SHADOW-EARTH-053 footholds.
Targeting and Victim Sectors
The primary targeting focus is government ministries and defence organisations across the following countries: Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. All represent strategically significant targets from a Chinese intelligence perspective — covering regional rivals, Belt and Road partner states, and countries with ongoing territorial or political tensions with Beijing.
The campaign’s reach beyond Asia to Poland is notable. Poland, a NATO member state with a significant defence industrial base and a frontline position in the alliance’s eastern flank, represents a strategic intelligence target for China across multiple dimensions: NATO military planning, European political sentiment on Taiwan, and weapons transfer activities to Ukraine.
Beyond direct government targeting, SHADOW-EARTH-053 also compromised IT consulting firms that listed the Ministry of Defence as a client. This supply chain targeting approach allows the adversary to access sensitive government data through third parties with potentially weaker security postures — a well-established technique in Chinese espionage operations, most famously deployed in Operation Cloud Hopper by APT10.
The targeting of journalists and civil society activists is a distinct dimension that aligns with Chinese domestic security priorities. Coverage from The Diplomat notes that the same campaign infrastructure was used to target Uyghur community organisations and pro-democracy media outlets — indicating that SHADOW-EARTH-053’s mandate encompasses both foreign intelligence collection and transnational repression.
TTPs and Tradecraft
Initial Access
The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers. The ProxyLogon vulnerability chain (CVE-2021-26855 and related CVEs) remains relevant despite being disclosed in 2021 — a significant number of Exchange servers globally remain unpatched or were inadequately remediated. SHADOW-EARTH-053’s ability to use this technique successfully in 2025–2026 is an indictment of patch management discipline across the affected organisations.
Web Shell Deployment
Post-exploitation access is established via GODZILLA web shells, which are dropped to Exchange or IIS server paths following initial exploitation. GODZILLA is a popular open-source web shell framework with Java and PHP variants that supports encrypted C2 communications, making it harder to detect in network traffic inspection. The web shell provides persistent, low-level access that survives system reboots and is not dependent on running processes that might be spotted by endpoint detection tools.
ShadowPad Deployment via DLL Sideloading
The primary implant is ShadowPad, deployed using a DLL sideloading technique that abuses legitimate, digitally signed executables — in this campaign, AnyDesk, the remote desktop application. The technique works as follows: a legitimate, signed executable that loads a DLL by name without verifying its path is placed alongside a malicious DLL with the matching name. When the legitimate executable runs, it loads the malicious DLL, executing attacker code under the cover of a trusted process.
Using AnyDesk as the vehicle is tactically clever. AnyDesk is widely deployed for legitimate remote support purposes, making its presence on enterprise systems unremarkable. Network defenders monitoring for anomalous process activity are less likely to flag AnyDesk connections as suspicious. Combined with ShadowPad’s encrypted C2 communications, this gives the adversary persistent access with a low detection probability.
Command and Control
ShadowPad communicates with attacker-controlled C2 infrastructure over encrypted channels. The modular architecture of ShadowPad allows the operator to deploy additional capabilities post-infection — including keyloggers, credential harvesters, and data exfiltration modules — without deploying additional tooling that might trigger detection.
Historical Context and Related Activity
ShadowPad’s lineage traces to PlugX, the long-dominant implant of Chinese state-sponsored operations. ShadowPad emerged publicly in 2017 when it was discovered embedded in a supply chain compromise of NetSarang server management software — an early example of Chinese actors using software supply chains for broad compromise. Since then, it has appeared in confirmed operations by multiple Chinese APT clusters including APT41, APT15, and numerous PLASSF-affiliated groups.
The use of Exchange and IIS vulnerabilities for initial access has been a consistent Chinese espionage technique since the ProxyLogon disclosure in March 2021. CISA and NCSC have issued repeated advisories on the persistence of these vulnerabilities in government and critical infrastructure networks. SHADOW-EARTH-053’s continued successful exploitation of these attack surfaces suggests that advisory-driven patching cycles remain insufficient in many target sectors.
Defensive Implications
For government and defence organisations:
Patch internet-facing Exchange and IIS infrastructure immediately if this has not already been done. The ProxyLogon chain has been exploited extensively for five years; its continued relevance in 2026 campaigns reflects systemic patching failures rather than novel attack capability. Treat any internet-facing Exchange server as a high-priority target for both patching and enhanced monitoring.
Audit web shell presence on Exchange and IIS servers. GODZILLA and similar web shells are frequently placed in predictable paths. Web shell scanners including Microsoft’s own Exchange Emergency Mitigation Service (EEMS) should be run against affected server classes.
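One way to start the audit described above is to hunt in the IIS W3C logs rather than only on disk: a web shell has to be invoked, so it shows up as POST requests to a script file that the server's legitimate applications never received before. The script below is an added example, not code from Trend Micro, Broadcom or the report; it parses a constructed IIS log excerpt (the IPs, user agents and the `error_page.aspx` path are invented) and ranks script endpoints that received POSTs outside an assumed baseline of known-good endpoints, scoring unauthenticated requests that still returned 200 as the strongest signal. The `BASELINE` set is an assumption and should be built from your own server's known-good history before the hunt window.

```python
"""Hunt for web-shell-like POST activity in IIS W3C logs (added example)."""
from dataclasses import dataclass

# Script types an IIS/Exchange host can execute; a web shell is one of these.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")

# Assumed baseline: script endpoints that legitimately receive POSTs on this
# server. Build it from known-good logs; anything outside it is a hunt lead.
BASELINE = {"/ecp/default.aspx", "/owa/auth/logon.aspx"}

# Constructed IIS log excerpt (not from the report). Field names follow the
# standard W3C header; IIS encodes spaces inside a value as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-02 08:12:01 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 302
2026-04-02 08:12:03 10.0.0.5 GET /owa/ - 443 alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2026-04-02 08:12:09 10.0.0.5 POST /ecp/default.aspx - 443 alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2026-04-02 08:15:44 10.0.0.5 POST /aspnet_client/error_page.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2026-04-02 08:15:45 10.0.0.5 POST /aspnet_client/error_page.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2026-04-02 08:15:47 10.0.0.5 POST /aspnet_client/error_page.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2026-04-02 08:16:02 10.0.0.5 GET /aspnet_client/error_page.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2026-04-02 08:20:10 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2026-04-02 08:21:00 10.0.0.5 POST /ecp/x.aspx
2026-04-02 08:30:00 10.0.0.5 POST /ecp/healthcheck.ashx - 443 bob 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        yield dict(zip(fields, parts))


@dataclass
class Finding:
    client: str
    path: str
    posts: int
    first_seen: str
    unauth_200: int  # POSTs with no cs-username that still returned 200


def hunt_webshells(text, baseline=BASELINE):
    """Rank (client, script path) pairs that received POSTs outside the baseline."""
    stats = {}
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "POST":
            continue
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXT) or stem in baseline:
            continue
        key = (rec["c-ip"], stem)
        f = stats.get(key)
        if f is None:
            f = stats[key] = Finding(rec["c-ip"], stem, 0, f"{rec['date']} {rec['time']}", 0)
        f.posts += 1
        if rec["cs-username"] == "-" and rec["sc-status"] == "200":
            f.unauth_200 += 1
    # Unauthenticated successes first, then by volume.
    return sorted(stats.values(), key=lambda f: (-f.unauth_200, -f.posts))


if __name__ == "__main__":
    for f in hunt_webshells(SAMPLE_LOG):
        print(f"{f.client} -> {f.path}: {f.posts} POSTs, "
              f"{f.unauth_200} unauthenticated 200s, first seen {f.first_seen}")
```

On the constructed sample the unauthenticated burst of POSTs to `error_page.aspx` ranks first; the authenticated POST to `healthcheck.ashx` also surfaces, but lower, because an authenticated hit to an unlisted endpoint is more often a baseline gap than a shell. Either way the next step is the same: compare the file's creation time and contents on disk with the first-seen timestamp in the log.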
For IT service providers to government:
Third-party suppliers holding government contracts are a high-value target for Chinese espionage operations. Organisations in this category should treat themselves as targets, not bystanders. Implement network segmentation between government-client-facing systems and internal infrastructure, and conduct regular threat hunts for ShadowPad-associated indicators.
For all sectors:
Monitor for DLL sideloading activity — particularly where legitimate signed executables (AnyDesk, and similar remote access tools) are found in unexpected file paths alongside unknown DLLs. Hunt for GODZILLA web shell indicators in IIS and Exchange logs. Review AnyDesk deployment policies; if the tool is not actively used in your environment, consider blocking its execution.
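The sideloading mechanism described under "ShadowPad Deployment via DLL Sideloading" gives the detection its shape: a watched, signed executable loads a DLL from its own directory, and that DLL is either unsigned or signed by someone other than the tool's publisher. The check below is an added example written for this page, not tooling from Trend Micro, Broadcom or any vendor named here. It runs over constructed image-load records that use Sysmon Event ID 7 field names (`Image`, `ImageLoaded`, `Signed`, `Signature`); the paths, PIDs and the `support.dll`/`helper.dll` names are invented, and the expected publisher string in `WATCHLIST` is an assumption that should be copied from a known-good install in your own environment. Findings are rated higher when the executable itself sits outside the standard install directories, which covers the "unexpected file paths" case in the recommendation above.

```python
"""Flag DLL sideloading candidates in image-load telemetry (added example)."""
import ntpath  # Windows path handling regardless of the host running the hunt

# Assumed: expected code-signing publisher per watched executable, lower-cased.
# Take the exact string from a known-good install; extend with other RATs.
WATCHLIST = {"anydesk.exe": "anydesk software gmbh"}

# Directories where a deployed copy of a watched tool is expected to live.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed records using Sysmon Event ID 7 (image load) field names.
EVENTS = [
    {"UtcTime": "2026-04-03 09:01:10", "ProcessId": 4120,
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"UtcTime": "2026-04-03 09:01:11", "ProcessId": 4120,
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ImageLoaded": r"C:\Program Files (x86)\AnyDesk\helper.dll",
     "Signed": "true", "Signature": "Example Corp"},
    {"UtcTime": "2026-04-03 11:42:05", "ProcessId": 5532,
     "Image": r"C:\Users\Public\Music\AnyDesk.exe",
     "ImageLoaded": r"C:\Users\Public\Music\support.dll",
     "Signed": "false", "Signature": "-"},
    {"UtcTime": "2026-04-03 11:42:06", "ProcessId": 5532,
     "Image": r"C:\Users\Public\Music\AnyDesk.exe",
     "ImageLoaded": r"C:\Users\Public\Music\vendor.dll",
     "Signed": "true", "Signature": "AnyDesk Software GmbH"},
    {"UtcTime": "2026-04-03 12:00:00", "ProcessId": 6010,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def sideload_findings(events, watchlist=WATCHLIST):
    """Return suspicious same-directory DLL loads by watched executables."""
    findings = []
    for ev in events:
        exe, dll = ev["Image"], ev["ImageLoaded"]
        expected = watchlist.get(ntpath.basename(exe).lower())
        if expected is None:
            continue  # not a watched executable
        exe_dir = ntpath.dirname(exe).lower() + "\\"
        dll_dir = ntpath.dirname(dll).lower() + "\\"
        if dll_dir != exe_dir:
            continue  # sideloading relies on the DLL sitting beside the exe
        signed = str(ev.get("Signed", "false")).lower() == "true"
        signer = str(ev.get("Signature", "")).lower()
        if signed and signer == expected:
            continue  # the publisher's own signed DLL
        reason = ("unsigned DLL" if not signed
                  else f"DLL signed by '{ev['Signature']}', expected '{expected}'")
        # Portable copy outside the install directories plus a foreign DLL is
        # the strongest combination; a foreign DLL in the real install dir
        # still deserves a look.
        severity = "medium" if exe_dir.startswith(EXPECTED_DIRS) else "high"
        findings.append({"time": ev.get("UtcTime"), "pid": ev.get("ProcessId"),
                         "exe": exe, "dll": dll, "reason": reason,
                         "severity": severity})
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for f in sideload_findings(EVENTS):
        print(f"[{f['severity']}] {f['time']} pid {f['pid']}: {f['exe']} "
              f"loaded {f['dll']} ({f['reason']})")
```

Two of the five constructed events survive: the unsigned `support.dll` loaded by an AnyDesk copy in a user-writable directory (high) and the `helper.dll` signed by a different publisher inside the real install directory (medium). The `vendor.dll` load from the same stray copy is suppressed because its signer matches the expected publisher, so the check stays focused on the foreign-code condition rather than firing on every portable install.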
Indicators of Compromise:
Trend Micro and Broadcom have published IoCs associated with this campaign including ShadowPad C2 infrastructure, GODZILLA web shell hashes, and DLL sideloading artefacts. Defenders should import these into threat intelligence platforms and SIEM detection rules.
Assessment
SHADOW-EARTH-053 represents the current state of Chinese strategic espionage: patient, technically disciplined, and calibrated to avoid disruption in favour of persistent access and data collection. The simultaneous targeting of government ministries, defence contractors, and civil society activists indicates a broad intelligence mandate that spans both foreign policy and domestic security objectives.
The presence of this activity in Poland extends the campaign’s significance beyond Asia. As NATO member states increase defence spending and deepen military cooperation in response to the war in Ukraine, Chinese intelligence collection against alliance infrastructure and decision-making is a structural priority — not an opportunistic side-effect.
For organisations in Adversary Wire’s coverage sectors operating in affected regions or with supply chain relationships to affected governments, SHADOW-EARTH-053 activity represents a credible and current threat. The technical barriers to entry are low — unpatched Exchange servers remain widespread — and the adversary has demonstrated both the capability and intent to sustain operations over extended periods.