Nation-State · high · China (PRC)

SHADOW-EARTH-053

China-aligned (moderate confidence — assessed as possible state contractor) · Strategic espionage / transnational repression

Reports: 1
Active Since: 2024
Last Reported: 22 May 2026
Sectors Targeted: critical-infrastructure, communications

Tactics, Techniques & Procedures (TTPs)

  • N-day exploitation of internet-facing Microsoft Exchange servers and their IIS front ends (ProxyLogon chain: CVE-2021-26855 unauthenticated SSRF followed by CVE-2021-27065 arbitrary file write, patched by Microsoft in March 2021)
  • GODZILLA web shell deployment on the compromised Exchange host for persistent command execution
  • ShadowPad backdoor delivery via DLL sideloading by a legitimate, signed AnyDesk binary
  • Dual targeting: government/defence entities and journalists/civil society activists
  • IT supply chain targeting — compromising consultancies with Ministry of Defence contracts
  • Encrypted C2 communications via ShadowPad modular architecture
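The first two TTPs leave traces in the Exchange logs that an incident responder can triage without vendor tooling. The script below is an added example, not code from this page or from Trend Micro or Broadcom. It assumes the Exchange HttpProxy log layout (comment lines prefixed with `#`, a `#Fields:` header naming `DateTime`, `ClientIpAddress`, `UrlStem`, `AuthenticatedUser` and `AnchorMailbox`, then CSV rows), treats ECP server logs as free text, and uses a small, assumed allowlist of legitimate `/owa/auth/` pages that must be tuned per environment. All sample lines are constructed for the demo; the SSRF row mirrors the publicly described `ServerInfo~` anchor shape, and the web shell name and hostnames are placeholders.

```python
"""Triage Exchange HttpProxy and ECP server logs for ProxyLogon-chain activity.

Added example; not code from the page or from Trend Micro/Broadcom. Assumed:
  - HttpProxy logs are CSV preceded by '#' comment lines, one of which is the
    '#Fields:' header naming DateTime, ClientIpAddress, UrlStem,
    AuthenticatedUser and AnchorMailbox (the Exchange HttpProxy log layout).
  - ECP server logs are treated as free text and only pattern-matched.
  - The /owa/auth/ allowlist below is a starting point to tune per environment.
All sample lines are constructed for this demo, not captured traffic.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from typing import Iterator

# CVE-2021-26855 (SSRF): the unauthenticated front-end request is routed with a
# crafted anchor, which the HttpProxy log records as "ServerInfo~<host>/<path>".
SERVERINFO_RE = re.compile(r"^ServerInfo~", re.IGNORECASE)
# CVE-2021-27065 (file write): the attacker points a virtual directory's
# ExternalUrl at web-shell content via a Set-*VirtualDirectory cmdlet.
ECP_WRITE_RE = re.compile(r"Set-\w+VirtualDirectory.*ExternalUrl", re.IGNORECASE)
# .aspx pages expected under /owa/auth/; anything else fetched without an
# authenticated user is a web-shell candidate (where GODZILLA shells get dropped).
OWA_AUTH_ALLOW = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}  # assumed; tune
OWA_AUTH_ASPX_RE = re.compile(r"^/owa/auth/(?:[^?]*/)?([^/?]+\.aspx)", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    indicator: str
    when: str
    client: str
    url: str


def parse_httpproxy(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the '#Fields:' line."""
    fields: list[str] | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row before '#Fields:' header")
        values = next(csv.reader(io.StringIO(line)))
        yield dict(zip(fields, values))


def scan_httpproxy(text: str) -> list[Hit]:
    """Return SSRF and web-shell-access hits found in an HttpProxy log."""
    hits: list[Hit] = []
    for row in parse_httpproxy(text):
        when, client = row.get("DateTime", ""), row.get("ClientIpAddress", "")
        url, user = row.get("UrlStem", ""), row.get("AuthenticatedUser", "")
        if SERVERINFO_RE.match(row.get("AnchorMailbox", "")):
            hits.append(Hit("CVE-2021-26855 SSRF (ServerInfo~ anchor)", when, client, url))
        m = OWA_AUTH_ASPX_RE.match(url)
        if m and not user and m.group(1).lower() not in OWA_AUTH_ALLOW:
            hits.append(Hit("unauthenticated non-standard /owa/auth/ .aspx", when, client, url))
    return hits


def scan_ecp(lines: list[str]) -> list[str]:
    """Return ECP server log lines showing a Set-*VirtualDirectory ExternalUrl write."""
    return [line for line in lines if ECP_WRITE_RE.search(line)]


# Constructed sample data (documentation IPs, fake hostnames, placeholder shell name).
SAMPLE_HTTPPROXY = """\
#Software: Microsoft Exchange Server
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2026-05-20T09:14:02.113Z,203.0.113.7,/owa/auth/x.js,,ServerInfo~a]@exch01.corp.example:444/autodiscover/autodiscover.xml?#
2026-05-20T09:14:05.901Z,203.0.113.7,/owa/auth/current/themes/resources/shell.aspx,,
2026-05-20T09:15:11.000Z,198.51.100.22,/owa/auth/logon.aspx,,
2026-05-20T09:16:00.000Z,198.51.100.23,/owa/,alice@corp.example,alice@corp.example
"""
SAMPLE_ECP = [
    "2026-05-20T09:14:03.500Z,ecp,alice@corp.example,S:CMD=Get-OabVirtualDirectory",
    "2026-05-20T09:14:04.210Z,ecp,admin@corp.example,"
    "S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/<script runat=\"server\">...'",
]

if __name__ == "__main__":
    for h in scan_httpproxy(SAMPLE_HTTPPROXY):
        print(f"{h.when} {h.client} {h.indicator}: {h.url}")
    for line in scan_ecp(SAMPLE_ECP):
        print("ECP write:", line)
```

On a real server, feed `scan_httpproxy` each file under the Exchange install's `Logging\HttpProxy\` subdirectories and `scan_ecp` the files under `Logging\ECP\Server\`. A `ServerInfo~` anchor on an unauthenticated request is the SSRF itself; a following unauthenticated hit on an unexpected `.aspx` under `/owa/auth/` from the same client is the web shell being used, and is the row to pivot on for the GODZILLA and ShadowPad stages that follow.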

Known Targets

  • Government ministries across South, East, and Southeast Asia (Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan)
  • NATO member state infrastructure (Poland)
  • Defence organisations and contractors
  • IT consultancies with government/MoD contracts
  • Journalists and pro-democracy media outlets
  • Uyghur community organisations and civil society activists

Analyst Notes

Identified by Trend Micro and Broadcom in April–May 2026. The dual targeting of government/defence entities alongside journalists and Uyghur activists indicates both a foreign intelligence mandate and a domestic surveillance/transnational repression objective, a pattern characteristic of Chinese state-contracted operations. The closely related cluster SHADOW-EARTH-054 independently compromised roughly half of the same targets using tools with identical hashes, suggesting parallel tasking by the same sponsoring authority. That the ProxyLogon chain, patched by Microsoft in March 2021, still yields access in 2026 reflects persistent patch management failures across the affected sectors; any Exchange server reachable from the internet should be checked for the post-exploitation artefacts above rather than assumed clean because it has since been updated.

Also Known As

  • Overlaps with Earth Alux
  • Overlaps with REF7707
  • Related cluster: SHADOW-EARTH-054