Campaign
SHADOW-EARTH-053 Exchange/IIS espionage against government and defense networks
Updated 01.05.2026 17:02
Case score 55
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total: 55
- Main story score: 55
- Related evidence lift: +0 / 20
- Contributing updates: 0
- Context updates: 0
Top contributors
- Campaign (main): Core espionage campaign with web-shell access, implant staging, and lateral-movement tooling.
  - Case score: 55
  - Members: 1
  - Latest activity: 01.05.2026 17:02
Members: 1
First seen: 01.05.2026 17:02
Last seen: 01.05.2026 17:02
Updated: 01.05.2026 17:02
Overview
**SHADOW-EARTH-053** is exploiting internet-facing **Microsoft Exchange** and **IIS** systems to break into government and defense networks across South, East, and Southeast Asia and Poland. After gaining access, the operators deploy **Godzilla** web shells for persistence and command execution, then stage **ShadowPad** through **AnyDesk** and DLL sideloading. At least one intrusion chain also used **CVE-2025-55182** to deliver **Linux Noodle RAT**.
The activity has been ongoing since at least December 2024 and relies on tunneling, privilege-escalation, and lateral-movement tooling, including **IOX**, **GOST**, **Wstunnel**, **RingQ**, **Mimikatz**, **Sharp-SMBExec**, and custom RDP tooling, to sustain access. Available evidence indicates that nearly half of the identified targets, including organizations in Malaysia, Sri Lanka, and Myanmar, had previously been compromised by a related intrusion set. The full scope of compromise remains unquantified. Trend Micro recommends applying security updates and cumulative patches to exposed systems, or using IPS or WAF virtual patching where immediate updates are not feasible.
Signals
11 derived
Impact signals
CVEs/products
CVE
Victims/regions
Sector: government
Victim regions: Malaysia, Myanmar, Poland, Sri Lanka, United States
Status
Campaign status: Active
Threat context
Actor: SHADOW-EARTH-053
Malware / Tooling
Malware context: 3 families · 3 tools
Tools:
- HealthKick
- Mimikatz
- Sharp-SMBExec
Member happenings
1 related
Campaign: SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Objective: Espionage
Campaign status: Active