Campaign

SHADOW-EARTH-053 Exchange/IIS espionage against government and defense networks

Updated 01.05.2026 17:02

Case score 55

Case score 55 Members 1 Latest activity 01.05.2026 17:02

Members 1 First seen 01.05.2026 17:02 Last seen 01.05.2026 17:02 Updated 01.05.2026 17:02

Overview

**SHADOW-EARTH-053** is exploiting internet-facing **Microsoft Exchange** and **IIS** systems to reach government and defense networks across South, East, and Southeast Asia and Poland. After access, the operators deploy **Godzilla** web shells, stage **ShadowPad** through **AnyDesk** and DLL sideloading, and in at least one chain use **CVE-2025-55182** to deliver **Linux Noodle RAT**. The activity has been active since at least December 2024 and uses tunneling, privilege-escalation, and lateral-movement tooling to sustain access. Available evidence indicates overlap with a related intrusion set for some victims, while the full scope of compromise remains unquantified.

Key facts

**SHADOW-EARTH-053** is actively targeting government and defense networks across South, East, and Southeast Asia and Poland.
Initial access starts with internet-facing **Microsoft Exchange** and **IIS** systems.
**Godzilla** web shells provide persistence and command execution, and **ShadowPad** is staged through **AnyDesk** and DLL sideloading.
One intrusion chain used **CVE-2025-55182** to deliver **Linux Noodle RAT**.
The activity has been active since at least December 2024 and uses tools such as **IOX**, **GOST**, **Wstunnel**, **RingQ**, **Mimikatz**, **Sharp-SMBExec**, and custom RDP tooling.
Nearly half of the identified targets, including organizations in Malaysia, Sri Lanka, and Myanmar, were also previously compromised by a related intrusion set.
Trend Micro recommends applying security updates and cumulative patches or using IPS/WAF virtual patching when immediate updates are not feasible.

Malware context

3 families · 3 tools

Tools

HealthKick Mimikatz Sharp-SMBExec

Signals

10 derived

CVEs/products

CVE

Victims/regions

Sector government Victim region Malaysia Victim region Myanmar Victim region Poland Victim region Sri Lanka Victim region United States

Threat context

Actor SHADOW-EARTH-053 Malware Tooling

Member happenings

1 related

Campaign SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Updated 01.05.2026 17:02 Lead Contribution 55

Campaign Active Objective Espionage

**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**, creating persistent access for intelligence collection. The operation has been active since **at least December 2024** and uses **internet-facing Microsoft Exchange and IIS vulnerabilities** to gain entry, then deploys **Godzilla** web shells and **ShadowPad** implants. The intrusion chain also includes **CVE-2025-55182** in one case, plus tunneling, privilege-escalation, and lateral-movement tooling to extend reach inside victim networks.

View happening