
China-Aligned SHADOW-EARTH Deploys ShadowPad, IOX Proxy, and WMIC in Multi-Stage Espionage Campaign Across Asia

dark6 2 May 2026

Trend Micro researchers have disclosed a sophisticated multi-stage espionage campaign attributed to a China-aligned threat group, tracked under the temporary designation SHADOW-EARTH-053. Active since at least December 2024, the campaign has targeted government agencies and critical infrastructure across eight countries in South and Southeast Asia, deploying a combination of ShadowPad malware, covert proxy tools, and living-off-the-land techniques to maintain long-term, hidden presence inside victim networks.

Initial Access: Unpatched Exchange and IIS Servers

The attackers gain initial access by exploiting known but unpatched vulnerabilities in Microsoft Exchange and Internet Information Services (IIS) servers. The group specifically targeted the ProxyLogon vulnerability chain — comprising CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — flaws that have had available patches for years yet remain unaddressed in many enterprise environments, particularly within government agencies managing legacy infrastructure.

Following successful exploitation, the attackers deploy GODZILLA web shells to establish persistent backdoor access, enabling remote command execution at will without requiring re-exploitation of the initial access vector.

ShadowPad: A Shared Espionage Tool

The primary implant used across this campaign is ShadowPad, a modular backdoor originally developed by APT41 in 2017 and subsequently shared among multiple China-aligned threat groups from 2019 onward. ShadowPad’s modular architecture allows operators to load and unload capabilities dynamically, making it highly adaptable for different espionage objectives while minimizing the on-disk footprint at any given time.

Researchers identified a closely related cluster, SHADOW-EARTH-054, sharing identical tool hashes and overlapping attack methodologies. In nearly half of the targeted environments, both clusters had compromised the same organizations simultaneously. Confirmed victims span Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland, with assessments pointing to Chinese strategic intelligence interests as the primary motivation.

DLL Sideloading: Blending In With Legitimate Software

One of the most technically notable aspects of this campaign is the ShadowPad loading mechanism. The attackers use a DLL sideloading technique, placing a malicious DLL alongside legitimate signed executables from vendors including Toshiba, Samsung, and Microsoft. When the legitimate program launches, it resolves a library it depends on from its own directory and so inadvertently loads the malicious DLL instead of the genuine one.

What makes this loader exceptionally stealthy is that the ShadowPad payload is not stored within the DLL itself. Instead, the loader retrieves an AES-encrypted payload from a machine-specific registry key located at HKEY_CURRENT_USER\Software. This design means that the malicious DLL appears largely benign in static analysis, and the payload only materializes in memory at runtime — significantly hampering forensic investigation and detection by signature-based security tools.

Persistence was maintained through a scheduled task named M1onltor, configured to execute the sideloaded binary every five minutes with the highest available system privileges.

Lateral Movement and Credential Harvesting

Beyond the initial foothold, the attackers deployed several additional tools to expand their access:

  • IOX proxy to establish covert communication channels back to attacker-controlled infrastructure
  • WMIC (Windows Management Instrumentation Command-line) to push backdoors onto additional hosts within the network
  • GOST and Wstunnel open-source tunneling tools to route traffic over SOCKS5 and HTTPS connections, evading network-level monitoring
  • Mimikatz and Evil-CreateDump executed through IIS worker processes to harvest credentials and Active Directory account data from memory

The use of IIS worker processes as the execution vehicle for credential-harvesting tools is a deliberate living-off-the-land tactic, leveraging a trusted system process to run offensive tooling and reduce the likelihood of triggering endpoint detection rules.

Detection and Response Guidance

  • Patch Exchange and IIS servers immediately — organizations still running unpatched ProxyLogon-era versions are actively being targeted.
  • Hunt for the M1onltor scheduled task and for suspicious DLL sideloading patterns, in particular signed Toshiba, Samsung, or Microsoft executables running from non-standard directories.
  • Audit HKCU\Software registry keys for unexpected encrypted binary blobs that may represent staged ShadowPad payloads.
  • Monitor WMIC execution from web server processes (IIS, Apache) and alert on lateral movement patterns originating from server infrastructure.
  • Deploy network monitoring for SOCKS5 tunneling and unusual HTTPS traffic patterns to unfamiliar external endpoints.
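As an added example (not code from the article or from Trend Micro), the toy detection logic below applies three of the hunting points above to constructed, Sysmon-style process-creation and scheduled-task events: offensive tooling spawned by a web server worker process, a signed vendor binary executing outside the standard program directories, and the reported task name. The event schema, field names, and all sample paths are assumptions for illustration.

```python
# Added example, not from the article or the Trend Micro report.
# Field names and sample values are assumptions loosely modelled on
# Sysmon-style process-creation and scheduled-task telemetry.
from dataclasses import dataclass

WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe"}        # IIS worker, Apache
LATERAL_TOOLS = {"wmic.exe", "mimikatz.exe"}          # tools named in the article
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
SIGNED_VENDORS = {"toshiba", "samsung", "microsoft"}  # sideloading hosts per the article
SUSPICIOUS_TASK_NAMES = {"m1onltor"}                  # task name reported in the article

@dataclass
class Event:
    kind: str              # "process" or "task"
    image: str = ""        # full path of the created process
    parent: str = ""       # parent process image name
    signer: str = ""       # publisher on the Authenticode signature, if any
    task_name: str = ""    # only for "task" events

def analyse(ev: Event) -> list[str]:
    """Return the names of every rule the event matches (empty if clean)."""
    hits = []
    if ev.kind == "task" and ev.task_name.lower() in SUSPICIOUS_TASK_NAMES:
        hits.append("known_malicious_task_name")
    if ev.kind == "process":
        path = ev.image.lower()
        name = path.rsplit("\\", 1)[-1]
        # Credential/lateral tooling launched by a web server worker process.
        if ev.parent.lower() in WEB_SERVER_PARENTS and name in LATERAL_TOOLS:
            hits.append("offensive_tool_from_web_server_process")
        # Signed vendor binary running from a directory it would not normally live in.
        if ev.signer.lower() in SIGNED_VENDORS and not path.startswith(STANDARD_DIRS):
            hits.append("signed_vendor_binary_in_nonstandard_dir")
    return hits

def scan(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Run all events through the rules; return (index, hits) for those that fire."""
    return [(i, h) for i, ev in enumerate(events) if (h := analyse(ev))]

# Constructed sample telemetry; paths and names are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wbem\WMIC.exe", "w3wp.exe", "microsoft"),
    Event("process", r"C:\Users\Public\Update\vendor_tool.exe", "explorer.exe", "toshiba"),
    Event("task", task_name="M1onltor"),
    Event("process", r"C:\Program Files\Vendor\tool.exe", "explorer.exe", "samsung"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The fourth sample event is a benign control: a signed vendor binary in its expected location produces no hits, which is the distinction the sideloading rule relies on.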

This campaign reflects the maturity and patience of China-aligned espionage operations, which routinely exploit legacy vulnerabilities in under-resourced government environments and maintain persistence for months or years before detection. Organizations operating critical national infrastructure in the affected regions should treat ShadowPad indicators of compromise as a high-priority investigation trigger.
