Trend Micro has discovered a series of cyber espionage campaigns attributed to a China-aligned threat cluster it tracks as SHADOW-EARTH-053, targeting government entities and critical infrastructure across South, East, and Southeast Asia (Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan), as well as the NATO member Poland.
The attackers primarily exploited known but unpatched (N-day) vulnerabilities in Microsoft Exchange Server and Internet Information Services (IIS), using techniques resembling the ProxyLogon exploit chain, to deploy GODZILLA web shells on the compromised servers. The web shells gave them persistent remote access and the ability to execute commands on the affected systems.
Trend Micro noted that nearly half of the SHADOW-EARTH-053 victims had also been breached earlier by a related intrusion set, tracked as SHADOW-EARTH-054. While both clusters share identical malware hashes and overlapping tactics, techniques, and procedures, researchers found no evidence of direct coordination, which could mean the groups exploited the flaws in parallel rather than in joint operations.
Following initial compromise, the attackers used the web shells as a foothold for deeper network intrusion, including reconnaissance and credential harvesting. They also deployed the ShadowPad backdoor by DLL sideloading, in which a legitimately signed executable is placed alongside an attacker-controlled DLL carrying the name of a library the executable loads, so the malicious code runs under the signed binary's identity. In some cases, the researchers observed the threat actor using the AnyDesk remote access tool to deliver payloads and establish persistence.
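The sideloading pattern described above leaves a recognisable trace in image-load telemetry. As an added example, not code from the report or the page, the following rule runs over Sysmon Event ID 7 (image loaded) records and flags an unsigned DLL loaded from the same directory as the executable that imports it, scoring the hit higher when the DLL borrows a System32 name, the host runs from a user-writable path, or the host itself is signed. The event records, the DLL name list, the trusted roots and the host-signature lookup are constructed assumptions.

```python
"""
Added example (not code from the report or the page): a detection pass over
Sysmon Event ID 7 (image loaded) records to surface DLL sideloading, i.e. an
unsigned DLL loaded from the same directory as the executable that imports it.
The event records, the list of commonly hijacked DLL names, the trusted roots
and the host-signature lookup are constructed assumptions for this demo.
"""
import ntpath

# DLL names that normally resolve from System32 and are frequently planted
# next to a signed host binary (assumption; extend from your own telemetry).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "userenv.dll", "msimg32.dll", "cryptbase.dll"}
# Directories a standard user cannot write to (assumption; site-specific).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Event ID 7 carries the signature state of the *loaded* image only, so the
# host's own signature comes from a separate lookup (assumption: populated from
# an Authenticode check of the process image).
HOST_SIGNED = {"c:\\users\\public\\libraries\\vfhost.exe": True,
               "c:\\program files\\vendor\\app.exe": False}

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 7 records
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\Public\\Libraries\\vfhost.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _dir(path):
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path.lower()).rstrip("\\") + "\\"


def check_image_load(evt, host_signed=None):
    """Return a finding for one Event ID 7 record, or None when the rule does not fire."""
    exe, dll = evt["Image"], evt["ImageLoaded"]
    if _dir(exe) != _dir(dll):
        return None  # not co-located: search-order hijacks need a different rule
    validly_signed = (evt.get("Signed", "").lower() == "true"
                      and evt.get("SignatureStatus") == "Valid")
    if validly_signed:
        return None
    reasons = ["unsigned DLL loaded from the host executable's own directory"]
    name = ntpath.basename(dll).lower()
    if name in SYSTEM_DLL_NAMES:
        reasons.append(f"{name} normally resolves from System32")
    if not _dir(exe).startswith(TRUSTED_ROOTS):
        reasons.append("host runs from a user-writable location")
    if (host_signed or {}).get(exe.lower()):
        reasons.append("host executable is signed: a classic sideload carrier")
    return {"process": exe, "dll": dll,
            "severity": "high" if len(reasons) >= 3 else "low",
            "reasons": reasons}


def scan_image_loads(events, host_signed=None):
    """Apply the rule to a batch of records and keep only the hits."""
    return [f for f in (check_image_load(e, host_signed) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_image_loads(SAMPLE_EVENTS, HOST_SIGNED):
        print(finding["severity"], finding["dll"], "|", "; ".join(finding["reasons"]))
```

The "low" bucket exists because plenty of legitimate vendor software ships unsigned helper DLLs next to a signed launcher under Program Files; the combination that matters is a System32 name, a user-writable directory and a signed carrier, which is what the constructed vfhost.exe/version.dll pair shows.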
In at least one observed incident, the campaign exploited CVE-2025-55182, also known as React2Shell, to deliver a Linux variant of Noodle RAT, a malware family also tracked as ANGRYREBEL. Google Threat Intelligence Group has linked this specific attack chain to a separate cluster it tracks as UNC6595, pointing to possible overlap in tooling or shared exploitation methods.
The attackers also employed a range of post-exploitation utilities: the tunneling tools IOX, GOST, and Wstunnel to maintain covert command-and-control channels, and the RingQ packer to obfuscate malicious binaries. Credential theft and privilege escalation were carried out with Mimikatz, while lateral movement relied on a custom Remote Desktop Protocol (RDP) launcher and Sharp-SMBExec, a C# implementation of SMBExec.
“Organizations operating internet-facing Microsoft Exchange or IIS infrastructure, particularly in the affected regions, should treat this campaign as a strong signal to audit patch levels, review web shell detection capabilities, and scrutinize outbound traffic from web servers,” Trend Micro has advised. The company’s report also provides indicators of compromise (IoCs) to help organizations identify potential exposure to the threat.
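The advice to scrutinize outbound traffic from web servers is concrete enough to encode. As an added example, not code from Trend Micro or this page, the rule below runs over Sysmon Event ID 3 (network connection) records and tallies sessions that an IIS worker process (w3wp.exe) initiated to external hosts outside a small allowlist; repeated connections to one destination are what a tunnel such as IOX, GOST or Wstunnel, or a web shell's reverse channel, looks like. The worker process names, the allowlist, the internal network list and the sample events are assumptions.

```python
"""
Added example (not code from the report or the page): the "scrutinize outbound
traffic from web servers" check, run over constructed Sysmon Event ID 3
(network connection) records. An IIS worker process has no reason to open
sessions to arbitrary public hosts; a tunnel such as IOX, GOST or Wstunnel, or
a web shell's reverse channel, surfaces exactly there. The worker process
names, the destination allowlist, the internal network list and the sample
events are assumptions for this demo.
"""
import ipaddress
from collections import Counter

WEB_WORKERS = {"w3wp.exe"}                # IIS worker process (assumption: IIS/Exchange host)
ALLOWED_DESTS = {("203.0.113.10", 443)}   # sanctioned upstream, e.g. a proxy (assumption)

# Explicit internal ranges rather than ipaddress.is_private/is_global: Python
# classes the RFC 5737 documentation ranges used below as non-global, which
# would silently hide the constructed "attacker" addresses (assumption: site
# ranges beyond RFC 1918 would be added here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]

W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SAMPLE_EVENTS = [  # constructed records; 198.51.100.x / 192.0.2.x stand in for public hosts
    {"UtcTime": "2024-03-01 08:10:02", "Image": W3WP, "Initiated": "true",
     "DestinationIp": "10.0.0.12", "DestinationPort": "389"},
    {"UtcTime": "2024-03-01 08:10:05", "Image": W3WP, "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"UtcTime": "2024-03-01 08:11:40", "Image": W3WP, "Initiated": "true",
     "DestinationIp": "198.51.100.77", "DestinationPort": "8443"},
    {"UtcTime": "2024-03-01 08:12:40", "Image": W3WP, "Initiated": "true",
     "DestinationIp": "198.51.100.77", "DestinationPort": "8443"},
    {"UtcTime": "2024-03-01 08:13:40", "Image": W3WP, "Initiated": "true",
     "DestinationIp": "198.51.100.77", "DestinationPort": "8443"},
    {"UtcTime": "2024-03-01 08:14:03", "Image": W3WP, "Initiated": "false",
     "DestinationIp": "198.51.100.200", "DestinationPort": "443"},
    {"UtcTime": "2024-03-01 08:15:11", "Image": W3WP, "Initiated": "true",
     "DestinationIp": "192.0.2.9", "DestinationPort": "22"},
    {"UtcTime": "2024-03-01 08:16:00",
     "Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeTransport.exe",
     "Initiated": "true", "DestinationIp": "198.51.100.5", "DestinationPort": "25"},
]


def is_external(ip):
    """True unless the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_from_web_workers(events):
    """Tally worker-initiated connections to unexpected external hosts; repeats hint at beaconing."""
    tally, first_seen = Counter(), {}
    for e in events:
        if e.get("Initiated", "").lower() != "true":
            continue  # inbound accept, not an outbound session
        if e["Image"].rsplit("\\", 1)[-1].lower() not in WEB_WORKERS:
            continue
        dst, port = e["DestinationIp"], int(e["DestinationPort"])
        if not is_external(dst) or (dst, port) in ALLOWED_DESTS:
            continue
        key = (e["Image"], dst, port)
        tally[key] += 1
        first_seen.setdefault(key, e["UtcTime"])
    return [{"image": img, "dst": dst, "port": port, "count": n,
             "first_seen": first_seen[(img, dst, port)]}
            for (img, dst, port), n in tally.most_common()]


if __name__ == "__main__":
    for f in find_outbound_from_web_workers(SAMPLE_EVENTS):
        print(f"{f['count']:>3}x {f['dst']}:{f['port']} from {f['image']} (first {f['first_seen']})")
```

Run against real telemetry, the allowlist should hold only destinations the web tier is documented to need (update and certificate endpoints, a sanctioned egress proxy); anything else an IIS worker dials out to, especially on a non-web port and more than once, is worth a packet capture.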