Back

China-Linked Cyber Espionage Campaign Targets Critical Infrastructure in Asia and South America

Severity: High (Score: 75.0)

Sources: www.trendmicro.com, www.elastic.co, Gbhackers, Theregister, Cybersecuritynews

Summary

A China-aligned threat group, identified as Shadow-Earth-053, has been conducting a sophisticated cyber espionage campaign since December 2024, targeting government agencies and critical infrastructure across at least eight countries, including Poland and several in Asia. The group utilizes advanced malware such as ShadowPad and employs tactics like exploiting vulnerabilities in Microsoft Exchange Servers. Recent reports indicate that this group has compromised networks for up to eight months before deploying their backdoor tools. Additionally, a separate campaign known as REF7707 has been targeting a South American foreign ministry, utilizing novel malware families and exhibiting poor operational security. The ongoing threat from these groups highlights the vulnerabilities in critical sectors, necessitating immediate action from cybersecurity professionals. Key Points: • Shadow-Earth-053 has targeted at least eight countries, including Poland and several Asian nations. • The group exploits vulnerabilities in Microsoft Exchange Servers to gain initial access. • REF7707 is another campaign targeting a South American foreign ministry with novel malware.

Key Entities

  • APT41 (apt_group)
  • Earth Alux (apt_group)
  • Salt Typhoon (apt_group)
  • Shadow-Earth-053 (apt_group)
  • Shadow-Earth-054 (apt_group)
  • Malware (attack_type)
  • Ref7707 (campaign)
  • Brazil (country)
  • India (country)
  • Malaysia (country)
  • Myanmar (country)
  • Pakistan (country)
  • CVE-2021-26855 (cve)
  • CVE-2021-26857 (cve)
  • CVE-2021-26858 (cve)
  • CVE-2021-27065 (cve)
  • CVE-2025-55182 (cve)
  • Defense (industry)
  • Government (industry)
  • Technology (industry)
  • Telecommunications (industry)
  • Transportation (industry)
  • 47.83.8.198 (ipv4)
  • FinalDraft (malware)
  • GodZilla (malware)
  • Guidloader (malware)
  • NoodleRat (malware)
  • Pathloader (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.002 - SMB/Windows Admin Shares (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1047 - Windows Management Instrumentation (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • IIS (platform)
  • Linux (platform)
  • Microsoft Exchange (platform)
  • Microsoft Exchange Server (platform)
  • Windows (platform)
  • 08331f33d196ced23bb568689c950b39ff7734b7461d9501c404e2b1dc298cc1 (sha256)
  • 6d79dfb00da88bb20770ffad636c884bad515def4f8e97e9a9d61473297617e3 (sha256)
  • 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf (sha256)
  • 7Zip (tool)
  • AnyDesk (tool)
  • CDB.exe (tool)
  • Certutil (tool)
  • Diskshadow.exe (tool)
  • ProxyLogon (vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed