
Chinese Spy Group Shadow-Earth-053 Targets Critical Networks in Poland and Asia

Severity: High (Score: 75.0)

Sources: www.trendmicro.com, Theregister, www.elastic.co

Summary

A new China-linked threat group, Shadow-Earth-053, has infiltrated over a dozen critical networks in Poland and several Asian countries since December 2024. Its primary initial-access vector is the exploitation of vulnerabilities in Microsoft Exchange Server. The group has been linked to the deployment of ShadowPad, a custom backdoor associated with China's APT41. Half of the compromised organizations were also affected by a related group, Shadow-Earth-054, which shares similar techniques and tool hashes. The victims include government agencies, defense contractors, technology firms, and the transportation sector across at least eight countries, including Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. TrendAI researchers express concern that command and control (C2) infrastructure may still be present in these environments. The group appears to be strategically targeting nations aligned with the US and supportive of Taiwan's independence. The activity was uncovered recently, indicating an ongoing threat to critical infrastructure.

Key Points:

  • Shadow-Earth-053 has infiltrated critical networks in Poland and Asia since December 2024.
  • The group exploits vulnerabilities in Microsoft Exchange Server to gain initial access.
  • Half of the victims were also compromised by a related group, Shadow-Earth-054.

Key Entities

  • APT41 (apt_group)
  • Earth Alux (apt_group)
  • Salt Typhoon (apt_group)
  • Shadow-Earth-053 (apt_group)
  • Shadow-Earth-054 (apt_group)
  • Malware (attack_type)
  • Ref7707 (campaign)
  • Brazil (country)
  • India (country)
  • Malaysia (country)
  • Myanmar (country)
  • Pakistan (country)
  • CVE-2021-26855 (cve)
  • CVE-2021-26857 (cve)
  • CVE-2021-26858 (cve)
  • CVE-2021-27065 (cve)
  • CVE-2025-55182 (cve)
  • Defense (industry)
  • Government (industry)
  • Technology (industry)
  • Telecommunications (industry)
  • Transportation (industry)
  • 47.83.8.198 (ipv4)
  • FinalDraft (malware)
  • GodZilla (malware)
  • Guidloader (malware)
  • NoodleRat (malware)
  • Pathloader (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.002 - SMB/Windows Admin Shares (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1047 - Windows Management Instrumentation (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • Linux (platform)
  • Microsoft Exchange Server (platform)
  • Windows (platform)
  • 08331f33d196ced23bb568689c950b39ff7734b7461d9501c404e2b1dc298cc1 (sha256)
  • 6d79dfb00da88bb20770ffad636c884bad515def4f8e97e9a9d61473297617e3 (sha256)
  • 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf (sha256)
  • 7Zip (tool)
  • AnyDesk (tool)
  • CDB.exe (tool)
  • Certutil (tool)
  • Diskshadow.exe (tool)
  • ProxyLogon (vulnerability)