OTX Bot5d ago

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
(in)sicurezza digitaleMay 2

SHADOW-EARTH-053: la campagna APT cinese che spia governi asiatici, la NATO e i diplomatici cubani

Trend Micro ha smascherato SHADOW-EARTH-053, un gruppo APT allineato alla Cina attivo dal dicembre 2024 che ha colpito governi e contractor difesa in Pakistan, India, Malaysia, Taiwan e Polonia. In parallelo, un'operazione correlata ha violato le email di 68 diplomatici cubani a Washington sfruttando Exchange non patchati. Analisi tecnica di ShadowPad, Godzilla webshell, CVE-2025-55182 e delle implicazioni per i difensori.

https://insicurezzadigitale.com/shadow-earth-053-la-campagna-apt-cinese-che-spia-governi-asiatici-la-nato-e-i-diplomatici-cubani/

Analyst207May 1

China-Linked Hackers Expose Wide-Ranging Espionage Campaign

Meet SHADOW-EARTH-053, a China-aligned espionage group that's been secretly lurking in the shadows since December 2024, using clever tactics like exploiting vulnerabilities and deploying web shells to gain persistent access to sensitive targets. Their sophisticated attacks have been linked to other notorious intrusion sets, revealing a…

https://osintsights.com/china-linked-hackers-expose-wide-ranging-espionage-campaign?utm_source=mastodon&utm_medium=social

#ChinalinkedHackers #EspionageCampaign #Proxylogon #Godzilla #Shadowpad

China-Linked Hackers Expose Wide-Ranging Espionage Campaign

China-linked hackers expose espionage campaign via Microsoft Exchange vulnerabilities, learn how to protect your network now and prevent similar attacks.

OSINTSights
PressMind LabsFeb 6

DKnife – nowy cyberzagrożenie w routerach zmienia zasady bezpieczeństwa sieci

Czy Twój router to tylko nudne pudełko do Wi-Fi? DKnife pokazuje, że to może być idealna budka podsłuchowa – tuż przy drzwiach Twojej sieci.

Czytaj dalej:
https://pressmind.org/dknife-nowy-cyberzagrozenie-w-routerach-zmienia-zasady-bezpieczenstwa-sieci/

#PressMindLabs #aitm #darknimbus #dknife #routery #shadowpad

Daniel Kuhl ✌🏻☮️☕️Dec 24

#CheckPoint Research revealed a sophisticated wave of attacks attributed to the Chinese #threat actor #InkDragon, which targets European governments while continuing campaigns in Southeast Asia and South America. The threat actor converts compromised #IIS servers into relay nodes with #ShadowPad, exploits predictable configuration keys for access, and deploys a new #FinalDraft #backdoor for exfiltration and lateral movement.

https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/

Ink Dragon's Relay Network and Stealthy Offensive Operation

Key Findings Introduction Check Point Research tracks a sustained, highly capable espionage cluster, which we refer to as Ink Dragon, and is referenced in other reports as CL-STA-0049, Earth Alux, or REF7707. This cluster is assessed by several vendors to be PRC-aligned. Since at least early 2023, Ink Dragon has repeatedly targeted government, telecom, and […]

Check Point Research
The Threat CodexDec 16
Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation
#InkDragon #ShadowPad #CDBLoader #LalsDumper #FINALDRAFT
https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/
Ink Dragon's Relay Network and Stealthy Offensive Operation

Key Findings Introduction Check Point Research tracks a sustained, highly capable espionage cluster, which we refer to as Ink Dragon, and is referenced in other reports as CL-STA-0049, Earth Alux, or REF7707. This cluster is assessed by several vendors to be PRC-aligned. Since at least early 2023, Ink Dragon has repeatedly targeted government, telecom, and […]

Check Point Research
CyberNetsecIONov 24

📰 ShadowPad Backdoor Deployed via Critical WSUS Server Vulnerability

🔥 CRITICAL: Chinese APTs are actively exploiting a WSUS RCE vulnerability (CVE-2025-59287) to deploy the ShadowPad backdoor. Attackers gain SYSTEM access for espionage. Patching is urgent! #ThreatIntel #CVE #ShadowPad #CyberAttack

🔗 https://cyber.netsecops.io/articles/shadowpad-backdoor-deployed-exploiting-windows-server-vulnerability/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto

ShadowPad Backdoor Deployed via Critical WSUS Server Vulnerability

Chinese state-sponsored APTs are actively exploiting a critical RCE vulnerability (CVE-2025-59287) in Microsoft WSUS to deploy the ShadowPad backdoor for espionage. Patching is critical.

CyberNetSec.io
The Threat CodexNov 24
Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
#CVE_2025_59287 #ShadowPad
https://asec.ahnlab.com/en/91166/
Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287) - ASEC

Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287) ASEC

ASEC
securityaffairsNov 24
Attackers deliver #ShadowPad via newly patched #WSUS RCE bug
https://securityaffairs.com/185007/malware/attackers-deliver-shadowpad-via-newly-patched-wsus-rce-bug.html
#securityaffairs #hacking #malware
Attackers deliver ShadowPad via newly patched WSUS RCE bug

Attackers exploited a patched WSUS flaw (CVE-2025-59287) to gain access, use PowerCat for a shell, and deploy the ShadowPad malware.

Security Affairs
TechNaduNov 24

Threat actors are actively exploiting CVE-2025-59287 in WSUS to deploy ShadowPad.

ASEC notes the attackers used PowerCat for shell access, then fetched and installed ShadowPad with certutil/curl, executing it through DLL side-loading.

How are you securing WSUS or other update infrastructure in your environment?
💬 Share your insights
⭐ Follow TechNadu for timely threat intel

#infosec #WSUS #ShadowPad #CVE2025 #malware #threatintel #sysadmin #DFIR #TechNadu