Mastodawn

SHADOW-EARTH-053: la campagna APT cinese che spia governi asiatici, la NATO e i diplomatici cubani

Trend Micro ha smascherato SHADOW-EARTH-053, un gruppo APT allineato alla Cina attivo dal dicembre 2024 che ha colpito governi e contractor difesa in Pakistan, India, Malaysia, Taiwan e Polonia. In parallelo, un'operazione correlata ha violato le email di 68 diplomatici cubani a Washington sfruttando Exchange non patchati. Analisi tecnica di ShadowPad, Godzilla webshell, CVE-2025-55182 e delle implicazioni per i difensori.

https://insicurezzadigitale.com/shadow-earth-053-la-campagna-apt-cinese-che-spia-governi-asiatici-la-nato-e-i-diplomatici-cubani/

Analyst207 May 1

China-Linked Hackers Expose Wide-Ranging Espionage Campaign

Meet SHADOW-EARTH-053, a China-aligned espionage group that's been secretly lurking in the shadows since December 2024, using clever tactics like exploiting vulnerabilities and deploying web shells to gain persistent access to sensitive targets. Their sophisticated attacks have been linked to other notorious intrusion sets, revealing a…

https://osintsights.com/china-linked-hackers-expose-wide-ranging-espionage-campaign?utm_source=mastodon&utm_medium=social

#ChinalinkedHackers #EspionageCampaign #Proxylogon #Godzilla #Shadowpad

China-Linked Hackers Expose Wide-Ranging Espionage Campaign

China-linked hackers expose espionage campaign via Microsoft Exchange vulnerabilities, learn how to protect your network now and prevent similar attacks.

OSINTSights

PressMind Labs Feb 6

DKnife – nowy cyberzagrożenie w routerach zmienia zasady bezpieczeństwa sieci

Czy Twój router to tylko nudne pudełko do Wi-Fi? DKnife pokazuje, że to może być idealna budka podsłuchowa – tuż przy drzwiach Twojej sieci.

Czytaj dalej:
https://pressmind.org/dknife-nowy-cyberzagrozenie-w-routerach-zmienia-zasady-bezpieczenstwa-sieci/

#PressMindLabs #aitm #darknimbus #dknife #routery #shadowpad

Daniel Kuhl ✌🏻☮️☕️Dec 24

#CheckPoint Research revealed a sophisticated wave of attacks attributed to the Chinese #threat actor #InkDragon, which targets European governments while continuing campaigns in Southeast Asia and South America. The threat actor converts compromised #IIS servers into relay nodes with #ShadowPad, exploits predictable configuration keys for access, and deploys a new #FinalDraft #backdoor for exfiltration and lateral movement.

https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/

Ink Dragon's Relay Network and Stealthy Offensive Operation

Key Findings Introduction Check Point Research tracks a sustained, highly capable espionage cluster, which we refer to as Ink Dragon, and is referenced in other reports as CL-STA-0049, Earth Alux, or REF7707. This cluster is assessed by several vendors to be PRC-aligned. Since at least early 2023, Ink Dragon has repeatedly targeted government, telecom, and […]

Check Point Research

The Threat Codex Dec 16

Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation
#InkDragon #ShadowPad #CDBLoader #LalsDumper #FINALDRAFT
https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/

Ink Dragon's Relay Network and Stealthy Offensive Operation

Check Point Research

CyberNetsecIO Nov 24, 2025

📰 ShadowPad Backdoor Deployed via Critical WSUS Server Vulnerability

🔥 CRITICAL: Chinese APTs are actively exploiting a WSUS RCE vulnerability (CVE-2025-59287) to deploy the ShadowPad backdoor. Attackers gain SYSTEM access for espionage. Patching is urgent! #ThreatIntel #CVE #ShadowPad #CyberAttack

🔗 https://cyber.netsecops.io/articles/shadowpad-backdoor-deployed-exploiting-windows-server-vulnerability/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto

ShadowPad Backdoor Deployed via Critical WSUS Server Vulnerability

Chinese state-sponsored APTs are actively exploiting a critical RCE vulnerability (CVE-2025-59287) in Microsoft WSUS to deploy the ShadowPad backdoor for espionage. Patching is critical.

CyberNetSec.io

The Threat Codex Nov 24, 2025

Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
#CVE_2025_59287 #ShadowPad
https://asec.ahnlab.com/en/91166/

Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287) - ASEC

Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287) ASEC

ASEC

securityaffairs Nov 24, 2025

Attackers deliver #ShadowPad via newly patched #WSUS RCE bug
https://securityaffairs.com/185007/malware/attackers-deliver-shadowpad-via-newly-patched-wsus-rce-bug.html
#securityaffairs #hacking #malware

Attackers deliver ShadowPad via newly patched WSUS RCE bug

Attackers exploited a patched WSUS flaw (CVE-2025-59287) to gain access, use PowerCat for a shell, and deploy the ShadowPad malware.

Security Affairs

TechNadu Nov 24, 2025

Threat actors are actively exploiting CVE-2025-59287 in WSUS to deploy ShadowPad.

ASEC notes the attackers used PowerCat for shell access, then fetched and installed ShadowPad with certutil/curl, executing it through DLL side-loading.

How are you securing WSUS or other update infrastructure in your environment?
💬 Share your insights
⭐ Follow TechNadu for timely threat intel

#infosec #WSUS #ShadowPad #CVE2025 #malware #threatintel #sysadmin #DFIR #TechNadu