VYPR research · Published Jan 13, 2026 · Updated May 20, 2026 · 1 source

MITRE ATT&CK Evaluation 2025 Highlights SHADOW-AETHER-015 and Earth Preta TTPs

Trend Micro's analysis of the 2025 MITRE ATT&CK Evaluation reveals modern attack chains from SHADOW-AETHER-015 and Earth Preta, validated through TrendAI Vision One.

Trend Micro has released a detailed analysis of the 2025 MITRE ATT&CK Evaluation Round 7 (ER7), highlighting the tactics, techniques, and procedures (TTPs) of two advanced threat actors: SHADOW-AETHER-015 and Earth Preta (also known as Mustang Panda). The evaluation, which included both on-premises and cloud-based attack scenarios, demonstrated how these groups operate in hybrid environments, leveraging sophisticated social engineering, identity abuse, and cloud compromise.

Scenario 1, codenamed Demeter, emulated the activities of SHADOW-AETHER-015, a highly adaptable cybercriminal group known for fluent English-language vishing and help-desk impersonation. The attack chain began with a phishing campaign using an adversary-in-the-middle SSO kit to steal high-privilege credentials and MFA tokens. From there, the attackers gained RDP access, performed internal discovery, enumerated Active Directory, and pivoted to AWS cloud infrastructure. They established persistence through a new admin IAM user and a privileged EC2 instance, harvested secrets and tokens, and moved laterally across Linux and Windows systems using tunneling and RMM tools. The attack concluded with large-scale data exfiltration to attacker-controlled S3 buckets.
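The Demeter chain above ends in two cloud steps a defender can watch for directly in CloudTrail: a freshly created IAM user being granted administrator rights, and object writes to a bucket the organisation does not own. The following Python is an added illustration and is not code from Trend Micro, MITRE, or the page's source; it runs two simple rules over constructed CloudTrail-style events (account IDs, user names and bucket names are made up) and escalates when the same new principal appears in both.

```python
"""Toy detection over constructed CloudTrail-style events.

Added example, not from the Trend Micro or MITRE material: flags the two
cloud steps described for the Demeter scenario, creation of a new IAM user
that is then given AdministratorAccess, and S3 writes to a bucket outside
the organisation's known set. Field names follow CloudTrail naming; the
account ID, user names and bucket names below are constructed.
"""
import json

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/helpdesk-ops"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/helpdesk-ops"},
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-backup2"},
     "requestParameters": {"bucketName": "corp-backups-prod", "key": "db/2026-01-13.tar"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-backup2"},
     "requestParameters": {"bucketName": "rand0m-drop-7731", "key": "hr/export.zip"}},
]

# Assumed inventory of buckets the organisation owns (constructed).
KNOWN_BUCKETS = {"corp-backups-prod", "corp-logs-prod"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
S3_WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart"}


def find_new_admin_users(events):
    """Return user names that were created and then attached to AdministratorAccess."""
    created = set()
    admins = []
    for ev in events:
        if ev["eventSource"] != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters", {})
        if ev["eventName"] == "CreateUser":
            created.add(params.get("userName"))
        elif ev["eventName"] == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            if params.get("userName") in created:
                admins.append(params["userName"])
    return admins


def find_external_s3_writes(events, known_buckets):
    """Return (principal ARN, bucket) pairs for object writes to buckets not in the inventory."""
    hits = []
    for ev in events:
        if ev["eventSource"] != "s3.amazonaws.com" or ev["eventName"] not in S3_WRITE_EVENTS:
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket and bucket not in known_buckets:
            hits.append((ev["userIdentity"]["arn"], bucket))
    return hits


def triage(events, known_buckets=KNOWN_BUCKETS):
    """Combine both rules; a new admin that also writes to an unknown bucket is escalated."""
    new_admins = find_new_admin_users(events)
    alerts = [{"severity": "high", "rule": "new-admin-iam-user", "user": u} for u in new_admins]
    for principal, bucket in find_external_s3_writes(events, known_buckets):
        user = principal.rsplit("/", 1)[-1]
        severity = "critical" if user in new_admins else "medium"
        alerts.append({"severity": severity, "rule": "s3-write-unknown-bucket",
                       "user": user, "bucket": bucket})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

In practice the bucket inventory would come from a configuration source rather than a literal set, and the IAM rule would also cover `PutUserPolicy`, `AddUserToGroup` and role-based variants; the point is the correlation, since either event alone is routine in many accounts.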

Scenario 2, codenamed Hermes, focused on Earth Preta, a state-sponsored group known for phishing-based attacks. This emulation highlighted the use of advanced loaders, anti-analysis techniques, lateral movement, credential harvesting, and data exfiltration, followed by meticulous cleanup to reduce forensic traces. Earth Preta's operations often target government and diplomatic entities in Asia, using spear-phishing emails with malicious attachments to gain initial access.

Trend Micro's TrendAI Vision One platform was used to detect and map these behaviors against the MITRE ATT&CK framework. The platform automatically correlated telemetry into meaningful alerts across hybrid environments, detecting and blocking indicators of compromise (IoCs) related to both threat actors. TrendAI customers can access tailored hunting queries, threat insights, and intelligence reports to proactively defend against these groups.

ER7 marked a significant evolution in MITRE's approach: it now includes both on-premises and cloud-based attacks, as well as the Reconnaissance tactic. This simulates the hybrid environments that real SOC teams defend today and highlights the need for effective enterprise tools. TrendAI Vision One's results in ER7 reinforce Trend Micro's position as a trusted leader in detection and response innovation, providing analytic coverage across all major attack steps and cloud layers.

SHADOW-AETHER-015 is characterized by identity abuse and cloud compromise, targeting identity and access management systems such as Okta and Azure AD/Entra ID. The group uses social engineering, MFA fatigue, token theft, and adversary-in-the-middle phishing to bypass authentication controls. After gaining identity access, they leverage legitimate credentials with IAM misuse and configuration abuse to move laterally across SaaS and cloud environments. Their operations have affected telecommunications, business process outsourcing (BPO), and other sectors rich in sensitive data.

Earth Preta, on the other hand, is a Chinese-linked APT group that has been active since at least 2012. They primarily target government, diplomatic, and technology organizations in Asia, using spear-phishing and custom malware. The MITRE evaluation provided a controlled environment to validate detection capabilities against their evolving TTPs, including the use of loaders like ShadowPad and Cobalt Strike.

Overall, the 2025 MITRE ATT&CK Evaluation underscores the growing complexity of modern cyber threats, particularly those that blend endpoint and cloud attacks. Trend Micro's analysis offers valuable insights for defenders, emphasizing the importance of unified security platforms that can automatically correlate telemetry and provide comprehensive coverage across hybrid environments.

Synthesized by Vypr AI