Novel Chinese Threat Group Shadow-Earth-053 Infiltrates Critical Networks in Poland and Asia
TrendAI researchers have identified a new China-linked threat group, Shadow-Earth-053, that has compromised over a dozen critical networks across Poland and multiple Asian countries since December 2024, exploiting years-old Microsoft Exchange Server vulnerabilities.

A novel China-linked threat group has infiltrated more than a dozen critical networks in Poland, Asia, and possibly beyond, according to a report shared exclusively with The Register by TrendAI researchers. The group, tracked as Shadow-Earth-053, has been active since December 2024, with intrusions uncovered as recently as this month. Targets include government agencies, defense contractors, technology firms, and the transportation industry across at least eight countries, with victims in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland.
The group typically gains initial access by exploiting vulnerable Microsoft Exchange Servers, particularly the years-old ProxyLogon vulnerability (CVE-2021-26855) chained with related bugs (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to achieve remote code execution. This same vulnerability was abused by the Chinese state-sponsored group Salt Typhoon to breach critical US networks in 2021 and remains a top-exploited flaw. After compromising a server, Shadow-Earth-053 installs web shells—Godzilla is a commonly used one—and then deploys the ShadowPad backdoor, a custom tool used by China's APT41 for nearly a decade and shared among multiple China-aligned groups since 2019.
In multiple intrusions, the attackers compromised victim organizations up to eight months before deploying ShadowPad. In one instance, they delivered ShadowPad via the legitimate remote desktop tool AnyDesk, suggesting either a prior compromise or stolen credentials. In another case, they deployed Linux NoodleRat backdoors after exploiting React2Shell (CVE-2025-55182), a critical flaw in React Server Components. The group also uses RingQ, an open-source tool from China that packs malicious binaries to evade detection, and renames legitimate Windows system binaries to bypass process-based monitoring.
About half of the victims were also compromised by a related group, Shadow-Earth-054, which exploited the same vulnerabilities and shared identical tool hashes and overlapping techniques. Shadow-Earth-054 has network overlaps with Chinese crews tracked as CL-STA-0049 by Palo Alto Networks' Unit 42, REF7707 by Elastic Security Labs, and Earth Alux. Tom Kellermann, TrendAI VP of AI security and threat research, likened the new groups to Salt Typhoon and Volt Typhoon, which maintained stealthy, long-term access to critical networks for espionage and potential destructive attacks.
Kellermann expressed concern about what the intruders may have left behind, including command-and-control infrastructure on a sleep cycle that could be activated later. He suggested the timing of the intrusions may be linked to geopolitical tensions, specifically the upcoming summit between US President Trump and Chinese President Xi scheduled for May 14-15. "Volt essentially had unrequited access to critical infrastructures, energy sector, etc., and it was all for the purposes of ongoing espionage, but most importantly, maintaining sabotage capability, like destructive attacks, should geopolitical tension exacerbate," Kellermann said.
The discovery highlights the persistent risk posed by unpatched Exchange Server vulnerabilities, which continue to be exploited years after patches were released. Organizations are urged to apply available patches for ProxyLogon and other Exchange Server bugs, as well as React2Shell, to mitigate the risk of compromise. The use of legitimate tools like AnyDesk and renamed Windows binaries underscores the challenge of detecting such intrusions, which blend in with normal network activity.
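The renamed-system-binary technique mentioned above (the group renames legitimate Windows binaries to slip past process-name monitoring, which is why such intrusions "blend in") has a well-known defensive counter: the executable's PE version resource carries an OriginalFileName that a rename on disk does not change, and Sysmon's process-creation event (Event ID 1) records both that field and the path the process actually ran from. The example below is added here and is not code from the TrendAI report or from Trend; it checks constructed Sysmon-style JSON records for mismatches between the two fields. The Sysmon field names (Image, OriginalFileName, CommandLine, UtcTime) are real; the list of watched binaries and every sample event are assumptions made up for the demonstration.

```python
"""Detect renamed Windows system binaries in process-creation telemetry.

Added example; not code from the TrendAI report. It consumes JSON lines in
the shape of Sysmon Event ID 1 (process creation), which records both the
path the process was started from (Image) and the OriginalFileName stored
in the executable's PE version resource. Renaming the file changes Image
but not OriginalFileName, so a mismatch is the signal. The sample events
below are constructed for the demonstration.
"""
import json
from pathlib import PureWindowsPath

# Windows binaries that are commonly copied under another name. This list is
# a demo assumption, not an indicator set from the report.
WATCHED_ORIGINAL_NAMES = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe",
    "msiexec.exe", "bitsadmin.exe",
}

# Constructed Sysmon-style records (JSON lines). The second and third lines
# show rundll32.exe and powershell.exe running under other file names; the
# last line has no version resource, which Sysmon records as "-".
SAMPLE_EVENTS = r"""
{"UtcTime":"2025-01-10 03:12:44","Image":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"Cmd.Exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2025-01-10 03:13:02","Image":"C:\\Users\\Public\\svchost.exe","OriginalFileName":"RUNDLL32.EXE","CommandLine":"svchost.exe C:\\Users\\Public\\upd.dll,Start"}
{"UtcTime":"2025-01-10 03:13:09","Image":"C:\\ProgramData\\update.exe","OriginalFileName":"PowerShell.EXE","CommandLine":"update.exe -w hidden"}
{"UtcTime":"2025-01-10 03:15:30","Image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","OriginalFileName":"AnyDesk.exe","CommandLine":"AnyDesk.exe --service"}
{"UtcTime":"2025-01-10 03:16:01","Image":"C:\\Temp\\tool.exe","OriginalFileName":"-","CommandLine":"tool.exe"}
"""


def original_name(event: dict) -> str:
    """Lower-cased OriginalFileName, or "" when Sysmon recorded none ("-")."""
    value = event.get("OriginalFileName", "")
    return "" if value in ("", "-") else value.lower()


def is_renamed_binary(event: dict) -> bool:
    """True when the on-disk file name differs from the PE's OriginalFileName."""
    original = original_name(event)
    image = event.get("Image", "")
    if not original or not image:
        return False  # nothing to compare against
    return PureWindowsPath(image).name.lower() != original


def find_renamed_system_binaries(lines):
    """Return one finding per watched binary that runs under a different name."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        original = original_name(event)
        if original in WATCHED_ORIGINAL_NAMES and is_renamed_binary(event):
            findings.append({
                "time": event.get("UtcTime", ""),
                "image": event["Image"],
                "original_name": original,
                "command_line": event.get("CommandLine", ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_renamed_system_binaries(SAMPLE_EVENTS.splitlines()):
        print(f"{f['time']}  {f['image']}  is really {f['original_name']}"
              f"  <- {f['command_line']}")
```

Run against the constructed input, the check reports the two renamed binaries and stays quiet on the legitimate cmd.exe and AnyDesk processes. Two caveats for production use: a binary whose version resource has been stripped or rewritten produces no mismatch, so a watched-looking path with an empty or "-" OriginalFileName deserves a second look via file hash or Authenticode signature, and legitimate tools such as AnyDesk pass this check by design, so their presence still has to be judged against whether the business actually deployed them.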