Shadow-Earth-053: China-Aligned Espionage Group Targets Asian Government and Defense Networks
Trend Micro reveals Shadow-Earth-053, a China-aligned cyberespionage campaign exploiting unpatched Microsoft Exchange vulnerabilities to target government and defense sectors across Asia.

Trend Micro has published a detailed report on Shadow-Earth-053, a China-aligned cyberespionage campaign that has been systematically targeting government and defense organizations across Asia. The group exploits unpatched Microsoft Exchange vulnerabilities to gain initial access, then deploys a sophisticated arsenal of custom backdoors, tunneling tools, and credential theft utilities to maintain persistent access and exfiltrate sensitive intelligence from high-value networks.
The campaign's initial access vector relies on known Microsoft Exchange flaws, including CVE-2025-55182 (dubbed React2Shell), which allows remote code execution on unpatched servers. Once inside, the attackers deploy a multistage loader that abuses DLL sideloading via a legitimate Toshiba Bluetooth Stack executable renamed to CIATosBtKbd.exe. The malicious DLL retrieves shellcode from a machine-specific registry key under HKEY_CURRENT_USER\Software\ComputerName, then executes it via callback injection using the legitimate Windows API function EnumDesktopsA, a technique that evades many security monitoring systems.
Persistence is maintained through a scheduled task named M1onltor, configured to run the sideloaded binary every five minutes with highest privileges. The group also deploys a secondary executable, mdync.exe, which establishes beaconing connections to the IP address 141.164.46.77. Trend Micro observed that this tool was dropped by the sideloaded DLL TosBtKbd.dll, indicating a layered infection chain designed to ensure redundancy and resilience against detection.
Lateral movement is achieved through multiple techniques. The attackers create local accounts and set the LocalAccountTokenFilterPolicy registry value to 1, granting full administrative privileges to remote connections from all local administrators. They also abuse Windows Management Instrumentation Command-line (WMIC) to install backdoors on additional hosts, and deploy a custom RDP launcher (smss.exe) along with a C# implementation of SMBExec known as Sharp-SMBExec. Web shells are propagated to internal Exchange servers by copying them over administrative shares, enabling rapid expansion across the Exchange infrastructure.
To maintain covert communication channels, Shadow-Earth-053 deploys multiple tunneling tools, including GOST (GO Simple Tunnel) and Wstunnel, both configured to tunnel SOCKS5 traffic over HTTPS to the same command-and-control IP address 96.9.125.227. The group also uses the IOX proxy tool and renames tunnel-core.exe to code.exe to evade detection. All tools are staged in C:\Users\Public, consistent with the group's known preference for publicly writable directories. This layered approach ensures persistent outbound connectivity even if individual tools are blocked.
The group's arsenal includes the ShadowPad backdoor and NOODLERAT ELF samples, which were retrieved from the IP address 194.38.11.3. The NOODLERAT samples use the domain check.office365-update.com as C&C, registered on November 19, 2025, matching registration patterns for other Shadow-Earth-053 domains. Trend Micro attributes these samples to the group with low confidence, noting that NOODLERAT is shared among multiple espionage and cybercrime groups. The intrusion set also uses domain names that impersonate legitimate products and security solution companies to appear trustworthy.
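The host and network behaviours described above lend themselves to a simple log hunt. The following Python is an added example, not code from Trend Micro's report or tooling: it evaluates Sysmon-style event records (constructed here, with Sysmon's field names) against five indicators from the text: binaries executing from C:\Users\Public, a five-minute highest-privilege scheduled task, LocalAccountTokenFilterPolicy set to 1, writes under HKCU\Software\ComputerName, and connections to the listed C&C addresses.

```python
import json
import re

# Constructed Sysmon-style events (JSON per line): EventID 1 = process create,
# 3 = network connect, 13 = registry value set. These are not real log lines.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Users\\Public\\CIATosBtKbd.exe","CommandLine":"CIATosBtKbd.exe"}
{"EventID":13,"TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy","Details":"DWORD (0x00000001)"}
{"EventID":13,"TargetObject":"HKU\\S-1-5-21-1111\\Software\\ComputerName\\Payload","Details":"Binary Data"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /tn M1onltor /sc minute /mo 5 /rl highest /tr C:\\Users\\Public\\CIATosBtKbd.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe C:\\Users\\Public\\readme.txt"}
{"EventID":3,"Image":"C:\\Users\\Public\\mdync.exe","DestinationIp":"141.164.46.77","DestinationPort":443}
"""

C2_IPS = {"141.164.46.77", "96.9.125.227", "194.38.11.3"}  # C&C addresses named in the report
# Sysmon records HKEY_CURRENT_USER as HKU\<SID>\..., so match on the subkey path only.
SHELLCODE_KEY = re.compile(r"\\software\\computername\\", re.I)
FIVE_MIN_TASK = re.compile(r"/sc\s+minute\s+/mo\s+5\b", re.I)
HIGHEST_RL = re.compile(r"/rl\s+highest\b", re.I)

def check_event(ev):
    """Return the indicator names one event matches (empty list if none)."""
    hits = []
    eid, image = ev.get("EventID"), ev.get("Image", "")
    cmd, target = ev.get("CommandLine", ""), ev.get("TargetObject", "")
    # Staging: the image itself runs from C:\Users\Public; a command line that merely
    # names the folder (the notepad event) is not flagged.
    if eid == 1 and image.lower().startswith("c:\\users\\public\\"):
        hits.append("exec_from_public")
    # Persistence: schtasks creating a 5-minute task at highest run level.
    if eid == 1 and image.lower().endswith("\\schtasks.exe") \
            and FIVE_MIN_TASK.search(cmd) and HIGHEST_RL.search(cmd):
        hits.append("5min_highest_task")
    # Lateral movement preparation: remote UAC token filtering switched off.
    if eid == 13 and target.lower().endswith("\\localaccounttokenfilterpolicy") \
            and "0x00000001" in ev.get("Details", ""):
        hits.append("remote_uac_disabled")
    # Loader: shellcode stored under HKCU\Software\ComputerName.
    if eid == 13 and SHELLCODE_KEY.search(target):
        hits.append("shellcode_registry_key")
    if eid == 3 and ev.get("DestinationIp") in C2_IPS:  # beaconing to a listed C&C
        hits.append("known_c2_ip")
    return hits

def hunt(jsonl):
    """Return (Image or TargetObject, hits) for every matching event in a JSONL blob."""
    events = [json.loads(l) for l in jsonl.splitlines() if l.strip()]
    return [(ev.get("Image") or ev.get("TargetObject"), h) for ev in events if (h := check_event(ev))]
```

Execution from C:\Users\Public is a weak signal on its own in many environments; it earns attention when it coincides with the other indicators or with a renamed signed binary such as the Toshiba executable.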
Credential theft is a key objective, achieved through the Evil-CreateDump tool, which is based on Microsoft's create-dump.exe utility. The group also renames legitimate Windows system binaries to evade process-based detection, using randomized filenames with a $RANDOM.log naming pattern. Trend Micro's findings underscore the persistent threat posed by China-aligned espionage groups to critical infrastructure and government networks in Asia, highlighting the importance of patching Exchange servers and implementing robust detection for DLL sideloading and tunneling tool deployments.