SHADOW-EARTH-053 and SHADOW-EARTH-054 targets | Image: TrendMicro
TrendAI Research has identified a persistent and methodical China-aligned threat cluster targeting government entities and critical infrastructure across South, East, and Southeast Asia, as well as a European NATO member state. Currently tracked under the provisional designation SHADOW-EARTH-053, this group has been operational since at least December 2024, focusing its efforts on cyberespionage and intellectual property theft.
The group’s footprint is vast, spanning at least eight countries—including Pakistan, Thailand, Malaysia, India, and Taiwan—and specifically targeting government ministries and IT consulting firms with sensitive defense contracts.
One of the most striking findings of the report is the group’s continued success in exploiting long-patched vulnerabilities. SHADOW-EARTH-053 relies heavily on “N-day” server-side flaws to establish its initial foothold, most notably the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) targeting Microsoft Exchange Server.
As the TrendAI report highlights, “SHADOW-EARTH-053’s successful exploitation of these long-patched issues confirms that organizations still running legacy or unpatched Exchange servers remain at significant risk of mailbox compromise, credential theft, and prolonged attacker access”.
Once a server is compromised, the group deploys GODZILLA web shells for persistent access. This access is then used to stage ShadowPad implants—a modular malware family widely used by China-aligned actors since 2017—via DLL sideloading of legitimate, signed executables.
The group utilizes a sophisticated “registry loader” technique for stealth:
- Sideloading: They abuse legitimate executables like the Toshiba Bluetooth Stack to load malicious DLLs.
- Registry Extraction: The malware retrieves its payload from machine-specific registry keys rather than embedding it in the binary.
- Callback Injection: The shellcode is executed via the legitimate EnumDesktopsA Windows API function to bypass security monitoring.
Interestingly, nearly half of the group’s targets were also compromised by a related intrusion set, SHADOW-EARTH-054. While these groups share identical post-compromise tools—such as the Evil-CreateDump credential extractor and IOX Proxy—evidence suggests “independent exploitation of the same vulnerabilities rather than direct operational coordination”.
To maintain communication, SHADOW-EARTH-053 employs a layered approach with redundant tunneling tools like GOST (GO Simple Tunnel) and Wstunnel, often staging them in publicly writable directories like C:\Users\Public.
The activities of SHADOW-EARTH-053 serve as a stark reminder that high-profile espionage does not always require “zero-day” exploits. By failing to patch years-old vulnerabilities, critical organizations are essentially leaving their back doors unlocked for strategic actors.
TrendAI Research urges organizations to audit their internet-facing Exchange and IIS infrastructure immediately. Scrutinizing outbound traffic from web servers and reviewing web shell detection capabilities are essential first steps in identifying potential exposure to this regional threat.
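As an added illustration of the triage TrendAI recommends (example code written here, not from the report or from TrendAI Research), the script below turns the tradecraft described above into heuristics run over constructed Sysmon-style events: the IIS worker spawning a shell, outbound connections from the IIS worker or from a tool staged under C:\Users\Public, and an unsigned DLL loaded from a writable path by another executable. Field names follow Sysmon event IDs 1, 3 and 7; the staging-directory list, the sample binary names and the addresses are assumptions, not indicators from the report.

```python
"""Heuristic triage of constructed Sysmon-style events for the tradecraft above.
Paths, names and addresses are placeholders; rules are heuristics, not the report's."""
import ipaddress

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # staging dirs
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def _name(path):  # lower-cased basename of a Windows path
    return path.rsplit("\\", 1)[-1].lower()

def _writable(path):  # located under a user-writable staging directory
    return path.lower().startswith(WRITABLE)

def _external(ip):  # destination is not RFC 1918, loopback or link-local
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def triage(events):
    """Return (event_index, reason) for each event that matches a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 1 and _name(ev.get("ParentImage", "")) == IIS_WORKER and _name(image) in SHELLS:
            hits.append((i, "web shell: IIS worker spawned a shell"))
        elif eid == 1 and _writable(image):
            hits.append((i, "process launched from user-writable staging directory"))
        elif eid == 3 and ev.get("Initiated") and _external(ev["DestinationIp"]):
            if _name(image) == IIS_WORKER:
                hits.append((i, "outbound connection initiated by IIS worker"))
            elif _writable(image):
                hits.append((i, "outbound connection from staged tool (possible tunnel)"))
        elif eid == 7 and ev.get("Signed") == "false" and _writable(ev.get("ImageLoaded", "")):
            hits.append((i, "unsigned DLL from writable path loaded by " + _name(image)))
    return hits

# Constructed sample telemetry; binary names and addresses are placeholders, not indicators.
SAMPLE = [
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Initiated": True, "DestinationIp": "10.0.0.5"},  # internal destination: ignored
    {"EventID": 1, "Image": "C:\\Users\\Public\\tunnel.exe"},
    {"EventID": 3, "Image": "C:\\Users\\Public\\tunnel.exe",
     "Initiated": True, "DestinationIp": "203.0.113.7"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\bt\\signed_host.exe",
     "ImageLoaded": "C:\\Users\\Public\\bt\\helper.dll", "Signed": "false"},
]
```

Running `triage(SAMPLE)` flags events 0, 2, 3 and 4 and leaves the internal-destination connection alone; in production the same rules would be fed from the Sysmon channel rather than an inline list.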