Pulse Detail — Threat Intelligence

PULSE NAME

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

WHITE SHADOW-EARTH-053 AlienVault 2026-04-30 Modified: 2026-05-29

IOCs

HIGH VOLUME

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1053.005 T1560.001 T1047 T1003.002 T1087.002 T1190 T1021.002 T1505.003 T1021.006 T1003.001 T1041 T1078 T1027 T1114.002 T1071.001 T1018 T1574.002 T1003.006 T1090.001

MALWARE FAMILIES

GODZILLA ShadowPad - S0596 POISONPLUG.SHADOW NOODLERAT RingQ IOX VShell

Indicators of Compromise (24 / 94 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 domain hostname CVE

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA1	128f3ad395f86be6569ef2a957d42902a910de6c	—	2026-04-30
FileHash-SHA1	211e1fc502152ea272edb5a81a5b4405a28c48f9	—	2026-04-30
FileHash-SHA1	2dc1ad07b7529af3ba5c11a58519681909971a81	—	2026-04-30
FileHash-SHA1	2dd614427b80cdd38e8bbe0ace24a484671c0da2	—	2026-04-30
FileHash-SHA1	31b3dd9ee46805b0ed6e6dd6a5ee17facadfd2ff	—	2026-04-30
FileHash-SHA1	3229ba46dd54802093c81e6e2123fd1520faf960	—	2026-04-30
FileHash-SHA1	35cc0b684b0906aed9d672a1a8635510fe91aa67	—	2026-04-30
FileHash-SHA1	36061be6ccd17e87e3d1ef15f8e7058f279439d1	—	2026-04-30
FileHash-SHA1	3f858c007d4d49dd7fa260bcc786c34d4f78dbf5	—	2026-04-30
FileHash-SHA1	4541e55b70ca12ae4a79e38c0b4c31f067eb5cdc	—	2026-04-30
FileHash-SHA1	579bc9a640ac939b1f75eda852815f063cebd332	—	2026-04-30
FileHash-SHA1	824f13f758ce278f72a4aeaf1e15a703d5107dd7	—	2026-04-30
FileHash-SHA1	861a686461ad830b268977808ba56730616c7684	—	2026-04-30
FileHash-SHA1	8a5ac2682d70eacff7eb554e242227c82e2baa94	—	2026-04-30
FileHash-SHA1	9244cd99a27a8741a78e0b449cea063fdcfb0090	—	2026-04-30
FileHash-SHA1	95015643ecb3ba321b8cff8eca2907e5356e8659	—	2026-04-30
FileHash-SHA1	9a83466f6c34e588ba3e99d6cbfac0102e173cdd	—	2026-04-30
FileHash-SHA1	ac7ffce58c70fb9f837e11a44d655d6c28e276f5	—	2026-04-30
FileHash-SHA1	b8d586d376b342b08b3dd8a77c788480e025ad12	—	2026-04-30
FileHash-SHA1	e1bcf36ed2f7a60dd0dde52abf11c942e2657e31	—	2026-04-30
FileHash-SHA1	ebfd92291714e6d7e57cf4830aa8f87950b796bb	—	2026-04-30
FileHash-SHA1	ec38a56f9368eac67106a4ad61538e12053f03d1	—	2026-04-30
FileHash-SHA1	82eb4b752c60b99b451f7a53b8ac856afe9deb88	—	2026-04-30
FileHash-SHA1	c2870caa5f016822fdaf16e3c470f96eefd4b93f	—	2026-04-30

References (1)

↗ https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html