{ "type": "SHA256", "indicator": "0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed", "validation": [], "base_indicator": { "id": 4336935422, "indicator": "0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69f3a95eda9a5492f5d1b6f4", "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...", "modified": "2026-05-30T19:00:26.349000", "created": "2026-04-30T19:11:26.525000", "tags": [ "vshell", "proxylogon exploitation", "godzilla", "exchange server compromise", "ringq", "godzilla webshell", "shadowpad", "noodlerat" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "SHADOW-EARTH-053", "targeted_countries": [ "British Indian Ocean Territory", "India", "Malaysia", "Myanmar", "Pakistan", "Poland", "Sri Lanka", "Taiwan", "Thailand" ], "malware_families": [ { "id": "GODZILLA", "display_name": "GODZILLA", "target": null }, { "id": "ShadowPad - S0596", "display_name": "ShadowPad - S0596", "target": null }, { "id": "POISONPLUG.SHADOW", "display_name": "POISONPLUG.SHADOW", "target": null }, { "id": "NOODLERAT", "display_name": "NOODLERAT", "target": null }, { "id": "RingQ", "display_name": "RingQ", "target": null }, { "id": "IOX", "display_name": "IOX", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Government", "Defense", "Technology", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 24, "FileHash-SHA256": 36, "IPv4": 2, "domain": 3, "hostname": 18, "CVE": 5 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "39 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f97a64033cedf372cf42a0", "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "description": "", "modified": "2026-05-30T19:00:26.349000", "created": "2026-05-05T05:04:36.248000", "tags": [ "vshell", "proxylogon exploitation", "godzilla", "exchange server compromise", "ringq", "godzilla webshell", "shadowpad", "noodlerat" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "SHADOW-EARTH-053", "targeted_countries": [ "British Indian Ocean Territory", "India", "Malaysia", "Myanmar", "Pakistan", "Poland", "Sri Lanka", "Taiwan", "Thailand" ], "malware_families": [ { "id": "GODZILLA", "display_name": "GODZILLA", "target": null }, { "id": "ShadowPad - S0596", "display_name": "ShadowPad - S0596", "target": null }, { "id": "POISONPLUG.SHADOW", "display_name": "POISONPLUG.SHADOW", "target": null }, { "id": "NOODLERAT", "display_name": "NOODLERAT", "target": null }, { "id": "RingQ", "display_name": "RingQ", "target": null }, { "id": "IOX", "display_name": "IOX", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Government", "Defense", "Technology", "Transportation" ], "TLP": "white", "cloned_from": "69f3a95eda9a5492f5d1b6f4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 24, "FileHash-SHA256": 40, "domain": 3, "hostname": 18, "CVE": 5 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "39 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "related": { "alienvault": { "adversary": [ "SHADOW-EARTH-053" ], "malware_families": [ "Poisonplug.shadow", "Vshell", "Shadowpad - s0596", "Iox", "Godzilla", "Noodlerat", "Ringq" ], "industries": [ "Defense", "Government", "Transportation", "Technology" ] }, "other": { "adversary": [ "SHADOW-EARTH-053" ], "malware_families": [ "Poisonplug.shadow", "Vshell", "Shadowpad - s0596", "Iox", "Godzilla", "Noodlerat", "Ringq" ], "industries": [ "Defense", "Government", "Transportation", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69f3a95eda9a5492f5d1b6f4", "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...", "modified": "2026-05-30T19:00:26.349000", "created": "2026-04-30T19:11:26.525000", "tags": [ "vshell", "proxylogon exploitation", "godzilla", "exchange server compromise", "ringq", "godzilla webshell", "shadowpad", "noodlerat" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "SHADOW-EARTH-053", "targeted_countries": [ "British Indian Ocean Territory", "India", "Malaysia", "Myanmar", "Pakistan", "Poland", "Sri Lanka", "Taiwan", "Thailand" ], "malware_families": [ { "id": "GODZILLA", "display_name": "GODZILLA", "target": null }, { "id": "ShadowPad - S0596", "display_name": "ShadowPad - S0596", "target": null }, { "id": "POISONPLUG.SHADOW", "display_name": "POISONPLUG.SHADOW", "target": null }, { "id": "NOODLERAT", "display_name": "NOODLERAT", "target": null }, { "id": "RingQ", "display_name": "RingQ", "target": null }, { "id": "IOX", "display_name": "IOX", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Government", "Defense", "Technology", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 24, "FileHash-SHA256": 36, "IPv4": 2, "domain": 3, "hostname": 18, "CVE": 5 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "39 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f97a64033cedf372cf42a0", "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "description": "", "modified": "2026-05-30T19:00:26.349000", "created": "2026-05-05T05:04:36.248000", "tags": [ "vshell", "proxylogon exploitation", "godzilla", "exchange server compromise", "ringq", "godzilla webshell", "shadowpad", "noodlerat" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "SHADOW-EARTH-053", "targeted_countries": [ "British Indian Ocean Territory", "India", "Malaysia", "Myanmar", "Pakistan", "Poland", "Sri Lanka", "Taiwan", "Thailand" ], "malware_families": [ { "id": "GODZILLA", "display_name": "GODZILLA", "target": null }, { "id": "ShadowPad - S0596", "display_name": "ShadowPad - S0596", "target": null }, { "id": "POISONPLUG.SHADOW", "display_name": "POISONPLUG.SHADOW", "target": null }, { "id": "NOODLERAT", "display_name": "NOODLERAT", "target": null }, { "id": "RingQ", "display_name": "RingQ", "target": null }, { "id": "IOX", "display_name": "IOX", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Government", "Defense", "Technology", "Transportation" ], "TLP": "white", "cloned_from": "69f3a95eda9a5492f5d1b6f4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 24, "FileHash-SHA256": 40, "domain": 3, "hostname": 18, "CVE": 5 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "39 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170005.497323 }