TrendMicro

Key Insights on SHADOW-AETHER-015 and Earth Preta from the 2025 MITRE ATT&CK Evaluation with Trend Vision One™

Key takeaways:

  • The MITRE ATT&CK Evaluation Round 7 (ER7 2025) validates the progress made by Trend Vision One™ toward a unified security operations platform. This blog discusses the results of TrendAI™ in ER7 in more detail.
  • Scenario 1 (Demeter), an emulation inspired by SHADOW-AETHER-015, shows the complexity of modern cloud attacks, in which adversaries pivot from compromised endpoints to cloud infrastructure, leveraging stolen credentials and tokens to establish persistence, move laterally across hybrid environments, and exfiltrate sensitive data at scale.
  • Meanwhile, scenario 2 (Hermes), the emulation inspired by Earth Preta, highlights the sophistication of phishing-based attacks, emphasizing the use of advanced loaders, anti-analysis techniques, lateral movement, credential harvesting, and data exfiltration, followed by meticulous cleanup to reduce forensic traces and hinder detection.
  • TrendAI’s results in the MITRE ATT&CK ER7 align strongly with the current need for platforms to automatically correlate telemetry into meaningful alerts across hybrid environments. Trend Vision One™ detects and blocks the IoCs related to the threat actors mentioned in this blog. TrendAI customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against these threat actor groups.

This blog examines notable modern tactics, techniques, and procedures (TTPs) that Trend Research™ observed in the two emulations of the MITRE ATT&CK Evaluation Round 7 (ER7 2025), which featured Earth Preta (also known as Mustang Panda) and SHADOW-AETHER-015 (Trend Research’s intrusion name for a particular cluster of activity with modern TTPs characterized by AI-generated attacks, sophisticated phishing, and/or social engineering). These observed, analyzed, and reported TTPs underpin the performance of Trend Vision One™ in ER7, reinforcing the position of TrendAI™ as a trusted leader in detection and response innovation.

ER7 marked a significant evolution in MITRE’s approach: it now includes both on-premises and cloud-based attacks, as well as the Reconnaissance tactic. This not only simulates the hybrid environments that real SOC teams defend today but also highlights the need for SOC teams to rely on effective enterprise tools. Trend Vision One’s results in ER7 reinforce TrendAI’s position as a trusted leader in detection and response innovation. Enterprises can rely on the platform for up-to-date and up-to-standard analytic coverage across all major attack steps, protection across all evaluated attack opportunities, and cloud-layer coverage, including both detection and protection.

MITRE scenario 1 (Demeter)

In this emulation, the cloud (AWS) portion of the scenario showed how attackers can pivot from an endpoint into the cloud. The intrusion begins by phishing an unmanaged workstation with an adversary-in-the-middle (AiTM) SSO kit to steal high-privilege credentials and MFA tokens; because the kit proxies the real login, the captured session already satisfies MFA. This enables RDP access, internal discovery, Active Directory enumeration, and reconnaissance of shared network resources.

The attacker then pivots to AWS, enumerating IAM, S3, VPCs, and billing/cost data while evading defenses, and establishes persistence by creating a new administrative IAM user and a privileged EC2 instance. From there they harvest secrets and tokens and move laterally across Linux and Windows systems using tunnelling and remote monitoring and management (RMM) tools.

The attack concludes with large-scale data collection and exfiltration, syncing application and file-share data from internal systems to attacker-controlled S3 buckets. 

This section provides a high-level summary of how Scenario 1 (Demeter) unfolds, highlighting the core execution flow, infrastructure interactions, and progression of the attack chain from initial access through cleanup. 

For a detailed, step-by-step breakdown of the scenario that includes emulation context, tooling, and attack objectives, refer to MITRE’s official CTI emulation documentation.
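The persistence and exfiltration steps in the chain above leave a recognizable trail in CloudTrail. The block below is an added example, not code from the Trend Micro post, from Trend Vision One, or from MITRE's emulation plan: it correlates CloudTrail-style records for a CreateUser / AttachUserPolicy(AdministratorAccess) / CreateAccessKey sequence on one user name, and separately flags S3 write calls whose bucket owner (the accountId in the event's resources list) differs from the defended account, then raises severity when the cross-account writer is one of the newly created admin users. The account IDs, user and bucket names, timestamps and the simplified record shape are constructed sample data chosen for illustration.

```python
"""Correlate two Demeter-style steps in CloudTrail-like records:
  1. persistence: a new IAM user given AdministratorAccess (plus an access key)
  2. exfiltration: S3 writes to a bucket owned by a different AWS account
Added example; all records and identifiers below are constructed."""
import json
from collections import defaultdict

OWN_ACCOUNT = "111111111111"  # assumption: the defended account's ID
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
S3_WRITE_OPS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}

# Constructed sample records, one JSON object per line (CloudTrail-like field names).
SAMPLE_LOG = '''
{"eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/CloudAdmin/alice"},"requestParameters":{"userName":"svc-backup"},"recipientAccountId":"111111111111","eventTime":"2025-03-01T10:02:11Z"}
{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/CloudAdmin/alice"},"requestParameters":{"userName":"svc-backup","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"},"recipientAccountId":"111111111111","eventTime":"2025-03-01T10:02:40Z"}
{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/CloudAdmin/alice"},"requestParameters":{"userName":"svc-backup"},"recipientAccountId":"111111111111","eventTime":"2025-03-01T10:03:05Z"}
{"eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/svc-backup"},"requestParameters":{"bucketName":"corp-fileshare-mirror","key":"hr/payroll.csv"},"resources":[{"ARN":"arn:aws:s3:::corp-fileshare-mirror","accountId":"999999999999","type":"AWS::S3::Bucket"}],"recipientAccountId":"111111111111","eventTime":"2025-03-01T11:15:00Z"}
{"eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/svc-backup"},"requestParameters":{"bucketName":"corp-backups","key":"db/dump.sql"},"resources":[{"ARN":"arn:aws:s3:::corp-backups","accountId":"111111111111","type":"AWS::S3::Bucket"}],"recipientAccountId":"111111111111","eventTime":"2025-03-01T11:16:00Z"}
'''


def parse_events(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_admin_user_persistence(events):
    """Group IAM calls by target userName and report users that were both created
    and attached to AdministratorAccess. Returns [(userName, creatorArn, steps)]."""
    steps_by_user = defaultdict(list)
    creator_by_user = {}
    for e in events:
        if e.get("eventSource") != "iam.amazonaws.com":
            continue
        params = e.get("requestParameters") or {}
        name = params.get("userName")
        if not name:
            continue
        op = e.get("eventName")
        if op == "CreateUser":
            steps_by_user[name].append("CreateUser")
            creator_by_user[name] = e["userIdentity"]["arn"]
        elif op == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            steps_by_user[name].append("AttachUserPolicy:AdministratorAccess")
        elif op == "CreateAccessKey":
            steps_by_user[name].append("CreateAccessKey")
    hits = []
    for name, steps in steps_by_user.items():
        if "CreateUser" in steps and "AttachUserPolicy:AdministratorAccess" in steps:
            hits.append((name, creator_by_user.get(name), steps))
    return hits


def find_cross_account_s3_writes(events, own_account=OWN_ACCOUNT):
    """Flag S3 write calls whose bucket owner is not the defended account.
    Returns [(principalArn, bucketName, sortedForeignOwnerIds)]."""
    hits = []
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com" or e.get("eventName") not in S3_WRITE_OPS:
            continue
        bucket = (e.get("requestParameters") or {}).get("bucketName")
        owners = {r.get("accountId") for r in e.get("resources", [])
                  if r.get("type") == "AWS::S3::Bucket"}
        foreign = owners - {own_account, None}
        if foreign:
            hits.append((e["userIdentity"]["arn"], bucket, sorted(foreign)))
    return hits


def correlate(events, own_account=OWN_ACCOUNT):
    """Join the two detections: a cross-account write by a freshly created admin
    user is rated high, any other cross-account write medium."""
    persistence = find_admin_user_persistence(events)
    new_admins = {name for name, _creator, _steps in persistence}
    findings = []
    for principal, bucket, owners in find_cross_account_s3_writes(events, own_account):
        user = principal.rsplit("/", 1)[-1]  # last ARN segment: user or session name
        findings.append({
            "severity": "high" if user in new_admins else "medium",
            "principal": principal,
            "bucket": bucket,
            "bucketOwners": owners,
        })
    return persistence, findings


if __name__ == "__main__":
    persistence, findings = correlate(parse_events(SAMPLE_LOG))
    for name, creator, steps in persistence:
        print(f"[persistence] {name} created by {creator}: {' -> '.join(steps)}")
    for f in findings:
        print(f"[{f['severity']}] {f['principal']} wrote to {f['bucket']} owned by {f['bucketOwners']}")
```

In production this logic would run over CloudTrail data events (S3 object-level logging must be enabled for PutObject to appear at all), add the EC2 RunInstances-with-instance-profile step the scenario also uses, and bound the correlation to a time window; the point here is the join between an identity change and the data movement that follows it, which is what turns two low-signal events into one meaningful alert.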

More information that enterprises should know about SHADOW-AETHER-015

Scenario 1 is inspired by observed TTPs from SHADOW-AETHER-015, a highly adaptable and aggressive cybercriminal group known for fluent English-language social engineering, particularly vishing and help-desk impersonation, which allows operators to blend effectively into corporate support environments.

Their activity is characterized by identity abuse and cloud compromise. The group is also known for multi-pressure extortion: high-value data theft, leak threats, ransomware, cloud/VMware disruption, and employee intimidation. SHADOW-AETHER-015 primarily targets identity and access management systems such as Okta and Azure AD/Entra ID, abusing social engineering, MFA fatigue, token theft, and adversary-in-the-middle phishing to bypass authentication controls. After gaining identity access, the threat actors leverage legitimate credentials, IAM misuse, and configuration abuse to move laterally across SaaS and cloud environments, including AWS, Azure, and Google Workspace.

Activities linked to the group initially focused on SIM swapping and telecommunications fraud but have since evolved to target cloud, SaaS, and enterprise environments for data theft and, in some cases, ransomware deployment. The group diversifies monetization through cryptocurrency theft, account-takeover resale, long-term cloud persistence, partnerships with multiple RaaS groups, and selling large customer datasets.

SHADOW-AETHER-015 focuses on high-value, high-leverage intrusions and has been observed to consistently pursue enterprises with massive data, complex IT operations, and low tolerance for downtime. Its list of victims suggests that the group prioritizes sectors rich in credit-card data, travel records, and healthcare and loyalty information.

The group’s operations have affected telecommunications and business process outsourcing (BPO) providers. The group has also compromised tech SaaS and identity platforms to obtain privileged access into enterprise environments, alongside notable intrusions in hospitality and gaming organizations. Additional targets include finance and insurance firms, aviation and travel operators, and managed service provider (MSP) and IT companies.

SHADOW-AETHER-015 has been observed to be most active in English-speaking countries such as the US, UK, Canada, and Australia, with additional victim presence in India, Singapore, Thailand, and Brazil. 

The earliest structured campaigns linked to the group occurred from March to July 2022 under the “0ktapus” phishing campaign, but some SIM-swapping activity that could potentially be linked to early SHADOW-AETHER-015 operators predates this.

The group’s progression shows rapid improvement in both technical sophistication and operational ambition as shown in figure 1. 
