Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia
Table 1. Legitimate executables vulnerable to DLL sideloading abused by SHADOW-EARTH-053
SHADOW-EARTH-053 uses a legitimate Toshiba Bluetooth Stack executable, renamed to CIATosBtKbd.exe, to sideload a malicious DLL (TosBtKbd.dll). This loader employs a multistage evasion technique by retrieving its payload from the Windows Registry rather than embedding it within the binary. Upon execution, the loader calls GetComputerNameA to identify the host and access a machine-specific registry key at HKEY_CURRENT_USER\Software\[ComputerName]. From here, it retrieves a binary value named scode, which contains the shellcode payload.
The malware then allocates memory using VirtualAlloc (configured with PAGE_EXECUTE_READWRITE permissions) and executes the shellcode via callback injection. By passing the shellcode’s address as a callback parameter to the legitimate Windows API function EnumDesktopsA, the malware tricks the operating system into executing the malicious code during standard desktop enumeration. This method avoids direct execution calls that often trigger security monitoring systems. Persistence was achieved via a Scheduled Task named M1onltor, configured to run the sideloaded binary every five minutes with the highest privileges. Note that the specific shellcode payload could not be retrieved for analysis.
In several attacks, an executable named mdync.exe was deployed on the victim’s network. Although the file could not be retrieved for static analysis, endpoint telemetry reveals that the executable established beaconing connections to 141[.]164[.]46[.]77. We observed that this tool was dropped by the sideloaded DLL TosBtKbd.dll.
We observed the group leveraging the IOX proxy by creating local accounts and setting the LocalAccountTokenFilterPolicy value to 1. This configuration grants full administrative privileges to remote connections from all local administrators (and not just the built-in RID 500 account), enabling lateral movement via Pass-the-Hash.
Beyond IOX, we observed SHADOW-EARTH-053 deploying multiple tunneling tools within a single environment, suggesting a layered approach to maintaining covert communication channels. These include:
- GOST (GO Simple Tunnel): An open-source tunnel written in Go, GOST was used to establish SOCKS5 proxies and WebSocket-based tunnels to external infrastructure. The attacker configured both local SOCKS5 listeners and relay-based reverse tunnels to the IP address 96[.]9[.]125[.]227.
- Wstunnel: Another open-source tunneling tool deployed as wt.exe, Wstunnel was configured to tunnel SOCKS5 traffic over HTTPS to the same command-and-control (C&C) IP address.
We also saw the threat actor rename a tool from tunnel-core.exe to code.exe and pass a single parameter (client.toml) to it. We observed communications to the IP address 96[.]9[.]125[.]227 on port 8067; however, the tool itself was not available for further inspection.
The deployment of multiple tunneling tools to the same C&C address suggests operational redundancy, ensuring persistent outbound connectivity even if individual tools are detected and blocked. All tools were staged in C:\Users\Public, consistent with the group’s known preference for publicly writable staging directories.
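The tunnelling redundancy described above (GOST, Wstunnel and the renamed tunnel-core all reaching the same address from C:\Users\Public) is easy to surface from network-connection telemetry once the defanged indicators are turned back into matchable values. The script below is an added example written for this page, not code from the original report. The two defanged addresses are the ones quoted in the text above; the connection events, the destination port for mdync.exe, the browser's destination address and the event field names (Image, DestinationIp, DestinationPort) are constructed assumptions.

```python
"""Match connection telemetry against the C&C addresses named above and
surface tools that share a destination.

Added example, not code from the original report. Events are constructed.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

DEFANGED_IOCS = ["96[.]9[.]125[.]227", "141[.]164[.]46[.]77"]  # quoted from the text above
STAGING_DIRS = (r"c:\users\public", r"c:\programdata")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its usable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_ADDRESSES: Set[str] = {refang(i) for i in DEFANGED_IOCS}

SAMPLE_CONNECTIONS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\Public\gost.exe", "DestinationIp": "96.9.125.227", "DestinationPort": "443"},
    {"Image": r"C:\Users\Public\wt.exe", "DestinationIp": "96.9.125.227", "DestinationPort": "443"},
    {"Image": r"C:\Users\Public\code.exe", "DestinationIp": "96.9.125.227", "DestinationPort": "8067"},
    # Port for mdync.exe is not given in the report; 443 is a constructed value.
    {"Image": r"C:\Users\Public\mdync.exe", "DestinationIp": "141.164.46.77", "DestinationPort": "443"},
    # Benign browser traffic to a constructed (documentation-range) address.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # Internal SMB from the staging directory: not outbound, so only the C&C rule could fire.
    {"Image": r"C:\Users\Public\gost.exe", "DestinationIp": "10.0.0.5", "DestinationPort": "445"},
]


def _from_staging(image: str) -> bool:
    return image.lower().startswith(STAGING_DIRS)


def flag_connections(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """(image, ip:port, reasons) for each connection that matches a rule."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for ev in events:
        ip, port, image = ev["DestinationIp"], ev["DestinationPort"], ev["Image"]
        reasons: List[str] = []
        if ip in C2_ADDRESSES:
            reasons.append("known C&C address")
        # Anything in a staging directory talking to a non-private address is worth a look
        # even before the destination is known to be bad.
        if _from_staging(image) and not ipaddress.ip_address(ip).is_private:
            reasons.append("outbound from staging directory")
        if reasons:
            flagged.append((image, f"{ip}:{port}", reasons))
    return flagged


def redundant_tunnels(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Destinations reached by two or more distinct binaries.

    The layered tunnelling described in the report shows up as several tools
    sharing one C&C address, which is a stronger signal than any single tool.
    """
    by_dest: Dict[str, Set[str]] = {}
    for ev in events:
        tool = ev["Image"].rsplit("\\", 1)[-1].lower()
        by_dest.setdefault(ev["DestinationIp"], set()).add(tool)
    return {ip: sorted(tools) for ip, tools in by_dest.items() if len(tools) >= 2}


if __name__ == "__main__":
    for image, dest, reasons in flag_connections(SAMPLE_CONNECTIONS):
        print(f"{image} -> {dest}: {', '.join(reasons)}")
    print(redundant_tunnels(SAMPLE_CONNECTIONS))
```

The shared-destination check is the part that survives tool rotation: if one tunnel binary is blocked and replaced, the replacement still has to reach the same relay, so grouping connections by destination rather than by process name keeps the detection anchored to the infrastructure.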
In mid-December 2025, SHADOW-EARTH-053 retrieved one ShadowPad sample from the IP address 194[.]38[.]11[.]3 listening on port 1790. Sandbox telemetry showed Linux samples being retrieved from the same IP and port in early December. These samples were NOODLERAT ELF files, a malware family that is shared among multiple groups performing espionage or cybercrime, and which we have extensively covered in previous blog entries.
The NOODLERAT samples used the domain check[.]office365-update[.]com as C&C, which was registered on November 19, 2025. This domain name matches registration patterns found for other recent domain names belonging to SHADOW-EARTH-053. For these reasons, and following our threat attribution framework, we attribute these samples to SHADOW-EARTH-053 with low confidence. These samples were also observed by multiple vendors as part of the active exploitation of CVE-2025-55182 (React2Shell).
RingQ
In one targeted environment, we detected a sample of RingQ, which is an open-source tool of Chinese origin available on GitHub that is designed to pack malicious binaries in order to evade detection by security solutions.
The intrusion set also uses domain names that impersonate products, security solution companies, or are related to the DNS protocol, likely to make them appear legitimate.
We also observed the group renaming legitimate Windows system binaries to evade process-based detection. In one incident, net.exe was copied to C:\ProgramData with randomized filenames using a $[RANDOM].log naming pattern (e.g., $D5PLAA1.log, $9XF5WLD.log). PowerShell binaries were similarly disguised (e.g., $C06KCQ2.log, $VMB9AIT.log, $6T8BLJP.log). This technique targets security solutions that rely on process name matching rather than binary hash verification.
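The renaming described above defeats detections that key on the process name, but it does not change the PE version resource inside the file, and Sysmon process-creation events record that resource's OriginalFileName field alongside the on-disk name. The script below is an added example written for this page, not code from the original report; it compares the two and also flags the $[RANDOM].log pattern and executables carrying a non-executable extension. The process records are constructed for the illustration, and the Sysmon field names (Image, OriginalFileName, CommandLine, ParentImage) are the assumption it relies on.

```python
"""Detect renamed Windows binaries by comparing the on-disk name with the PE
version resource's OriginalFileName, which Sysmon event 1 records.

Added example, not code from the original report. Events are constructed.
"""
import re
from typing import Dict, List

# $[RANDOM].log naming pattern from the report: seven alphanumerics after '$'.
RANDOM_LOG_RE = re.compile(r"^\$[A-Z0-9]{7}\.log$", re.I)
# Extensions no executable should legitimately carry.
NON_EXEC_EXT = (".log", ".txt", ".dat", ".tmp")
# OriginalFileName values whose masquerading is worth an alert.
WATCHED_ORIGINALS = {"net.exe", "net1.exe", "powershell.exe", "rundll32.exe",
                     "cmd.exe", "wmic.exe", "reg.exe", "certutil.exe"}

SAMPLE_PROCS: List[Dict[str, str]] = [
    # Renamed net.exe as in the report (command line constructed).
    {"Image": r"C:\ProgramData\$D5PLAA1.log", "OriginalFileName": "net.exe",
     "CommandLine": r"C:\ProgramData\$D5PLAA1.log user",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Renamed PowerShell; the version resource still says PowerShell.EXE.
    {"Image": r"C:\ProgramData\$C06KCQ2.log", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"C:\ProgramData\$C06KCQ2.log -ep bypass -c whoami",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Legitimate net.exe from System32.
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net use", "ParentImage": r"C:\Windows\explorer.exe"},
    # Renamed PowerShell that does not use the .log pattern: still a masquerade.
    {"Image": r"C:\Users\bob\tools\ps.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"C:\Users\bob\tools\ps.exe -c Get-Date",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(proc: Dict[str, str]) -> List[str]:
    """Return the reasons this process creation looks like a renamed system binary."""
    name = _basename(proc["Image"])
    original = proc.get("OriginalFileName", "").lower()
    reasons: List[str] = []
    # Name matching is what the rename defeats; OriginalFileName survives it.
    if original in WATCHED_ORIGINALS and name.lower() != original:
        reasons.append("masquerade")
    if name.lower().endswith(NON_EXEC_EXT):
        reasons.append("non-exec-extension")
    if RANDOM_LOG_RE.match(name):
        reasons.append("random-log-name")
    return reasons


def scan(procs: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged image path to its reasons; clean processes are omitted."""
    flagged: Dict[str, List[str]] = {}
    for proc in procs:
        reasons = classify(proc)
        if reasons:
            flagged[proc["Image"]] = reasons
    return flagged


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_PROCS).items():
        print(f"{image}: {', '.join(reasons)}")
```

Of the three checks, the OriginalFileName comparison is the durable one: the other two depend on this group's current naming habit, whereas a renamed binary will mismatch its version resource whatever the new name looks like. Pairing it with hash verification, as the report suggests, closes the gap for binaries whose version resource has been stripped.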
SHADOW-EARTH-053 uses Windows Management Instrumentation Command-line (WMIC) for lateral movement, installing backdoors and tools onto additional hosts. We also observed the group deploying a suspected custom remote desktop protocol (RDP) launcher (under the name smss.exe) and a C# implementation of SMBExec known as Sharp-SMBExec.
In one environment, the group propagated web shells to additional internal Exchange servers by copying them over administrative shares (e.g., copy charcode.aspx \\[IP]\c$\inetpub\wwwroot\aspnet_client\system_web\). This technique allows rapid expansion across the Exchange infrastructure without deploying additional tooling, leveraging existing administrative credentials and the compromised web shell as an execution platform.
The group collects credentials that can be used to further its objectives, notably through the use of the Evil-CreateDump tool. The tool appears to be based on Microsoft’s create-dump.exe utility, likely modified to target LSASS process memory for credential extraction.
Mimikatz was executed directly via rundll32.exe with command-line arguments for credential extraction (sekurlsa::logonpasswords) and local SAM database dumping (lsadump::sam). These commands were spawned by the IIS worker process (w3wp.exe), confirming execution through a web shell.
Additionally, we observed the group dropping and executing a binary called newdcsync, which, based on the command line and filename, was likely used for DCSync attacks.
We observed the attacker deploying the RAR executable, and in one instance, we saw the creation of a password-protected RAR archive containing messages (a PST file) from an executive in the targeted company.
In one specific case, SHADOW-EARTH-053 used its access to the victim’s Exchange server to install a snap-in for Exchange management. The process revealed an iterative approach: initial attempts to enumerate mailboxes via Get-Mailbox failed, prompting the attacker to explicitly load the snap-in (Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn) and bypass execution policy. Subsequent iterations refined the technique further, switching from Get-Mailbox to Get-User for a broader scope, and adding fields such as userAccountControl and AccountDisabled to identify active high-value accounts. This progression from noisy initial attempts to more refined, stealthier commands was observed within a single session.
Additionally, the threat actor used a custom “ExchangeExport” tool to export the mailbox content of high-profile users via the Exchange Web Services (EWS) API. Microsoft observed similar activity by Silk Typhoon (Hafnium). Unfortunately, the tool could not be retrieved for further analysis.
Our investigation indicates that this campaign has a distinct geographic focus, primarily targeting governmental entities, mostly in Asia. Most observed targets were concentrated in South, East, and Southeast Asia, particularly:
- Pakistan
- Thailand
- Malaysia
- India
- Myanmar
- Sri Lanka
- Taiwan
Note that despite focusing on Asia, the threat actor’s footprint extended beyond this region, with at least one target in Poland. This distribution suggests a strategic interest in Asian geopolitical entities, while the global targets may indicate opportunistic exploitation or a broadening of the group’s scope.
Beyond the government sector, SHADOW-EARTH-053 also targeted the technology industry. In at least two countries, we observed the group focusing on IT consulting firms holding government contracts, particularly those that listed the Ministry of Defense as one of their customers.
Finally, we found a limited number of victims within the transportation industry in Southeast Asia.
Our investigation revealed that multiple targets were compromised up to 8 months before the deployment of ShadowPad, using identical entry points. In these earlier instances, the attackers gained access via vulnerable IIS or Microsoft Exchange servers and subsequently deployed web shells to maintain persistence.
Three possible scenarios may explain the relationship between the groups:
- Independent exploitation: SHADOW-EARTH-053 independently exploited these servers by leveraging the same vulnerabilities previously used by SHADOW-EARTH-054. This scenario matches the “Type A” collaboration from our Premier Pass-as-a-Service model published last year. This involves the deployment of backdoors through web shells, exploitation of vulnerable public facing servers, and similar initial access techniques. In such cases, any observed coordination between intrusion sets is likely incidental rather than intentional.
- Asset repurposing: SHADOW-EARTH-053 simply repurposed the web shells left behind from the earlier intrusion by SHADOW-EARTH-054.
- Same group: SHADOW-EARTH-053 and SHADOW-EARTH-054 are a single group using multiple TTPs.
In three recent cases, a malicious loader family attributed to SHADOW-EARTH-054 was detected in organizations previously targeted by SHADOW-EARTH-054 and later by SHADOW-EARTH-053. The same vulnerabilities were exploited again to deliver this loader, with no apparent connection to previously deployed malware. This pattern reinforces our assessment of a Type A collaboration — independent exploitation of the same vulnerabilities, with no evidence of operational coordination between the two intrusion sets. It also renders the third scenario unlikely, as targeting an already-compromised organization using a different malware toolkit would be operationally inconsistent.
In addition to the similarities in initial breach vectors, we identified significant overlap in post-exploitation capabilities. Both groups utilized an identical toolkit, leveraging a mix of custom-developed malware and utilities:
- Evil-CreateDump
- IOX Proxy
Notably, our analysis confirmed that these artifacts shared identical file hashes, indicating the use of the exact same binaries rather than just similar software.
Notably, the following activity sequence was observed at the same endpoints:
- Compromise with SHADOW-EARTH-054 malware (late 2024/early 2025).
- Deployment of ShadowPad implants by SHADOW-EARTH-053 (mid-2025).
- Re-exploitation by SHADOW-EARTH-054 (early 2026).
The following image shows the timeline of events: