{"id":60629,"date":"2026-04-30T00:00:00","date_gmt":"2026-04-30T00:00:00","guid":{"rendered":"urn:uuid:7d202be3-a35b-5b0d-d853-63fba7a1967a"},"modified":"2026-04-30T00:00:00","modified_gmt":"2026-04-30T00:00:00","slug":"inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/","title":{"rendered":"Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/shadow-earth_976:Large?qlt=80\"><\/p>\n<p><sup>Table 1. Legitimate executables vulnerable to DLL sideloading abused by SHADOW\u2011EARTH\u2011053<\/sup><\/p>\n<p>SHADOW-EARTH-053 uses a legitimate Toshiba Bluetooth Stack executable, renamed to <i>CIATosBtKbd.exe<\/i>, to sideload a malicious DLL (<i>TosBtKbd.dll<\/i>). The loader does not carry its payload: instead of embedding the shellcode in the binary, it stages it in the Windows Registry and reads it back at run time. Upon execution, the loader calls <i>GetComputerNameA<\/i> to obtain the host name and opens a machine-specific registry key at <i>HKEY_CURRENT_USER\\Software\\[ComputerName]<\/i>. From there, it reads a binary value named <i>scode<\/i>, which holds the shellcode. Because the key is named after the host and lives under HKCU, a copy of the DLL collected on its own contains nothing executable; the payload has to be recovered from the registry value of the affected user profile.<\/p>\n<p>The loader then allocates a buffer with VirtualAlloc (<i>PAGE_EXECUTE_READWRITE<\/i>), copies the shellcode into it and runs it via callback injection. 
By passing the shellcode\u2019s address as the callback parameter to the legitimate Windows API function <i>EnumDesktopsA<\/i>, the malware has the operating system itself invoke the malicious code during desktop enumeration. This avoids a direct call or a new thread starting in unbacked executable memory, which are the events security monitoring typically keys on. Persistence was achieved via a Scheduled Task named <i>M1onltor<\/i>, configured to run the sideloaded binary every five minutes with the highest privileges. Note that the specific shellcode payload could not be retrieved for analysis.<\/p>\n<p>In several attacks, an executable named <i>mdync.exe<\/i> was deployed on the victim&#8217;s network. Although the file could not be retrieved for static analysis, endpoint telemetry shows that the executable established beaconing connections to 141[.]164[.]46[.]77. We observed that this tool was dropped by the sideloaded DLL <b><i>TosBtKbd.dll<\/i><\/b>.<\/p>\n<p>We observed the group deploying the <a href=\"https:\/\/github.com\/EddieIvan01\/iox\/\">IOX<\/a> proxy, creating local accounts, and setting the <i>LocalAccountTokenFilterPolicy<\/i> registry value to 1. This value (under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System; it should be absent or 0) disables UAC remote restrictions for local accounts: a network logon by any member of the local Administrators group then receives a full administrative token, a privilege otherwise reserved for the built-in RID 500 Administrator account. That is what makes Pass-the-Hash with a local account&#8217;s hash usable for lateral movement to that host.<\/p>\n<p>Beyond IOX, we observed SHADOW-EARTH-053 deploying multiple tunneling tools within a single environment, suggesting a layered approach to maintaining covert communication channels. These include:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">GOST (GO Simple Tunnel): An open-source tunnel written in Go, GOST was used to establish SOCKS5 proxies and WebSocket-based tunnels to external infrastructure. 
The attacker configured both local SOCKS5 listeners and relay-based reverse tunnels to the IP address 96[.]9[.]125[.]227.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Wstunnel: Another open-source tunneling tool, deployed as <i>wt.exe<\/i> and configured to tunnel SOCKS5 traffic over HTTPS to the same command-and-control (C&amp;C) IP address.<\/span><\/li>\n<\/ul>\n<p>We also saw the threat actor rename a tool from <i>tunnel-core.exe<\/i> to <i>code.exe<\/i> and pass it a single parameter (<i>client.toml<\/i>). We observed communications to the IP address 96[.]9[.]125[.]227 on port 8067; the tool itself was not available for further inspection.<\/p>\n<p>The deployment of multiple tunneling tools to the same C&amp;C address suggests operational redundancy, ensuring persistent outbound connectivity even if individual tools are detected and blocked. All tools were staged in C:\\Users\\Public, consistent with the group&#8217;s known preference for publicly writable staging directories.<\/p>\n<p>In mid-December 2025, SHADOW-EARTH-053 retrieved one ShadowPad sample from the IP address 194[.]38[.]11[.]3 listening on port 1790. Sandbox telemetry showed Linux samples being retrieved from the same IP and port in early December. These samples were <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/noodle-rat-reviewing-the-new-backdoor-used-by-chinese-speaking-g.html\">NOODLERAT<\/a> ELF files, a malware family shared among multiple groups performing espionage or cybercrime, and which we have <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/noodle-rat-reviewing-the-new-backdoor-used-by-chinese-speaking-g.html\">covered<\/a> extensively in previous blog entries.<\/p>\n<p>The NOODLERAT samples used the domain check[.]office365-update[.]com as C&amp;C, which was registered on November 19, 2025. 
This domain name matches registration patterns found for other recent domain names belonging to SHADOW-EARTH-053. For these reasons, and following our <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/threat-attribution-framework-how-trendai-applies-structure-over-speculation\">threat attribution framework<\/a>, we attribute these samples to SHADOW-EARTH-053 with low confidence. These samples were also observed by <a href=\"https:\/\/www.sophos.com\/en-us\/blog\/react2shell-flaw-cve-2025-55182-exploited-for-remote-code-execution\">multiple<\/a> <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/threat-actors-exploit-react2shell-cve-2025-55182\">vendors<\/a> as part of the active exploitation of <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/12\/15\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/\">CVE-2025-55182<\/a> (React2Shell).<\/p>\n<p><b>RingQ<\/b><\/p>\n<p>In one targeted environment, we detected a sample of RingQ, an open-source tool of Chinese origin available on GitHub that packs malicious binaries in order to evade detection by security solutions.<\/p>\n<p>The intrusion set also uses domain names that impersonate products or security vendors, or that reference the DNS protocol, likely to make them appear legitimate.<\/p>\n<p>We also observed the group renaming legitimate Windows system binaries to evade process-based detection. In one incident, <i>net.exe<\/i> was copied to C:\\ProgramData under randomized filenames following a <i>$[RANDOM].log<\/i> naming pattern (e.g., <i>$D5PLAA1.log<\/i>, <i>$9XF5WLD.log<\/i>). PowerShell binaries were disguised the same way (e.g., <i>$C06KCQ2.log<\/i>, <i>$VMB9AIT.log<\/i>, <i>$6T8BLJP.log<\/i>). 
This defeats detections keyed on the process or file name. A renamed copy keeps its file hash, its Authenticode signature and the OriginalFilename field of its version resource, so a hunt should compare those against the name the file runs under, and treat a signed Microsoft binary executing from C:\\ProgramData under a .log extension as suspicious regardless of its name.<\/p>\n<p>SHADOW-EARTH-053 uses Windows Management Instrumentation Command-line (WMIC) for lateral movement, installing backdoors and tools onto additional hosts. We also observed the group deploying a suspected custom remote desktop protocol (RDP) launcher (under the name <i>smss.exe<\/i>) and a C# implementation of SMBExec known as <a href=\"https:\/\/github.com\/checkymander\/Sharp-SMBExec\/\">Sharp-SMBExec<\/a>.<\/p>\n<p>In one environment, the group propagated web shells to additional internal Exchange servers by copying them over administrative shares (e.g., <i>copy charcode.aspx \\\\[IP]\\c$\\inetpub\\wwwroot\\aspnet_client\\system_web\\<\/i>). This allows rapid expansion across the Exchange infrastructure without deploying additional tooling, leveraging existing administrative credentials and the compromised web shell as an execution platform.<\/p>\n<p>The group collects credentials that can be used to further its objectives, notably through the use of the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/0eb72c1f1605d999488d903021d82a9ff4b937e6c1a1da50c55440f018e83ad9\/detection\">Evil-CreateDump<\/a> tool. The tool appears to be based on Microsoft&#8217;s <a href=\"https:\/\/fossies.org\/windows\/misc\/PowerShell-7.5.4-win-x64.zip\/\"><i>create-dump.exe<\/i><\/a> utility (shipped with PowerShell 7), likely modified to target LSASS process memory for credential extraction.<\/p>\n<p>Mimikatz was executed directly via <i>rundll32.exe<\/i> with command-line arguments for credential extraction (sekurlsa::logonpasswords) and local SAM database dumping (lsadump::sam). 
These commands were spawned by the IIS worker process (<i>w3wp.exe<\/i>), confirming execution through a web shell.<\/p>\n<p>Additionally, we observed the group dropping and executing a binary called <i>newdcsync<\/i>, which, based on the command line and filename, was likely used for DCSync attacks.<\/p>\n<p>We observed the attacker deploying the RAR executable, and in one instance, we saw the creation of a password-protected RAR archive containing messages (a PST file) from an executive in the targeted company.<\/p>\n<p>In one specific case, SHADOW-EARTH-053 used its access to the victim\u2019s Exchange server to load the Exchange Management PowerShell snap-in. The process revealed an iterative approach: initial attempts to enumerate mailboxes via Get-Mailbox failed, prompting the attacker to explicitly load the snap-in (<i>Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn<\/i>) and bypass the execution policy. Subsequent iterations refined the technique further, switching from Get-Mailbox to Get-User for a broader scope, and adding fields such as userAccountControl and AccountDisabled to identify active high-value accounts. This progression from noisy initial attempts to more refined, stealthier commands was observed within a single session.<\/p>\n<p>Additionally, the threat actor used a custom \u201cExchangeExport\u201d tool to export the mailbox content of high-profile users via the Exchange Web Services (EWS) API. Microsoft observed similar activity by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/05\/silk-typhoon-targeting-it-supply-chain\/\">Silk Typhoon<\/a> (Hafnium). Unfortunately, the tool could not be retrieved for further analysis.<\/p>\n<p>Our investigation indicates that this campaign has a distinct geographic focus, primarily targeting governmental entities, mostly in Asia. 
Most observed targets were concentrated in South, East, and Southeast Asia, particularly:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Pakistan<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Thailand<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Malaysia<\/span><\/li>\n<li><span class=\"rte-red-bullet\">India<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Myanmar<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Sri Lanka<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Taiwan<\/span><\/li>\n<\/ul>\n<p>Note that despite focusing on Asia, the threat actor\u2019s footprint extended beyond this region, with at least one target in Poland. This distribution suggests a strategic interest in Asian geopolitical entities, while the targets outside the region may indicate opportunistic exploitation or a broadening of the group\u2019s scope.<\/p>\n<p>Beyond the government sector, SHADOW-EARTH-053 also targeted the technology industry. In at least two countries, we observed the group focusing on IT consulting firms holding government contracts, particularly those that listed the Ministry of Defense as one of their customers.<\/p>\n<p>Finally, we found a limited number of victims within the transportation industry in Southeast Asia.<\/p>\n<p>Our investigation revealed that multiple targets were compromised up to eight months before the deployment of ShadowPad, using identical entry points. In these earlier instances, the attackers gained access via vulnerable IIS or Microsoft Exchange servers and subsequently deployed web shells to maintain persistence.<\/p>\n<p>Three possible scenarios may explain the relationship between SHADOW-EARTH-053 and the intrusion set behind these earlier compromises, which we track as SHADOW-EARTH-054:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Independent exploitation:<\/b> SHADOW-EARTH-053 independently exploited these servers by leveraging the same vulnerabilities previously used by SHADOW-EARTH-054. 
This scenario matches the &#8220;Type A&#8221; collaboration from our Premier Pass-as-a-Service model <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/j\/premier-pass-as-a-service.html\">published<\/a> last year. It involves the deployment of backdoors through web shells, exploitation of vulnerable public-facing servers, and similar initial access techniques. In such cases, any observed coordination between intrusion sets is likely incidental rather than intentional.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Asset repurposing:<\/b> SHADOW-EARTH-053 simply repurposed the web shells left behind from the earlier intrusion by SHADOW-EARTH-054.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Same group:<\/b> SHADOW-EARTH-053 and SHADOW-EARTH-054 are a single group using multiple TTPs.<\/span><\/li>\n<\/ul>\n<p>In three recent cases, a malicious loader family attributed to SHADOW-EARTH-054 was detected in organizations previously targeted by SHADOW-EARTH-054 and later by SHADOW-EARTH-053. The same vulnerabilities were exploited again to deliver this loader, with no apparent connection to previously deployed malware. This pattern reinforces our assessment of a Type A collaboration: independent exploitation of the same vulnerabilities, with no evidence of operational coordination between the two intrusion sets. It also renders the third scenario unlikely, as re-targeting an already-compromised organization with a different malware toolkit would be operationally inconsistent for a single group.<\/p>\n<p>In addition to the similarities in initial breach vectors, we identified significant overlap in <b>post-exploitation capabilities<\/b>. 
Both groups utilized an identical toolkit, leveraging a mix of custom-developed malware and utilities:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Evil-CreateDump<\/span><\/li>\n<li><span class=\"rte-red-bullet\">IOX Proxy<\/span><\/li>\n<\/ul>\n<p>Notably, our analysis confirmed that these artifacts shared <b>identical file hashes<\/b>, indicating the use of the exact same binaries rather than just similar software.<\/p>\n<p>The following activity sequence was observed at the same endpoints:<\/p>\n<ol>\n<li>Compromise with SHADOW-EARTH-054 malware (late 2024\/early 2025).<\/li>\n<li>Deployment of ShadowPad implants by SHADOW-EARTH-053 (mid-2025).<\/li>\n<li>Re-exploitation by SHADOW-EARTH-054 (early 2026).<\/li>\n<\/ol>\n<p>A timeline of these events is illustrated in the full report.<\/p>\n<p>Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/d\/inside-shadow-earth-053.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A China-aligned threat group is exploiting unpatched Microsoft Exchange vulnerabilities to conduct cyberespionage against government and critical infrastructure targets across Asia and beyond. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":60630,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9511,9513,9509],"class_list":["post-60629","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-30T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/shadow-earth_976:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in 
Asia\",\"datePublished\":\"2026-04-30T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/\"},\"wordCount\":1600,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia.png\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/\",\"name\":\"Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia.png\",\"datePublished\":\"2026-04-30T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-
government-and-defense-sectors-in-asia.png\",\"width\":976,\"height\":533},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/","og_locale":"en_US","og_type":"article","og_title":"Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-30T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/shadow-earth_976:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia","datePublished":"2026-04-30T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/"},"wordCount":1600,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia.png","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/","url":"https:\/\/www.threatshub.org\/blog\/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-sectors-in-asia\/","name":"Inside 
Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia 2026 | ThreatsHub Cybersecurity News"}]}}}