Threat Intelligence

Shadow-Earth-053: China-Aligned Espionage Across Asia and a NATO State (May 2026)

Trend Micro's May 1, 2026 disclosure of Shadow-Earth-053 documents a China-aligned campaign exploiting N-day Exchange and IIS flaws to plant Godzilla web shells and ShadowPad across government, defense, and civil-society targets in eight-plus countries.

Safeguard Research Team

On 1 May 2026, Trend Micro researchers Daniel Lunghi and Lucas Silva published an analysis of a China-aligned cyberespionage campaign they track as Shadow-Earth-053. The campaign is notable less for any single novel technique than for its breadth and its target selection: government ministries, defense-adjacent contractors, and transportation organizations in at least eight countries, seven of them in Asia plus one European NATO member (Poland), alongside journalists and diaspora activists from Uyghur, Tibetan, Taiwanese, and Hong Kong communities.

This pairing — government and defense targets on one hand, civil-society and diaspora targets on the other — is a recurring signature of China-aligned operations, and it is the part defenders outside the named victim set should pay closest attention to. The intrusion tradecraft is conventional: exploit an unpatched internet-facing server, drop a web shell, establish persistence with a known backdoor, and move laterally. That conventionality is the point. Shadow-Earth-053 did not need zero-days. It needed organizations that had not patched.

We summarize Trend Micro's reporting below, flag what is attributed versus inferred, and translate the technical chain into detection and remediation steps. Attribution to a "China-aligned" cluster is Trend Micro's assessment based on tooling, infrastructure, and victimology overlap; we report it as such.

TL;DR

  • Trend Micro disclosed Shadow-Earth-053, a China-aligned espionage campaign, on 1 May 2026; it relates the cluster to prior activity tracked as CL-STA-0049, Earth Alux, and REF7707.
  • Targets span Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland — government, defense-adjacent, and transportation organizations — plus journalists (including ICIJ members) and diaspora activists.
  • Initial access was primarily N-day exploitation of internet-facing Microsoft Exchange and IIS servers (e.g., the ProxyLogon chain), not zero-days.
  • The actors deployed the Godzilla web shell for persistence and staged ShadowPad via DLL sideloading of legitimately signed executables; a Linux backdoor (Noodle RAT / ANGRYREBEL variant) was also observed.
  • Post-exploitation tooling included Mimikatz, Sharp-SMBExec, RingQ, and tunneling utilities IOX, GOST, and Wstunnel; phishing used credential harvesting, OAuth token manipulation, and 1x1 tracking pixels.
  • Key action: this is an N-day and patch-hygiene problem first. Find and patch internet-facing Exchange/IIS, hunt for Godzilla web shells and sideloading artifacts, and treat unpatched edge systems as compromised until proven otherwise.

What happened

Trend Micro's report describes a long-running cluster, first reported to its private Threat Intelligence Hub subscribers earlier in 2026 and publicly disclosed on 1 May 2026. The campaign's dual targeting is the defining feature.

The government and defense side hit ministries, defense-adjacent contractors, and transportation organizations across Asia. The named countries are Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan in Asia, plus Poland as the sole European/NATO target. Trend Micro situates Shadow-Earth-053 alongside related clusters it references as CL-STA-0049, Earth Alux, and REF7707, and notes secondary activity it associates with names such as GLITTER CARP and SEQUIN CARP.

The civil-society side targeted journalists — including members of the International Consortium of Investigative Journalists (ICIJ) — and activists from Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora groups. Trend Micro credits Citizen Lab with insight into the phishing campaigns against these targets, and notes supplementary observations from Proofpoint. This is the classic transnational-repression pattern layered on top of strategic espionage.

How the attack worked

The intrusion chain Trend Micro documents is methodical and, importantly, built on known vulnerabilities.

Initial access: N-day exploitation of edge servers

The actors exploited long-known but still-unpatched vulnerabilities in internet-facing Microsoft Exchange and IIS servers — the ProxyLogon-style chains are cited as representative. These are bugs with patches available for years. The campaign's success against them is a patch-management indictment, not a sophistication story.

Persistence: Godzilla web shells

After exploitation, the actors deployed the Godzilla web shell to maintain persistent access to the compromised servers. Godzilla is a well-documented web shell manager whose server-side stubs accept AES-encrypted (or base64-encoded) payloads in ordinary HTTP POST bodies, so its traffic blends with normal web activity. Its presence on an Exchange or IIS host is a strong compromise indicator.

Backdoor staging: ShadowPad via DLL sideloading

The actors staged ShadowPad — a modular backdoor associated with multiple China-nexus operations — using DLL sideloading. The pattern: drop a legitimately signed executable alongside a malicious DLL that the executable loads, so the malicious code runs under the cover of a trusted binary. A Linux-targeting backdoor that Trend Micro relates to Noodle RAT / ANGRYREBEL was also observed.

Structurally, the staging looks like the following directory layout. It is an illustrative sketch, not a working sample:

# Illustrative DLL-sideloading layout (not functional malware)
C:\ProgramData\<vendor>\
  ├─ TrustedSignedApp.exe      # legitimate, signed binary
  ├─ version.dll               # malicious loader — sideloaded by the EXE
  └─ data.dat                  # encrypted ShadowPad payload, decrypted by loader

Lateral movement and exfiltration

Post-exploitation, the actors used Mimikatz for credential theft, Sharp-SMBExec and RingQ for lateral movement and execution, and the tunneling tools IOX, GOST, and Wstunnel to relay traffic and exfiltrate data while masking their paths. Against the civil-society targets, the phishing tradecraft included credential-harvesting pages, OAuth token manipulation, and 1x1 tracking pixels to confirm reads and profile recipients.

What detection looks like

Concrete signals, prioritized to the most reliable indicators:

  • Web shells on Exchange/IIS. Hunt for newly written .aspx, .ashx, or .asp files in IIS web roots (Godzilla also ships JSP and PHP stubs for other server stacks), especially with recent timestamps, obfuscated content, or handlers that receive opaque encoded POST bodies and serve no normal page. Godzilla traffic often shows distinctive header and body encoding.
  • DLL sideloading artifacts. Alert when a signed executable in a non-standard directory (e.g., ProgramData, user temp paths) loads an unsigned or mismatched DLL such as version.dll. Correlate signed-EXE plus suspicious-DLL pairs.
  • Exchange/IIS exploitation telemetry. Monitor IIS logs for ProxyLogon-style request patterns (pre-auth SSRF to backend endpoints, autodiscover path abuse) and process telemetry for unexpected child processes such as cmd.exe or powershell.exe spawned by w3wp.exe; IIS logs alone do not record process creation.
  • Credential-access and lateral-movement tooling. Mimikatz, Sharp-SMBExec, and RingQ have well-known behavioral and on-disk signatures. Tunneling tools IOX, GOST, and Wstunnel generate anomalous long-lived outbound connections.
  • Phishing against high-risk individuals. For organizations with journalists or activists, watch for OAuth consent grants to unfamiliar apps and 1x1 tracking-pixel beacons in inbound mail.
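The "Exchange/IIS exploitation telemetry" signal above, as an added example that is not part of the original page or of Trend Micro's reporting: a small hunt over IIS W3C log lines that flags ProxyShell-style autodiscover path confusion, POSTs to the static-looking ECP/OWA paths that ProxyLogon exploitation used, and unauthenticated POSTs to script files under the directories web shells were dropped into. The W3C field order, the request patterns (taken from public ProxyLogon/ProxyShell post-incident guidance), the OWA allow-list, and the log excerpt are all assumptions to tune against your own servers; the log lines are constructed, not real traffic.

```python
"""Hunt ProxyLogon/ProxyShell-style request patterns in IIS W3C logs.

Added example, not the page's or Trend Micro's tooling. The request patterns are
heuristics from public ProxyLogon/ProxyShell post-incident guidance and are
assumptions to tune; the log lines below are constructed, not real traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# W3C field order assumed here; read the #Fields: line of your own logs instead.
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
              "sc-substatus sc-win32-status time-taken").split()

# Static-looking ECP/OWA paths that ProxyLogon exploitation POSTed to.
PROXYLOGON_TARGETS = re.compile(
    r"^/(ecp/(default\.flt|main\.css|[a-z]\.js)"
    r"|owa/auth/current/themes/resources/[^/]+\.aspx)$", re.I)
# ProxyShell path confusion: autodiscover.json immediately followed by '?@' or '@'.
# A legitimate request looks like autodiscover.json?Email=user@..., which does not match.
PROXYSHELL = re.compile(r"autodiscover\.json\??@", re.I)
# Script files under directories web shells were dropped into during these campaigns.
WEBSHELL_PATH = re.compile(r"^/(aspnet_client|owa/auth)/.+\.aspx$", re.I)
# Legitimate OWA pages living under /owa/auth/ (assumption: tune to your build).
OWA_AUTH_PAGES = {"logon.aspx", "errorfe.aspx", "expiredpassword.aspx"}


def parse_iis_line(line):
    """Parse one W3C log line into a dict, or None for comment/malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def classify(rec):
    """Return the list of hunt rules a parsed request trips (empty if none)."""
    stem = unquote(rec["cs-uri-stem"])
    query = unquote(rec["cs-uri-query"])
    method = rec["cs-method"].upper()
    findings = []
    if PROXYSHELL.search(stem + "?" + query):
        findings.append("proxyshell-path-confusion")
    if method == "POST" and PROXYLOGON_TARGETS.match(stem):
        findings.append("proxylogon-ssrf-target")
    if (method == "POST" and WEBSHELL_PATH.match(stem)
            and stem.rsplit("/", 1)[-1].lower() not in OWA_AUTH_PAGES
            and rec["cs-username"] == "-"):
        findings.append("unauthenticated-post-to-webshell-path")
    return findings


def hunt(lines):
    """Return [(client_ip, uri_stem, findings)] for every line that trips a rule."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], findings))
    return hits


def by_source(hits):
    """Count hits per client IP: one source tripping several rules is the signal."""
    return Counter(ip for ip, _, _ in hits)


# Constructed IIS log excerpt (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-04-20 03:12:44 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 128
2026-04-20 03:13:02 10.0.0.5 POST /ecp/y.js - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 45
2026-04-20 03:14:10 10.0.0.5 POST /owa/auth/Current/themes/resources/ocvg.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 30
2026-04-20 03:15:55 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 12
2026-04-20 09:01:12 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.corp.example%2Fowa 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 8
2026-04-20 09:02:33 10.0.0.5 POST /autodiscover/autodiscover.json Email=alice%40corp.example&Protocol=ActiveSync 443 CORP\\alice 203.0.113.9 Outlook/16.0 - 200 0 0 60
"""

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for ip, stem, why in hits:
        print(ip, stem, why)
    print(by_source(hits))
```

The rules are deliberately narrow so they can run over years of logs without drowning in legitimate autodiscover traffic; the point of `by_source` is that a single client tripping the path-confusion rule and then POSTing to a fresh .aspx minutes later is the shape of this campaign's initial access, and that sequence is what should page someone.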

Illustrative hunt logic for sideloading; adapt the field names to your EDR schema:

# Illustrative — adapt field names to your tooling.
ALERT WHEN
  module.signed = false
  AND parent_process.signed = true
  AND parent_process.path NOT IN known_install_dirs
  AND module.name IN ("version.dll","wininet.dll","dbghelp.dll")
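The same rule implemented over image-load events, as an added example that is not part of the original page or of Trend Micro's reporting. It keeps the page's DLL name list and signed-host/unsigned-module condition, and adds one refinement: a DLL sitting in the executable's own directory (classic search-order sideloading) is rated higher than one loaded from elsewhere. The event field names, the `KNOWN_INSTALL_DIRS` allow-list, and the sample events are assumptions; the events are constructed, not real telemetry.

```python
"""Sideloading hunt over module-load events.

Added example, not Trend Micro's or Safeguard's tooling. The event fields,
the install-directory allow-list and the sample events are assumptions; map
them to your EDR's schema and estate.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# System DLL names commonly abused for search-order sideloading (the page's list).
SIDELOAD_DLLS = {"version.dll", "wininet.dll", "dbghelp.dll"}

# Where signed vendor software legitimately runs from. Assumption: tune per estate.
KNOWN_INSTALL_DIRS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


@dataclass(frozen=True)
class ModuleLoad:
    """One image-load event: which process loaded which DLL, and signer status."""
    process_path: str
    process_signed: bool
    module_path: str
    module_signed: bool


def _under(path: str, roots) -> bool:
    """Case-insensitive prefix test, because NTFS paths are case-insensitive."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for root in roots:
        rparts = [p.lower() for p in root.parts]
        if parts[: len(rparts)] == rparts:
            return True
    return False


def assess(ev: ModuleLoad):
    """Return None if the load is benign under the rule, else a severity string."""
    module = PureWindowsPath(ev.module_path)
    if module.name.lower() not in SIDELOAD_DLLS:
        return None
    if ev.module_signed or not ev.process_signed:
        return None  # rule requires a signed host process loading an unsigned module
    if _under(ev.process_path, KNOWN_INSTALL_DIRS):
        return None  # allow-listed location (a known blind spot, see note below)
    # Classic search-order sideload: the DLL sits in the EXE's own directory.
    if module.parent == PureWindowsPath(ev.process_path).parent:
        return "high"
    return "medium"


def hunt(events):
    """Return [(severity, process_path, module_path)] for suspicious loads."""
    out = []
    for ev in events:
        severity = assess(ev)
        if severity:
            out.append((severity, ev.process_path, ev.module_path))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # signed EXE in ProgramData loading an unsigned version.dll beside it: the pattern
    ModuleLoad(r"C:\ProgramData\Acme\TrustedSignedApp.exe", True,
               r"C:\ProgramData\Acme\version.dll", False),
    # normal: vendor app loading the real, signed version.dll from System32
    ModuleLoad(r"C:\Program Files\Vendor\app.exe", True,
               r"C:\Windows\System32\version.dll", True),
    # signed tool in Temp, but the module is the genuine signed dbghelp.dll
    ModuleLoad(r"C:\Users\u\AppData\Local\Temp\tool.exe", True,
               r"C:\Windows\System32\dbghelp.dll", True),
    # unsigned wininet.dll from a subdirectory, not beside the EXE
    ModuleLoad(r"C:\Users\u\AppData\Local\Temp\tool.exe", True,
               r"C:\Users\u\AppData\Local\Temp\lib\wininet.dll", False),
    # unsigned EXE: outside this rule (other rules should catch it)
    ModuleLoad(r"C:\Users\u\AppData\Local\Temp\unsigned.exe", False,
               r"C:\Users\u\AppData\Local\Temp\version.dll", False),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit)
```

The `KNOWN_INSTALL_DIRS` exclusion is what keeps the rule quiet on workstations, and it is also the rule's blind spot: an actor who can write into a vendor's Program Files directory beside its signed executable evades it, so pair this with file-creation telemetry for DLLs landing in those directories.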

What to do Monday morning

Ordered by urgency:

  1. Find and patch internet-facing Exchange and IIS. This campaign runs on N-days. Enumerate every externally reachable Exchange/IIS instance, confirm patch level against the ProxyLogon family and later Exchange CVEs, and patch or take offline anything behind.
  2. Hunt for Godzilla and other web shells on those hosts. Treat unpatched edge servers as compromised until you have hunted. Inspect web roots for recently modified handler files and anomalous encoded traffic.
  3. Sweep for DLL-sideloading pairs. Search for signed executables running from non-standard paths alongside suspicious DLLs; ShadowPad staging depends on this technique.
  4. Rotate credentials exposed to compromised hosts. If a server is suspect, assume Mimikatz harvested cached credentials. Reset and force re-authentication for affected accounts and service principals.
  5. Review OAuth grants and tracking-pixel beacons for any high-risk users (journalists, activists, executives) and revoke unfamiliar app consents.
  6. Decommission unsupported edge devices and servers. End-of-support internet-facing systems are the exact attack surface this campaign exploits.
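Step 2 above in code, as an added example that is not part of the original page or of Trend Micro's reporting: a sweep of an IIS web root that flags handler files modified after a baseline, files carrying strings typical of .NET in-memory loaders such as Godzilla's C# stubs, and files whose content is an opaque high-entropy blob. The marker strings, the entropy threshold, and the fixture web root it builds in a temporary directory are assumptions; the fixture files are constructed and the "loader" file contains marker strings only, not a working shell.

```python
"""Sweep an IIS/Exchange web root for handler files with web-shell traits.

Added example, not Trend Micro's or Safeguard's tooling. The marker strings are
heuristics for Godzilla-style .NET loader stubs and the entropy threshold is an
assumption; the web root built below is a constructed fixture, not real data.
"""
import base64
import math
import os
import re
import tempfile
import time
from collections import Counter
from pathlib import Path

HANDLER_EXT = {".aspx", ".ashx", ".asmx", ".asp"}
# Strings typical of .NET in-memory loaders such as Godzilla's C# stubs (heuristic).
MARKERS = [r"Assembly\.Load", r"RijndaelManaged|AesCryptoServiceProvider",
           r"CreateDecryptor", r"Request\.BinaryRead", r"Request\.Form\["]
ENTROPY_THRESHOLD = 5.5  # bits/byte; source code sits below, base64 blobs above (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; near 6.0 for base64, roughly 4.5-5.0 for source."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(path: Path, baseline_ts: float):
    """Reasons a handler file deserves a look; an empty list means nothing stood out."""
    data = path.read_bytes()
    text = data.decode("utf-8", "replace")
    reasons = []
    if path.stat().st_mtime > baseline_ts:
        reasons.append("modified-after-baseline")
    hits = [m for m in MARKERS if re.search(m, text)]
    if len(hits) >= 2:
        reasons.append("loader-markers:" + ";".join(hits))
    if len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def sweep(root, baseline_ts: float):
    """Map relative path -> reasons for every handler file under root that tripped a check."""
    root = Path(root)
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in HANDLER_EXT:
            reasons = assess(p, baseline_ts)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_fixture():
    """Create a throwaway web root with one benign page and two suspicious handlers."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    benign = root / "owa" / "auth" / "logon.aspx"
    benign.parent.mkdir(parents=True)
    benign.write_text('<%@ Page Language="C#" %><html><body><form runat="server">'
                      '<asp:TextBox ID="username" runat="server"/></form></body></html>')
    month_ago = time.time() - 30 * 86400
    os.utime(benign, (month_ago, month_ago))  # shipped with the product, not recent
    loader = root / "aspnet_client" / "system_web" / "help.aspx"
    loader.parent.mkdir(parents=True)
    loader.write_text(  # constructed fixture carrying loader markers; not a working shell
        '<%@ Page Language="C#" %><%@ Import Namespace="System.Reflection" %><%\n'
        'byte[] c = Request.BinaryRead(Request.ContentLength);\n'
        'var d = new System.Security.Cryptography.RijndaelManaged().CreateDecryptor();\n'
        'Assembly.Load(/* ... */);\n%>')
    blob = root / "ecp" / "cache.ashx"
    blob.parent.mkdir(parents=True)
    blob.write_bytes(base64.b64encode(bytes(range(256))))  # opaque staged payload
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    for rel, why in sorted(sweep(fixture, time.time() - 86400).items()):
        print(rel, why)
```

Run it against a real web root with a baseline of the last known-good deployment date rather than "24 hours ago", and expect a handful of false positives from legitimate vendor handlers: the value is the short list to read by hand, not a verdict. Timestamps can be forged by the attacker, which is why the marker and entropy checks run regardless of mtime.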

Why this keeps happening

The structural problem is that internet-facing servers running widely deployed software remain unpatched for years, and the most capable espionage actors have industrialized the exploitation of that gap. Shadow-Earth-053 needed no zero-day because enough organizations leave Exchange and IIS exposed and behind on patches. The civil-society targeting compounds the harm: journalists and diaspora activists rarely have enterprise-grade defenses, and the same actor pivots from a hardened government network to an undefended individual using the same toolkit.

Mandiant's broader 2026 reporting has flagged the same macro trend — exploitation of vulnerabilities overtaking phishing as the leading initial-access vector, with edge and core network devices deliberately targeted because they lack EDR telemetry. Shadow-Earth-053 is a concrete instance of that pattern.

The structural fix

No tool prevents a state-aligned actor from trying. What shortens dwell time is closing the N-day window and catching post-exploitation faster. Reducing the patch backlog with reachability analysis lets teams prioritize the internet-facing, exploitable flaws that campaigns like this depend on, and zero-day response workflows compress the gap between an advisory and a deployed fix on exposed servers. For the sideloading and signed-binary abuse, supply-chain integrity controls (verifying provenance and signatures via SLSA provenance and Sigstore/Cosign) make it harder for a malicious DLL to ride a trusted executable unnoticed, and policy enforcement can flag drift on edge hosts. The caveat is that in sideloading the host executable's signature is genuine, so checking the EXE alone proves nothing; the control has to cover the modules loaded beside it, whether through an allow-list of expected DLLs and their hashes or a code-integrity policy that refuses unsigned DLLs in the application directory. These reduce blast radius; they do not guarantee prevention.

What we know we don't know

Trend Micro's attribution to a China-aligned cluster is an assessment from tooling, infrastructure, and victimology, not a government attribution statement. The exact relationship between Shadow-Earth-053 and the related clusters (CL-STA-0049, Earth Alux, REF7707) is described as overlapping rather than identical, and the threat-intelligence community frequently splits and merges such clusters as evidence accumulates. The full victim count beyond the named countries is not public, and Trend Micro notes additional likely-affected organizations it did not enumerate. Treat the campaign and tradecraft as well-documented and the precise cluster boundaries as provisional.
