SOC Prime Bias: Critical

05 May 2026 17:12

APT & Targeted Attacks

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

SOC Prime Team

Summary

A China-aligned threat cluster tracked as SHADOW-EARTH-053 has been exploiting unpatched Microsoft Exchange and IIS servers through the ProxyLogon vulnerability chain to deploy web shells and install the ShadowPad malware family. The group relies on DLL sideloading through legitimate signed binaries, registry-based payload execution, and multiple tunneling tools to preserve covert command-and-control access. Observed victims include government ministries, defense-linked contractors, and transportation entities across several Asian countries as well as one NATO member state. The activity highlights the ongoing danger posed by older Exchange flaws when paired with mature post-compromise tradecraft.

Investigation

Researchers documented web shell deployment using filenames such as error.aspx and tunnel.ashx in common IIS directories, followed by ShadowPad delivery through DLL sideloading with trusted executables such as runtimebroker.exe. They also identified additional backdoors, including mdync.exe, communicating with external infrastructure, while tunneling tools such as GOST, Wstunnel, and code.exe were staged in C:\Users\Public. Credential theft activity involved Mimikatz and custom utilities like Evil-CreateDump and newdcsync, executed via the IIS worker process. Persistence was supported through registry changes such as LocalAccountTokenFilterPolicy and scheduled tasks including M1onltor.

Mitigation

Organizations should apply all available security updates for Microsoft Exchange Server and IIS, with priority given to the ProxyLogon-related CVEs. Web application firewalls or intrusion prevention controls should be configured to block exploit attempts before execution. Defenders should also enforce file integrity monitoring on web-facing directories and prevent unauthorized creation of .aspx, .ashx, or .jsp files. Additional hardening steps include restricting IIS process permissions, reducing write access, monitoring child processes launched by w3wp.exe, disabling unused services, and applying application allow-listing on critical servers.

Response

Security teams should alert on the appearance of unknown .aspx or .ashx files within IIS paths and on scheduled tasks named M1onltor. Detection coverage should also include execution of tools such as Mimikatz and PowerView, as well as DLL sideloading activity involving signed binaries. Outbound communication to the identified malicious IP addresses and the domain check[.]office365-update[.]com should be blocked immediately. Incident responders should then perform forensic review of suspicious values under HKEY_CURRENT_USER\Software and remove any unauthorized scheduled tasks or persistence artifacts.
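The Mitigation and Response sections above name four concrete signals: new script files in IIS web roots, processes launched by the IIS worker w3wp.exe, the M1onltor scheduled task, and traffic to the check[.]office365-update[.]com domain. The following added example (written for this page, not SOC Prime's or the original researchers' rule code) runs those four checks over constructed sample telemetry so the logic can be read side by side; the IIS root paths, the list of "shell-like" child processes, and the event field names are assumptions of this example, and the defanged domain is refanged before comparison so an indicator pasted straight from a report still matches.

```python
"""
Added example, not SOC Prime's rule code: a small detector over constructed
Windows telemetry mirroring the indicators this report names.
  - new .aspx/.ashx/.jsp files under IIS web roots (web shell staging)
  - child processes spawned by the IIS worker process w3wp.exe
  - scheduled tasks named M1onltor
  - outbound connections to check[.]office365-update[.]com
Every record in SAMPLE_EVENTS is constructed sample data, not a real log.
"""
from dataclasses import dataclass
from typing import List, Optional

WEBSHELL_EXT = (".aspx", ".ashx", ".jsp")
# IIS/Exchange web roots watched for new script files (assumed paths for this example)
IIS_ROOTS = (
    r"c:\inetpub\wwwroot",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
)
SUSPICIOUS_TASK = "m1onltor"               # scheduled task name from the report
C2_DOMAIN = "check.office365-update.com"   # report IOC, defanged there as check[.]office365-update[.]com
# Binaries a healthy IIS worker has no reason to launch (assumption for this example)
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wmic.exe", "rundll32.exe", "net.exe", "whoami.exe"}


@dataclass
class Alert:
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so case/slash variants cannot evade prefix checks."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as a[.]b[.]c back into a comparable hostname."""
    return domain.replace("[.]", ".").strip().lower()


def check_file(ev: dict) -> Optional[Alert]:
    p = _norm(ev["target"])
    roots = tuple(r + "\\" for r in IIS_ROOTS)        # trailing separator: wwwroot, not wwwroot2
    if p.endswith(WEBSHELL_EXT) and p.startswith(roots):
        return Alert("webshell_file_create", ev["target"])
    return None


def check_process(ev: dict) -> Optional[Alert]:
    if _basename(ev["parent"]) == "w3wp.exe" and _basename(ev["image"]) in SHELL_CHILDREN:
        return Alert("w3wp_child_process", f"{ev['image']} <- {ev['parent']}")
    return None


def check_task(ev: dict) -> Optional[Alert]:
    if ev["name"].strip().lower() == SUSPICIOUS_TASK:
        return Alert("suspicious_task_name", ev["name"])
    return None


def check_network(ev: dict) -> Optional[Alert]:
    host = refang(ev["dest"])
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        return Alert("c2_domain", ev["dest"])
    return None


CHECKS = {"file": check_file, "process": check_process, "task": check_task, "network": check_network}


def analyze(events: List[dict]) -> List[Alert]:
    """Run the check matching each event's type; unknown event types are ignored."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: one positive and one benign event per check.
SAMPLE_EVENTS = [
    {"type": "file", "target": r"C:\inetpub\wwwroot\aspnet_client\error.aspx"},
    {"type": "file", "target": r"C:\inetpub\wwwroot\images\logo.png"},
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "task", "name": "M1onltor"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"type": "network", "dest": "check[.]office365-update[.]com"},
    {"type": "network", "dest": "outlook.office365.com"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Running the block prints the four expected hits and nothing for the benign records. The w3wp.exe check is the one with the broadest reach in practice: a web shell has to spawn something to be useful, so parent/child process telemetry catches shells regardless of the file name they were dropped under.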

Attack Flow

```mermaid
graph TB
  %% Class definitions section
  classDef technique fill:#99ccff
  classDef operator fill:#ff9900

  %% Node definitions
  tech_exploit_pf["<b>Technique</b> – <b>T1190 Exploit Public-Facing Application</b><br/>Adversaries exploit vulnerabilities in Internet facing applications to gain initial access."]
  class tech_exploit_pf technique
  tech_webshell["<b>Technique</b> – <b>T1505.003 Server Software Component Web Shell</b><br/>Adversaries install a web shell on a compromised server to maintain persistent access."]
  class tech_webshell technique
  tech_code_sign["<b>Technique</b> – <b>T1553.002 Subvert Trust Controls Code Signing</b><br/>Adversaries sideload signed DLLs to execute malicious code while appearing trusted."]
  class tech_code_sign technique
  tech_masquerade["<b>Technique</b> – <b>T1036 Masquerading</b><br/>Adversaries rename utilities and pack them with tools such as RingQ to look legitimate."]
  class tech_masquerade technique
  tech_cred_dump["<b>Technique</b> – <b>T1003 OS Credential Dumping</b><br/>Adversaries obtain credentials from the operating system using tools like Mimikatz, Evil CreateDump or DCSync."]
  class tech_cred_dump technique
  tech_account_manip["<b>Technique</b> – <b>T1098.002 Account Manipulation Email Delegate Permissions</b><br/>Adversaries add themselves as delegates to victim mailboxes to read and send email."]
  class tech_account_manip technique
  tech_exploit_remote["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b><br/>Adversaries use WMIC or SMBExec to run commands on remote hosts for lateral movement."]
  class tech_exploit_remote technique
  tech_proxy["<b>Technique</b> – <b>T1090 Proxy</b><br/>Adversaries employ proxy tools such as GOST, Wstunnel or tunnel core to relay traffic through multiple hops."]
  class tech_proxy technique
  tech_tunnel["<b>Technique</b> – <b>T1572 Protocol Tunneling</b><br/>Adversaries tunnel traffic over SOCKS5 or HTTPS protocols to communicate with command and control."]
  class tech_tunnel technique
  tech_email_collect["<b>Technique</b> – <b>T1114 Email Collection</b><br/>Adversaries harvest email data from Exchange servers using Exchange Web Services APIs."]
  class tech_email_collect technique
  tech_archive["<b>Technique</b> – <b>T1567.001 Archive Collected Data</b><br/>Adversaries compress stolen data into a password protected RAR archive for exfiltration."]
  class tech_archive technique

  %% Connections showing flow
  tech_exploit_pf -->|leads to| tech_webshell
  tech_webshell -->|uses| tech_code_sign
  tech_webshell -->|uses| tech_masquerade
  tech_webshell -->|enables| tech_cred_dump
  tech_cred_dump -->|enables| tech_account_manip
  tech_webshell -->|enables| tech_exploit_remote
  tech_exploit_remote -->|facilitates| tech_proxy
  tech_proxy -->|enables| tech_tunnel
  tech_webshell -->|enables| tech_email_collect
  tech_email_collect -->|leads to| tech_archive
```

Detections

Possible Web Server or WebApp Exploitation [Windows] (via cmdline)

SOC Prime Team
04 May 2026

Possible Account or Group Enumeration / Manipulation (via cmdline)

SOC Prime Team
04 May 2026

Suspicious Execution from Public User Profile (via process_creation)

SOC Prime Team
04 May 2026

Possible Mimikatz Arguments Detected (via cmdline)

SOC Prime Team
04 May 2026

Possible ShadowPad Malware Dll Load Patterns (via image_load)

SOC Prime Team
04 May 2026

Possible Webshell Creation In Microsoft Exchange / Sharepoint Directories (via file_event)

SOC Prime Team
04 May 2026

IOCs (HashSha256) to detect: Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

SOC Prime AI Rules
04 May 2026

IOCs (SourceIP) to detect: Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

SOC Prime AI Rules
04 May 2026

IOCs (DestinationIP) to detect: Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

SOC Prime AI Rules
04 May 2026

Detection of Potential Tunneling Tools Staging in Common Directories [Windows File Event]

SOC Prime AI Rules
04 May 2026

Detection of Beaconing and C&C Connections in SHADOW-EARTH-053 Campaign [Windows Network Connection]

SOC Prime AI Rules
04 May 2026

Detection of Shadow-Earth-053 Exploiting Microsoft Exchange Vulnerabilities [Webserver]

SOC Prime AI Rules
04 May 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary has obtained a custom tunneling binary (e.g., tunnel.exe) on the compromised host. To avoid detection during initial download, the binary is staged in C:\ProgramData, a directory commonly writable by standard users and frequently used for legitimate installations. After staging, the attacker will later execute the tool to establish a covert channel. The staging step is performed with PowerShell’s Copy-Item, producing a file‑creation event that matches the detection rule’s path criteria.

  • Regression Test Script:

    # Simulation of tool staging in a monitored directory
    $stagingPath = "C:\ProgramData\tunnel.exe"
    $payload = [IO.Path]::GetTempFileName()
    # Create a dummy binary (random bytes) to mimic a real tool
    $rand = New-Object byte[] 1024
    (New-Object System.Random).NextBytes($rand)
    # WriteAllBytes works in both Windows PowerShell 5.1 and PowerShell 7;
    # Set-Content -Encoding Byte was removed in PowerShell 6 and later
    [IO.File]::WriteAllBytes($payload, $rand)

    # Copy the dummy binary to the staging location
    Copy-Item -Path $payload -Destination $stagingPath -Force

    # Output for manual verification
    Write-Host "Staged dummy tunneling tool at $stagingPath"
  • Cleanup Commands:

    # Remove the staged file and temporary payload
    Remove-Item -Path "C:\ProgramData\tunnel.exe" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $payload -Force -ErrorAction SilentlyContinue
    Write-Host "Cleanup completed."
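The regression test above produces a Sysmon FileCreate event (Event ID 11) for C:\ProgramData\tunnel.exe; whether the detection rule fires depends on how that event is parsed and matched. The following added example (written for this page, not SOC Prime's rule logic) parses Sysmon-shaped XML records and applies a staging-directory rule of the kind the simulation is meant to exercise, so the expected telemetry can be checked offline before running the simulation on a host. The XML records are constructed to follow Sysmon's event schema and are not captured logs; the list of watched directories, tool extensions and "script host" writers are assumptions of this example.

```python
"""
Added example, not SOC Prime's rule logic: parses Sysmon Event ID 11
(FileCreate) records and applies a staging-directory rule of the kind the
simulation above is designed to trigger. The records in SAMPLE_RECORDS are
constructed samples shaped like Sysmon events, not captured telemetry.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Directories the report names as a staging location (C:\Users\Public) plus the
# one the simulation uses (C:\ProgramData); both are writable by standard users.
STAGING_DIRS = (r"c:\programdata", r"c:\users\public")
TOOL_EXTS = (".exe", ".dll", ".ps1", ".bat", ".vbs")
# Writers that should rarely drop executables into these directories (assumption)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "w3wp.exe", "wscript.exe"}


def parse_sysmon_event(xml_text: str) -> Dict[str, str]:
    """Flatten a Sysmon event into {"EventID": ..., <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS) or ""}
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name", "")] = d.text or ""
    return fields


def _norm(path: str) -> str:
    """Lower-case and use backslashes so case/slash variants cannot evade prefix checks."""
    return path.replace("/", "\\").lower()


def staged_tool_in_common_dir(ev: Dict[str, str]) -> Optional[str]:
    """Return a severity label when a FileCreate event looks like tool staging, else None."""
    if ev.get("EventID") != "11":
        return None                                   # only FileCreate events are in scope
    target = _norm(ev.get("TargetFilename", ""))
    if not target.endswith(TOOL_EXTS):
        return None                                   # logs, configs and data files are ignored
    if not any(target.startswith(d + "\\") for d in STAGING_DIRS):
        return None
    writer = _norm(ev.get("Image", "")).rsplit("\\", 1)[-1]
    return "high" if writer in SCRIPT_HOSTS else "medium"


def run_rule(records: List[str]) -> List[Dict[str, str]]:
    """Parse each record and collect the ones the rule matches."""
    hits = []
    for xml_text in records:
        ev = parse_sysmon_event(xml_text)
        sev = staged_tool_in_common_dir(ev)
        if sev:
            hits.append({"severity": sev, "file": ev["TargetFilename"], "writer": ev.get("Image", "")})
    return hits


def _event(event_id: str, **data: str) -> str:
    """Build a constructed Sysmon-shaped event record (sample data, not a real log)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>")


SAMPLE_RECORDS = [
    # the simulation's staging step: PowerShell writes tunnel.exe into C:\ProgramData
    _event("11", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           TargetFilename=r"C:\ProgramData\tunnel.exe", User=r"CORP\jdoe"),
    # a vendor updater writing a log file: right directory, wrong extension
    _event("11", Image=r"C:\Program Files\Vendor\updater.exe",
           TargetFilename=r"C:\ProgramData\Vendor\update.log", User=r"NT AUTHORITY\SYSTEM"),
    # an installer dropping a DLL under ProgramData: matches, but at medium severity
    _event("11", Image=r"C:\Windows\System32\msiexec.exe",
           TargetFilename=r"C:\ProgramData\Vendor\helper.dll", User=r"NT AUTHORITY\SYSTEM"),
    # a process-creation record (Event ID 1) is out of scope even though it names the tool
    _event("1", Image=r"C:\ProgramData\tunnel.exe", User=r"CORP\jdoe"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(f"[{hit['severity']}] {hit['file']} written by {hit['writer']}")
```

The severity split is the design point worth keeping: executables do land under C:\ProgramData during legitimate installs, so a rule that fires on the directory and extension alone will be noisy, while the combination with a scripting-host writer (the simulation's PowerShell Copy-Item, or w3wp.exe in the campaign) is what separates the staging activity from routine software deployment.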