EXECUTIVE SUMMARY
A China-aligned threat group is exploiting unpatched Microsoft Exchange vulnerabilities to conduct cyberespionage against government and critical infrastructure targets across Asia and beyond. The group's goal is likely data theft and intellectual property theft, targeting government entities and critical infrastructure sectors in South, East, and Southeast Asia, as well as one NATO member state. The attackers are using a combination of web shells and ShadowPad implants to maintain access and execute commands on compromised systems. This campaign represents a persistent and methodical China-aligned threat actor operating across Asia and beyond.
Initial access comes from exploiting external services: the group targets server-side N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers. After compromising the server, the group deploys web shells and stages ShadowPad implants via DLL sideloading of legitimate signed executables. Abusing legitimate executables that are vulnerable to DLL sideloading is a common tactic the group uses to maintain persistence and evade detection, because the signed host process looks benign to most controls. The attackers also leverage the IOX proxy to enable lateral movement via Pass-the-Hash and deploy multiple tunneling tools to establish covert communication channels.
This threat is significant for organisations, particularly those operating internet-facing Microsoft Exchange or IIS infrastructure, because the group continues to exploit long-known but still-unpatched vulnerabilities in these systems. Organisations should treat this campaign as a strong signal to audit patch levels, review web shell detection capabilities, and scrutinise outbound traffic from web servers. Implementing strict File Integrity Monitoring (FIM) on critical web directories, restricting write permissions on those directories, disabling unused features, and enforcing application whitelisting can help reduce the attack surface. Monitoring endpoint detection and response (EDR) telemetry for suspicious child processes of the IIS worker process and for anomalous network traffic from web servers can also help detect web shell deployments.
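The two detection ideas above (FIM on web directories and child-process monitoring on the IIS worker) as a small, added example that is not part of the original report. It runs over constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events; the watched directories, process names and sample events are assumptions chosen to illustrate the pattern, not indicators from the report.

```python
"""Flag the web shell pattern described in the summary: an IIS worker
spawning a command interpreter, or a server-side script landing in a web
root. Sysmon-style dicts are used as input; all sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: typical IIS and Exchange web roots; tune for your deployment.
WATCHED_DIRS = (
    r"c:\inetpub\wwwroot",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
    r"c:\program files\microsoft\exchange server\v15\clientaccess",
)
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".php")
WEB_WORKERS = ("w3wp.exe", "umworkerprocess.exe")
SHELL_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                  "rundll32.exe", "net.exe", "whoami.exe")

@dataclass
class Alert:
    rule: str
    detail: str

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def check_process(ev: dict) -> Optional[Alert]:
    """EventID 1: the IIS worker should never launch a shell or LOLBin."""
    parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    if parent in WEB_WORKERS and child in SHELL_CHILDREN:
        return Alert("iis_worker_spawns_shell", f"{parent} -> {child}: {ev.get('CommandLine', '')}")
    return None

def check_file(ev: dict) -> Optional[Alert]:
    """EventID 11: a new server-side script in a web root is a FIM hit."""
    path = ev.get("TargetFilename", "").lower()
    if path.startswith(WATCHED_DIRS) and path.endswith(SCRIPT_EXTS):
        return Alert("new_script_in_webroot", f"{path} written by {_basename(ev.get('Image', ''))}")
    return None

def scan(events: List[dict]) -> List[Alert]:
    checks = {1: check_process, 11: check_file}
    hits = (checks.get(ev.get("EventID"), lambda _: None)(ev) for ev in events)
    return [a for a in hits if a is not None]

# Constructed sample telemetry: one true positive of each kind, two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\supp0rt.aspx"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex260401.log"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, "|", alert.detail)
```

The same two rules map directly onto a SIEM query or an EDR custom detection; the point is to alert on the parent/child relationship and the write location rather than on any specific file name.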
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204 | User Execution | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1070 | Indicator Removal | — |
| Privilege Escalation | T1134 | Access Token Manipulation | — |
| Defense Evasion | T1136 | Create Account | — |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1218 | System Binary Proxy Execution | — |
| Defense Evasion | T1553 | Subvert Trust Controls | — |
| Defense Evasion | T1564 | Hide Artifacts | — |
| Credential Access | T1003 | OS Credential Dumping | — |
| Credential Access | T1056 | Input Capture | — |
| Lateral Movement | T1021 | Remote Services | — |
| Command and Control | T1071 | Application Layer Protocol | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1102 | Web Service | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html