Cyber Espionage Campaign Targeting Asia and Europe
TL;DR
Recent activity linked to the SHADOW-EARTH-053 group has revealed a cyber espionage campaign targeting government and defense organizations across Asia and Europe. By exploiting vulnerabilities in Microsoft Exchange servers, the campaign gains persistent access and extensive post-exploitation capabilities.
Main Analysis
Trend Micro has identified the threat cluster SHADOW-EARTH-053 as being associated with cyber espionage directed at multiple sectors, including government, defense, telecommunications, and transportation. The group has been active since late 2024 and has relied heavily on known vulnerabilities, particularly CVE-2021-26855, to gain initial access to targeted systems. It then deploys the GODZILLA web shell for persistence and follows up with credential dumping and lateral movement using tools such as Mimikatz and custom tunneling utilities.
SHADOW-EARTH-053 establishes initial access through known vulnerabilities, specifically in Microsoft Exchange servers. Exploitation results in the deployment of web shells that let the attackers keep control over compromised systems. The web shells are dropped under filenames such as "error.aspx" and "signout.aspx", indicating deliberate placement within critical directories. The attackers then harvest credentials and use tunneling tools such as IOX and Wstunnel for covert communications, which enables lateral movement within the network.
ShadowPad is a core component of the attacker's toolkit, loaded through techniques such as DLL side-loading to remain stealthy and maintain continuity of operations. In limited cases, the presence of Noodle RAT, associated with a different vulnerability (CVE-2025-55182), was noted, although its role remains uncertain. The group's detailed operational methods illustrate a sustained capability to compromise enterprise infrastructure, reminiscent of established cyber espionage frameworks.
Defensive Context
Organizations in the targeted sectors, especially government and defense, should be particularly vigilant against this threat. Because the campaign exploits Microsoft Exchange vulnerabilities, entities running unsupported or outdated versions are especially at risk. The techniques employed call for a forensic approach to incident response: examining web server directories for unauthorized files and monitoring for unusual patterns of credential access and tunneling activity.
Why This Matters
The implications of this campaign are significant. Organizations exposed to these vulnerabilities may face severe breaches, resulting in data loss or unauthorized access to sensitive information. The ongoing nature of these attacks underlines a persistent threat, emphasizing the need for appropriate defenses tailored to current attacker methodologies.
Defender Considerations
Monitoring for unauthorized web shells and credential dumping activities is crucial in mitigating the risk of compromise. Continued vigilance against tunneling activity, especially involving tools like IOX, GOST, and Wstunnel, may provide early detection opportunities. Identifying and blocking known malicious IP addresses and domains associated with SHADOW-EARTH-053 will be essential for organizational defense.
Indicators of Compromise (IOCs)
- IP Addresses:
  - 141.164.46.77
  - 96.9.125.227
  - 194.38.11.3
- Domains:
  - time.microsofttrends.com
  - erp.kaspersky.icu
  - check.office365-update.com
- File Hashes:
  - TosBtKbd.dll: SHA-256: e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020
  - mdync.exe: SHA-256: 3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97
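The following is an added example (not part of the original report or any Trend Micro tooling) showing how a defender might sweep an Exchange web root and its logs for the indicators and web shell names listed above. The hashes, IPs and domains are the IOCs from this page; the directory paths and log lines are constructed placeholders, and a name or hash hit is a triage lead, not proof of compromise.

```python
import hashlib
import re
from pathlib import Path

# IOCs taken from this report (SHADOW-EARTH-053); a hit is a triage lead.
IOC_SHA256 = {
    "e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020": "TosBtKbd.dll",
    "3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97": "mdync.exe",
}
IOC_IPS = {"141.164.46.77", "96.9.125.227", "194.38.11.3"}
IOC_DOMAINS = {"time.microsofttrends.com", "erp.kaspersky.icu",
               "check.office365-update.com"}
# Web shell file names observed in the campaign, as reported on this page.
WEBSHELL_NAMES = {"error.aspx", "signout.aspx"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

def sha256_of(path):
    """Stream a file through SHA-256 so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def classify_file(name, digest, hashes=IOC_SHA256):
    """Reasons a file is suspicious: IOC hash match and/or reported web shell name."""
    reasons = []
    if digest.lower() in hashes:
        reasons.append("hash:" + hashes[digest.lower()])
    if name.lower() in WEBSHELL_NAMES:
        reasons.append("webshell-name")
    return reasons

def sweep_directory(root):
    """Walk a web root (e.g. Exchange's OWA/ECP virtual directories) for hits."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            reasons = classify_file(p.name, sha256_of(p))
            if reasons:
                hits.append((str(p), reasons))
    return hits

def scan_log_line(line):
    """IOC IPs and domains (C2 or tunnel endpoints) found in one log line."""
    found = {ip for ip in IP_RE.findall(line) if ip in IOC_IPS}
    found |= {h.lower() for h in HOST_RE.findall(line) if h.lower() in IOC_DOMAINS}
    return found
```

Run `sweep_directory` against the Exchange web root and `scan_log_line` over proxy, DNS or IIS logs; any hit should be followed by a manual look at the file's contents and creation time.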