09 May
Trend Micro has disclosed an espionage campaign tracked as SHADOW-EARTH-053 — a China-aligned APT cluster active since at least December 2024 — targeting government and defense organizations across seven Asian countries: Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, plus Poland in Europe (the only NATO member touched). The unsettling part — the group leans heavily on "Living-off-the-Land" tactics, abusing AnyDesk (a legitimate, signed remote-desktop product) alongside ShadowPad backdoor and Godzilla web shells to slip past enterprise EDR. To most security tools, the activity simply looks like normal IT work — even though a backdoor is sitting underneath.
Quick summary: what is SHADOW-EARTH-053 and why does it matter?
- Threat actor: China-aligned APT — Trend Micro tracks it as SHADOW-EARTH-053 since Dec 2024 — overlaps with CL-STA-0049, Earth Alux, REF7707 (Google links to UNC6595)
- Targets: Government + defense across 7 Asian countries — including Thailand, plus Pakistan, Malaysia, India, Myanmar, Sri Lanka, Taiwan
- Initial access: Exploits N-day CVEs (a fix exists, but many internet-facing servers never applied it) on Microsoft Exchange + IIS — especially the ProxyLogon chain
- Primary tooling: Godzilla web shell → ShadowPad backdoor (DLL sideloading) → AnyDesk (legitimate-tool abuse) + Noodle RAT (Linux variant via CVE-2025-55182)
- Supporting tools: Mimikatz (privilege escalation), IOX, GOST, Wstunnel (tunneling), Sharp-SMBExec, custom RDP launcher
- Thai impact: Government sector must urgently audit Exchange/IIS/AnyDesk usage — compounded by the new PDPA Emergency Decree
1. Who Is SHADOW-EARTH-053 and Who Are They Hitting?
SHADOW-EARTH-053 is the cluster name Trend Micro Research uses to track a body of activity (not necessarily a single, named group) whose network indicators and TTPs (Tactics, Techniques, and Procedures) overlap with several well-known China-nexus actors:
| Topic | Detail |
|---|---|
| Origin | China-aligned APT (operating in line with Chinese state interests) |
| First observed | At least December 2024 |
| Cluster overlaps | CL-STA-0049 (Palo Alto), Earth Alux, REF7707 (Elastic), UNC6595 (Google Threat Intelligence Group) |
| Sectors hit | Government + defense |
| Regions | South, East, and Southeast Asia + Europe (Poland) |
| Confirmed countries | Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, Poland |
| Parallel cluster | SHADOW-EARTH-054 — nearly half of victims in Malaysia/Sri Lanka/Myanmar were also hit by this group |
The crucial point — Thailand is among the first seven countries explicitly named in Trend Micro's report, meaning Thai targets were genuinely compromised and used as telemetry sources. In the broader context of cyber attacks against Thailand, this is a clear signal that nation-state threat actors view Thailand as a strategic target — not just collateral damage.
2. The 5-Stage Attack Chain — Understanding How They Get In
SHADOW-EARTH-053's intrusion is multi-stage, with each step relying on something that "looks normal" so the chain can survive detection:
| Stage | Technique | Tool | Purpose |
|---|---|---|---|
| 1. Initial Access | N-day CVE exploitation | Microsoft Exchange + IIS server (ProxyLogon chain) | Unpatched, internet-facing servers |
| 2. Foothold | Drop web shell | Godzilla (Chinese-language web shell, popular among Chinese APTs) | Remote command execution over HTTP |
| 3. Backdoor | DLL sideloading | ShadowPad (modular backdoor widely shared by Chinese APTs) + Noodle RAT (Linux) | Persistent access even after web shell is removed |
| 4. Persistence | Living-off-the-Land | AnyDesk (legitimate remote-access app installed from vendor) | Bypasses EDR — AnyDesk is a signed binary |
| 5. Lateral Movement | Privilege escalation + network expansion | Mimikatz, Sharp-SMBExec, IOX, GOST, Wstunnel, custom RDP launcher | Move to other hosts + exfiltrate via tunnel |
The chain reflects the modern APT principle — less custom malware, more legitimate-tool abuse — because most AV/EDR products don't block AnyDesk by default (it's a real productivity tool many organizations use). Signature-based detection simply doesn't catch it.
3. Why ShadowPad + AnyDesk Are So Hard to Detect
The short answer is — "Living-off-the-Land Binaries" (LOLBins) and legitimate-tool abuse have become one of the most dangerous APT trends of this era:
| Factor | Why It's Hard to Detect | What EDR Misses |
|---|---|---|
| AnyDesk is a signed binary | Vendor digital signature passes trust checks | EDR doesn't alert on signed remote-access tools |
| Network traffic looks normal | AnyDesk uses HTTPS/443 + its own relay servers | Firewalls/proxies don't block outbound HTTPS |
| ShadowPad uses DLL sideloading | A signed app loads a swapped malicious DLL | EDR sees a normal process tree, missing the swapped DLL |
| Godzilla encrypts payloads | Commands inside HTTP body are AES + Base64 encoded | Generic WAFs can't pattern-match the traffic |
| Multi-layer tunnels | IOX/GOST/Wstunnel rotate ports + protocols | Network monitors can't pin down the C2 channel |
Practically — relying on AV/EDR alone is not enough. You need behavioral monitoring + audit logs that flag "weird patterns" — for example, an admin starting an AnyDesk session with a foreign IP outside business hours. For deeper defense-in-depth context, see SSL Security Check.
4. Why Thai ERP/IT Teams Should Care
It's tempting to assume "this is a nation-state attack on government — private sector isn't the target." That's wrong, for four reasons:
1. Supply chain risk — private vendors and contractors serving government bodies are routinely used as "stepping stones" — similar to the Node.js supply-chain attack pattern
2. Same stack — many Thai ERP deployments run on ASP.NET/IIS or Java/Tomcat on Windows Server — the same stack that was breached
3. Web shells are stack-agnostic — Godzilla supports JSP, ASP.NET, and PHP — covering most ERP products on the market
4. PDPA Emergency Decree — if personal data leaks during such an incident and isn't reported within 72 hours, you risk criminal liability under the Apr 2025 Decree (up to 5 years' imprisonment) — see Thailand PDPA Crackdown 2026
That's why patching public-facing systems is the "first line of defense" every IT team must own — not just government.
5. 7-Point Hardening Checklist — What to Audit Today
Use this checklist as the starting point for an urgent risk assessment:
SHADOW-EARTH-053 hardening checklist for IT/ERP teams:
- Patch every Microsoft Exchange + IIS server — especially the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) and CVE-2025-55182 if you run a Linux web app
- Enable 2FA + disable NTLM — see 2FA Guide — reduces risk from Mimikatz credential dumps
- Inventory remote access tools — find every install of AnyDesk, TeamViewer, ScreenConnect — uninstall what you don't use
- Block AnyDesk relay servers at the firewall if your org doesn't permit AnyDesk — or allowlist only approved instances
- Audit web shell signatures — scan ERP/web app webroots for unexpected files (.aspx, .jsp, .php) that are not part of the deployment
- Monitor outbound SMB + RDP traffic — IOX/GOST/Wstunnel typically create unusual tunnels
- Set "after-hours AnyDesk session" alerts — flag any session starting after 18:00 or before 08:00 to your security team immediately
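One way to carry out the web shell audit from the checklist (the "unexpected files not part of the deployment" item) is to hash the webroot at deploy time and diff the live tree against that manifest later. The script below is an added example, not code from Trend Micro or any ERP vendor; the webroot layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXT = {".aspx", ".jsp", ".php"}   # server-side script types the checklist names

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(webroot):
    """Record relative path -> sha256 for every file of a known-good deployment."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def audit_webroot(webroot, manifest):
    """Return (unexpected, modified): script files missing from, or changed since, the manifest."""
    root = Path(webroot)
    unexpected, modified = [], []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXT:
            continue
        rel = p.relative_to(root).as_posix()
        if rel not in manifest:
            unexpected.append(rel)            # dropped after deployment: prime web shell candidate
        elif manifest[rel] != sha256_of(p):
            modified.append(rel)              # shipped file altered in place
    return sorted(unexpected), sorted(modified)

def demo():
    """Constructed scenario (hypothetical ERP webroot): clean deploy, then two post-deploy changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "erp").mkdir()
        (root / "erp" / "login.aspx").write_text("<%@ Page Language='C#' %> login form")
        (root / "erp" / "report.php").write_text("<?php echo 'report'; ?>")
        (root / "erp" / "style.css").write_text("body { margin: 0 }")
        manifest = build_manifest(root)       # take this at deploy time; store it off-host
        # Later: an unknown .aspx appears under uploads/ and a shipped .php is altered
        (root / "erp" / "uploads").mkdir()
        (root / "erp" / "uploads" / "help.aspx").write_text("<%@ Page %> placeholder, not a shell")
        (root / "erp" / "report.php").write_text("<?php echo 'report'; /* extra */ ?>")
        return audit_webroot(root, manifest)

if __name__ == "__main__":
    unexpected, modified = demo()
    print("unexpected script files:", unexpected)
    print("modified script files:", modified)
```

Keep the manifest outside the web server (an attacker with a web shell can rewrite anything under the webroot), and re-run the audit after every legitimate deployment so the baseline stays current.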
6. Indicators of Compromise (IOCs) to Hunt in Logs
If you have a SIEM or centralized logging, use the patterns below to start retroactive hunts:
| Type | What to Look For | Log Source |
|---|---|---|
| Web shell — Godzilla | POST requests with large Base64 in body, unusual headers like Cookie: key=... | IIS log, Apache/Nginx access log |
| ProxyLogon exploit | /owa/auth/Current/themes/resources/ + autodiscover.json | Exchange IIS log |
| AnyDesk session | Process AnyDesk.exe + outbound to *.relay.net.anydesk.com | Sysmon, Windows Event Log, firewall log |
| ShadowPad DLL sideload | Signed app loading an unsigned DLL from %APPDATA% or %TEMP% | EDR/Sysmon Event ID 7 |
| Mimikatz | Process access to lsass.exe from a non-system process | Sysmon Event ID 10 |
| Tunneling tools | Outbound TCP to ports 443/8443 from non-browser processes | Firewall log, NetFlow |
Note — SHADOW-EARTH-053 IOCs (hashes, IPs, domains) rotate quickly. What stays consistent is behavior (TTPs), as listed above. Prioritize behavior-based detection over signature-based.
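To show how the behavioural patterns in the IOC table turn into hunt logic, here is an added example (not from the report or any vendor) that runs a few of those rules over constructed, simplified log records: the web-log and Sysmon-style layouts, the 4096-byte "large body" threshold and the file paths are all assumptions made for the demonstration, not real IIS or Sysmon formats.

```python
from datetime import datetime

# Constructed, simplified web-server records (NOT a real IIS W3C layout):
# date time method uri client_ip status request_bytes
WEB_LOG = """\
2025-05-09 02:14:03 POST /owa/auth/Current/themes/resources/logon.css 203.0.113.7 200 812
2025-05-09 02:15:10 POST /erp/uploads/help.aspx 203.0.113.7 200 48231
2025-05-09 09:30:00 GET /erp/login.aspx 192.0.2.10 200 512
2025-05-09 09:31:00 POST /erp/login.aspx 192.0.2.10 302 640
"""
# Constructed, simplified Sysmon-style records (paths kept free of spaces):
# event_id timestamp source_image target_image_or_dll signature_status
SYSMON_LOG = """\
7 2025-05-09T02:20:01 C:\\Vendor\\updater.exe C:\\Users\\svc\\AppData\\Roaming\\log.dll unsigned
1 2025-05-09T02:22:40 C:\\Tools\\AnyDesk.exe - -
1 2025-05-09T10:05:12 C:\\Tools\\AnyDesk.exe - -
10 2025-05-09T02:25:00 C:\\Users\\svc\\AppData\\Local\\Temp\\x.exe C:\\Windows\\System32\\lsass.exe -
"""

PROXYLOGON_PATHS = ("/owa/auth/current/themes/resources/", "autodiscover.json")
SCRIPT_EXT = (".aspx", ".jsp", ".php")
WEBSHELL_MIN_BYTES = 4096            # assumed threshold for a "large" encoded POST body
USER_WRITABLE = ("\\appdata\\", "\\temp\\")
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59, matching the checklist's alert window

def hunt_web(log):
    """Flag ProxyLogon-style paths and large POSTs to script files (web shell traffic)."""
    hits = []
    for line in log.splitlines():
        _date, _time, method, uri, ip, _status, nbytes = line.split()
        u = uri.lower()
        if any(p in u for p in PROXYLOGON_PATHS):
            hits.append(("proxylogon_path", ip, uri))
        elif method == "POST" and u.endswith(SCRIPT_EXT) and int(nbytes) >= WEBSHELL_MIN_BYTES:
            hits.append(("webshell_post", ip, uri))
    return hits

def hunt_sysmon(log):
    """Flag unsigned DLLs loaded from user-writable dirs, after-hours AnyDesk starts, lsass access."""
    hits = []
    for line in log.splitlines():
        eid, ts, source, target, signed = line.split()
        src, tgt = source.lower(), target.lower()
        hour = datetime.fromisoformat(ts).hour
        if eid == "7" and signed == "unsigned" and any(d in tgt for d in USER_WRITABLE):
            hits.append(("dll_sideload", source, target))
        elif eid == "1" and src.endswith("\\anydesk.exe") and hour not in BUSINESS_HOURS:
            hits.append(("anydesk_after_hours", ts, source))
        elif eid == "10" and tgt.endswith("\\lsass.exe") and not src.startswith("c:\\windows\\"):
            hits.append(("lsass_access", source, target))
    return hits
```

In a real SIEM the same rules map onto the table's log sources (IIS logs for the first function, Sysmon Event IDs 1, 7 and 10 for the second); the point is that none of them depend on a hash, IP or domain that the actor can rotate.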
7. PDPA + Criminal Liability — Why This Breach Won't End at Damages
Since the Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes (No. 2) B.E. 2568 took effect on April 13, 2025, if a Thai entity is breached by SHADOW-EARTH-053 and personal data leaks, executives and staff may face two parallel legal paths:
- PDPC administrative fines — up to THB 5M per violation + repeatable — see PDPC's 8 fines
- Criminal penalties — up to 5 years' imprisonment + THB 500,000 fine if the data was used "commercially" or disclosed intentionally
Translation — failing to patch a CVE or to monitor a suspicious AnyDesk session is no longer just "exposure to a breach." Under current Thai law, it can rise to the level of negligence with potential criminal liability.
Summary
| Area | What to Do |
|---|---|
| Threat actor | SHADOW-EARTH-053 (China-aligned) — active since Dec 2024 — overlaps CL-STA-0049, Earth Alux, UNC6595 |
| Thai targets | Government + defense — private sector exposed via supply chain |
| Tooling | Godzilla web shell, ShadowPad, AnyDesk, Mimikatz, Noodle RAT, IOX/GOST/Wstunnel |
| Initial vector | Unpatched Exchange + IIS (ProxyLogon) — patching is the first line |
| Detection challenge | AnyDesk is a signed binary — needs behavioral monitoring + SIEM, not AV alone |
| Compliance impact | If personal data leaks: PDPC fine + 5-year criminal penalty under Emergency Decree |
"SHADOW-EARTH-053 reminds us — nation-state APTs no longer arrive as exotic malware. They arrive through the systems we forgot to patch and the tools we already trust, like AnyDesk. Defense is no longer about installing AV. It requires visibility across every link in the chain — from web-server patches all the way to remote-access session logs."
References
- The Hacker News — China-Linked Hackers Target Asian Governments (May 2026)
- Trend Micro Research — Earth Estries / SHADOW-EARTH-053 Cluster
- Kaspersky SecureList — ShadowPad Backdoor Analysis
- MITRE ATT&CK — ShadowPad (S0596)
- CISA Cybersecurity Advisories — ProxyLogon & Web Shell Mitigation
Is Your Internet-Facing ERP Patched? Audit Log Tamper-Proof?
Saeree ERP runs on Linux + PostgreSQL with built-in 2FA, role-based access, tamper-proof audit logs, and encryption — reducing attack surface by design. Get a free assessment of where your gaps are today.
Free Consultation: Call 02-347-7730 | sale@grandlinux.com
