Lyrie
Threat-Intel
By Lyrie Threat Intelligence · 5/1/2026

The Infrastructure That Knows Your Secrets: SHADOW-EARTH-053 Owns Asian Governments and a NATO Member

TL;DR

Trend Micro disclosed SHADOW-EARTH-053, a China-aligned threat group exploiting N-day flaws in Microsoft Exchange and IIS servers to breach government and defense sectors across Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland (NATO). The group deploys Godzilla web shells, ShadowPad backdoors, and custom lateral-movement tools to maintain persistence and extract intelligence.

What Happened

On May 1, 2026, Trend Micro published a full technical breakdown of SHADOW-EARTH-053, a state-sponsored espionage campaign targeting government, defense, and critical infrastructure sectors across eight countries: seven in Asia plus Poland, a NATO member state. The threat group, assessed as active since at least December 2024, has been systematically exploiting unpatched Microsoft Exchange and IIS servers to gain initial access, deploy persistent web shells, and stage advanced malware implants designed for long-term intelligence gathering.

The campaign represents a textbook state-sponsored operation: deliberate, methodical, and patient. Rather than spraying ransomware or stealing credit cards, SHADOW-EARTH-053 is collecting government secrets—the kind that reshape geopolitical calculations.

Technical Details

Attack Chain: Exchange Exploitation to ShadowPad Implantation

Stage 1: Web Shell Deployment

  • Exploits N-day vulnerabilities in internet-facing Microsoft Exchange servers (ProxyLogon chain)
  • Also targets IIS web applications for initial compromise
  • No zero-days required—just unpatched systems

Stage 2: Persistence & Reconnaissance

  • Deploys Godzilla web shells (an open-source Chinese-language web shell framework)
  • Uses web shells as a command execution vehicle for:

- Network reconnaissance

- Credential harvesting

- System discovery

Stage 3: Backdoor Deployment

  • Stages the ShadowPad backdoor via DLL sideloading: a legitimate, signed executable is made to load the malicious DLL
  • ShadowPad provides encrypted command & control and advanced capabilities
  • AnyDesk used as a delivery mechanism for malware staging

Stage 4: Lateral Movement & Exfiltration

  • Privilege escalation via Mimikatz
  • Lateral movement using:

- Custom RDP launcher

- Sharp-SMBExec (C# implementation of SMBExec)

- Open-source tunneling tools: IOX, GO Simple Tunnel (GOST), Wstunnel, RingQ

  • Data exfiltration through encrypted tunnels

Linux Compromise Vector

  • React2Shell (CVE-2025-55182) weaponized to distribute Linux version of Noodle RAT (aka ANGRYREBEL)
  • Google Threat Intelligence Group (GTIG) linked this to UNC6595
  • Indicates cross-platform targeting of infrastructure

Related Clusters: SHADOW-EARTH-054, GLITTER CARP, SEQUIN CARP

  • Nearly half of SHADOW-EARTH-053 targets also compromised by SHADOW-EARTH-054 (distinct but overlapping cluster)
  • GLITTER CARP and SEQUIN CARP conduct targeted phishing against journalists, activists, and diaspora communities (Uyghur, Tibetan, Taiwanese, Hong Kong)
  • Shared infrastructure and phishing tactics suggest operational coordination or commercial contractor network

Lyrie Assessment: Why This Matters to CISOs

1. **The Dwell-Time Problem**

SHADOW-EARTH-053's operational model (patient, methodical, multi-stage) implies long dwell times. An unpatched Exchange server compromised today might not be detected for weeks. By the time a SOC detects anomalous traffic, the attacker has already exfiltrated cabinet meeting notes, defense procurement files, and classified communications.

2. **Persistence Through Legitimate Tools**

This group's reliance on AnyDesk, RDP, and SMB for lateral movement means its activity blends into normal behavioral baselines. Every government ministry uses RDP. Every IT department uses AnyDesk. An autonomous defense system must learn which connections are anomalous in context, not merely flag them as suspicious.

3. **The NATO Implication**

Poland's inclusion shows this isn't just Asia-targeted. A NATO member being compromised signals this is a multi-theater intelligence operation. If Poland's government networks are under SHADOW-EARTH-053 surveillance, neighboring NATO states should assume the same reconnaissance posture applies to them.

4. **The Journalist Targeting (GLITTER CARP/SEQUIN CARP)**

The parallel campaigns against journalists and diaspora activists show this is a political intelligence operation, not purely military-technical espionage. Critical infrastructure organizations working on energy, water, and transportation should take note: Chinese state targeting of journalists today means critical infrastructure is on tomorrow's target list.

5. **The Autonomous Defense Implication**

SHADOW-EARTH-053 relies on:

  • Known CVEs (unpatched systems) → requires zero-trust patching orchestration that does not wait for a quarterly patch cycle
  • Web shell command execution → requires behavioral baseline anomaly detection (what's normal RDP traffic for this server vs. exfiltration?)
  • Encrypted tunneling → requires outbound traffic classification that doesn't depend on decryption (Lyrie's transparent inspection advantage)
  • DLL sideloading → requires process integrity monitoring that catches legitimate-looking executables doing illegitimate things

An autonomous defense platform would have caught this at Stage 1 (unpatched Exchange) or Stage 2 (anomalous web shell execution). By Stage 3, you've lost.

Recommended Actions

Immediate (24-48 Hours)

1. Inventory internet-facing Exchange and IIS servers

- Patch status: Are they on the latest cumulative update?

- Who has access? (Principle of least privilege)

- Logs: Do you have 90+ days of web server logs? (You'll need them for forensics)

2. Hunt for Godzilla web shells

- Search IIS logs for requests to suspicious .aspx/.asmx files in unusual directories

- Trend Micro shared IOCs—feed them into your SIEM

3. Check for AnyDesk installations

- Unauthorized AnyDesk on critical infrastructure is a red flag

- Cross-reference with change management: was this authorized?
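A concrete way to run the Godzilla web-shell hunt in item 2 over IIS logs, as an added Python example that is not Trend Micro's or Lyrie's tooling: it parses the W3C log header rather than hard-coding column positions, then flags script endpoints that sit outside the paths Exchange normally serves from, or that show the shell-client traffic pattern (POST-only, single source, no Referer). The expected-path allowlist and the sample log are constructed assumptions:

```python
"""Hunt IIS W3C logs for web-shell interaction patterns.

Added example: not Trend Micro's or Lyrie's tooling. The allowlist of expected
paths and the sample log below are assumptions constructed for illustration.
"""
from collections import defaultdict

SCRIPT_EXT = (".aspx", ".asmx", ".ashx")
# Assumption: on an Exchange front end, script requests are expected under these paths.
EXPECTED_PREFIXES = ("/owa/", "/ecp/", "/ews/", "/mapi/", "/autodiscover/", "/rpc/")

# Constructed sample in IIS W3C format ('-' is an empty field; user agents use '+' for spaces).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2026-04-20 08:01:10 GET /owa/auth/logon.aspx url=/owa/ 10.1.2.3 Mozilla/5.0 https://mail.example.test/owa/ 200
2026-04-20 08:02:15 GET /owa/auth/logon.aspx url=/owa/ 10.1.2.4 Mozilla/5.0 https://mail.example.test/owa/ 200
2026-04-20 08:03:40 POST /ews/exchange.asmx - 10.1.2.3 Microsoft+Office/16.0 - 200
2026-04-20 08:03:41 POST /ews/exchange.asmx - 10.1.2.9 Microsoft+Office/16.0 - 200
2026-04-20 08:03:42 POST /ews/exchange.asmx - 10.1.2.3 Microsoft+Office/16.0 - 200
2026-04-20 03:11:02 POST /aspnet_client/system_web/err.aspx - 203.0.113.7 Mozilla/5.0 - 200
2026-04-20 03:11:09 POST /aspnet_client/system_web/err.aspx - 203.0.113.7 Mozilla/5.0 - 200
2026-04-20 03:12:31 POST /aspnet_client/system_web/err.aspx - 203.0.113.7 Mozilla/5.0 - 200
2026-04-20 03:14:05 POST /aspnet_client/system_web/err.aspx - 203.0.113.7 Mozilla/5.0 - 200
2026-04-20 04:40:17 POST /owa/auth/help.aspx - 198.51.100.9 Mozilla/5.0 - 200
2026-04-20 04:41:02 POST /owa/auth/help.aspx - 198.51.100.9 Mozilla/5.0 - 200
2026-04-20 04:43:55 POST /owa/auth/help.aspx - 198.51.100.9 Mozilla/5.0 - 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header can change mid-file; honour the latest
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("log data precedes the #Fields header")
        else:
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines instead of misaligning columns
                rows.append(dict(zip(fields, values)))
    return rows


def hunt_web_shells(rows, min_posts=3):
    """Return script endpoints that look like web shells, most suspicious first."""
    stats = defaultdict(lambda: {"post": 0, "get": 0, "ips": set(), "no_referer": 0})
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXT):
            continue
        s = stats[stem]
        method = r["cs-method"].upper()
        if method == "POST":
            s["post"] += 1
        elif method == "GET":
            s["get"] += 1
        s["ips"].add(r["c-ip"])
        if r.get("cs(Referer)", "-") == "-":
            s["no_referer"] += 1

    findings = []
    for stem, s in stats.items():
        reasons = []
        # A script file living outside the paths the product is known to serve from.
        if not stem.startswith(EXPECTED_PREFIXES):
            reasons.append("script outside expected Exchange paths")
        # Shell clients POST commands and never browse: no GETs, no Referer, one operator address.
        total = s["post"] + s["get"]
        if s["post"] >= min_posts and s["get"] == 0 and len(s["ips"]) == 1 and s["no_referer"] == total:
            reasons.append("POST-only traffic from a single source with no Referer")
        if reasons:
            findings.append({"stem": stem, "reasons": reasons, "posts": s["post"], "sources": sorted(s["ips"])})
    findings.sort(key=lambda f: (-len(f["reasons"]), f["stem"]))
    return findings


if __name__ == "__main__":
    for hit in hunt_web_shells(parse_w3c(SAMPLE_LOG)):
        print(hit["stem"], hit["posts"], "POSTs from", hit["sources"], "->", "; ".join(hit["reasons"]))
```

The traffic-pattern rule is what catches a shell dropped under a legitimate directory such as /owa/auth/, where the directory check alone says nothing; the single-source condition keeps legitimate POST-only services such as EWS from matching, so tune min_posts and the allowlist to the server in front of you. Before treating a hit as confirmed, check the flagged file's creation time on disk and compare it with the Trend Micro IOCs.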

Near-term (1-2 Weeks)

1. Implement virtual patching

- IPS/WAF rules for ProxyLogon exploit attempts (even if patched, log attempts)

- CVE-2025-55182 (React2Shell) detection for Linux systems

2. Deploy outbound egress filtering

- Block Tor onion addresses (these threat actors use Tor-based C2)

- Monitor for DNS queries to domains associated with IOX, GOST, Wstunnel

3. Enable Credential Guard / LSA Protection (RunAsPPL)

- Makes Mimikatz harvesting harder

- Doesn't stop them, but slows lateral movement

Strategic

1. Assume breach

- If your Exchange server was unpatched for >30 days, assume SHADOW-EARTH-053 has eyes on it

- Run forensics on that machine as if you're in incident response mode

2. Federated identity + MFA everywhere

- Prevents lateral movement even if credentials are stolen

- These actors use credential harvesting—make stolen creds worthless

3. Behavioral anomaly detection

- RDP sessions that exfiltrate data at 3 AM from a normally idle account = anomaly

- Web shells that encode command output differently than normal traffic = anomaly

- Standard deviations from baseline = the real alert signal
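The "standard deviations from baseline" signal in item 3, as an added Python example that is not Lyrie's detection engine: it builds a per-account profile (mean and standard deviation of bytes sent out per RDP session, plus the hours the account is normally active) from constructed history, then scores new sessions with a z-score and an hour-of-day check, including the edge cases of a constant baseline and an account with no history at all. The field layout, thresholds and session data are assumptions:

```python
"""Per-account baseline scoring for RDP session telemetry.

Added example, not Lyrie's or Trend Micro's code. The session history, thresholds and
field layout are assumptions constructed to illustrate "standard deviations from
baseline" as the alert signal.
"""
import statistics
from collections import defaultdict
from datetime import datetime

Z_THRESHOLD = 3.0   # assumption: alert at three standard deviations above the account's mean
HOUR_SLACK = 1      # assumption: tolerate sessions one hour either side of the observed window

# Constructed history of completed RDP sessions: (account, session end, bytes sent off the host).
BASELINE = [
    ("j.doe", "2026-04-01T08:30", 18_000_000), ("j.doe", "2026-04-02T09:10", 22_000_000),
    ("j.doe", "2026-04-03T10:05", 19_000_000), ("j.doe", "2026-04-06T11:40", 21_000_000),
    ("j.doe", "2026-04-07T14:15", 20_000_000), ("j.doe", "2026-04-08T15:50", 23_000_000),
    ("j.doe", "2026-04-09T16:20", 17_000_000), ("j.doe", "2026-04-10T09:45", 20_000_000),
    ("j.doe", "2026-04-13T10:30", 21_000_000), ("j.doe", "2026-04-14T13:00", 19_000_000),
    # A service account that logs in rarely and always moves the same small amount.
    ("svc-idle", "2026-04-02T12:00", 1_000_000), ("svc-idle", "2026-04-09T12:00", 1_000_000),
]

# Constructed sessions to score against that history.
NEW_SESSIONS = [
    ("j.doe", "2026-04-20T03:14", 2_100_000_000),   # 2.1 GB out at 3 AM
    ("j.doe", "2026-04-20T10:00", 21_500_000),      # ordinary working-hours session
    ("svc-idle", "2026-04-20T03:00", 50_000_000),   # idle account suddenly active at night
    ("ghost", "2026-04-20T10:00", 10),              # account with no history at all
]


def build_profiles(history):
    """Per-account mean, standard deviation and observed hour window."""
    per_acct = defaultdict(lambda: {"bytes": [], "hours": []})
    for account, ts, nbytes in history:
        per_acct[account]["bytes"].append(nbytes)
        per_acct[account]["hours"].append(datetime.fromisoformat(ts).hour)
    profiles = {}
    for account, p in per_acct.items():
        profiles[account] = {
            "n": len(p["bytes"]),
            "mean": statistics.fmean(p["bytes"]),
            # stdev needs two points; a single sample gets a zero spread and is handled below
            "std": statistics.stdev(p["bytes"]) if len(p["bytes"]) > 1 else 0.0,
            "hour_lo": min(p["hours"]) - HOUR_SLACK,
            "hour_hi": max(p["hours"]) + HOUR_SLACK,
        }
    return profiles


def score_session(profiles, account, ts, nbytes, z_threshold=Z_THRESHOLD):
    """Score one session; 'reasons' is empty when the session fits the account's baseline."""
    prof = profiles.get(account)
    if prof is None:
        return {"account": account, "z": None, "reasons": ["no baseline for account"]}
    reasons = []
    if prof["std"] > 0:
        z = (nbytes - prof["mean"]) / prof["std"]
        if z > z_threshold:
            reasons.append(f"outbound volume {z:.0f} standard deviations above baseline")
    else:
        # Constant history: any growth is a deviation, so treat it as unbounded.
        z = float("inf") if nbytes > prof["mean"] else 0.0
        if z:
            reasons.append("outbound volume exceeds a constant baseline")
    hour = datetime.fromisoformat(ts).hour
    if not prof["hour_lo"] <= hour <= prof["hour_hi"]:
        reasons.append(f"session at {hour:02d}:00 outside the account's observed hours")
    return {"account": account, "z": z, "reasons": reasons}


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for account, ts, nbytes in NEW_SESSIONS:
        result = score_session(profiles, account, ts, nbytes)
        print(account, ts, "ALERT" if result["reasons"] else "ok", "; ".join(result["reasons"]))
```

The 3 AM, 2.1 GB session from j.doe fires on both checks; the same account at 10:00 moving its usual volume scores under one standard deviation and stays quiet. svc-idle has a zero-spread history, so any growth is reported instead of dividing by zero, and an account with no history is surfaced explicitly rather than silently passed as normal.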

Sources

1. Trend Micro — Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia (https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html)

2. The Hacker News — China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists (https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html) — May 1, 2026

3. CyberPress — China-Backed Hackers Deploy ShadowPad Malware In Sophisticated Multi-Stage Spy Ops (https://cyberpress.org/shadowpad-spy-campaign/) — May 1, 2026

4. Citizen Lab — How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression (https://citizenlab.ca/research) — referenced for GLITTER CARP/SEQUIN CARP targeting


Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.