A single China-aligned intrusion campaign maintained covert access inside government ministries, defence contractors, and critical infrastructure across eight countries for at least 17 months — making it the most geographically broad China-linked espionage operation publicly disclosed in 2026. TrendAI researchers Daniel Lunghi and Lucas Silva published their findings on 1 May 2026, attributing the activity to a cluster they designate SHADOW-EARTH-053. Note: TrendAI's primary research report is currently inaccessible via direct URL; all sourcing below draws on Industrial Cyber, The Register, and GBHackers, each of which covers the original report in detail.

What the Campaign Did

The attackers gained initial access by exploiting long-unpatched vulnerabilities in internet-facing Microsoft Exchange and IIS servers, chiefly the ProxyLogon family (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). The Register and GBHackers also identify CVE-2025-55182, a critical flaw in React Server Components permitting arbitrary code execution on vulnerable servers, as an additional initial-access vector used by the cluster. From there, attackers installed GODZILLA web shells under innocuous filenames such as error.aspx, warn.aspx, and tunnel.ashx in standard Exchange paths, giving persistent remote command access even after the initial vulnerability was later patched: applying the Exchange update closes the entry point but does not remove files already written to disk.

The final payload — ShadowPad, a modular backdoor with historic ties to China's Ministry of State Security contractors — arrived via DLL sideloading. Attackers abused legitimate, signed executables (including a renamed Toshiba Bluetooth binary) to load the implant, and delivered additional samples through AnyDesk. Encrypted payloads were stored in the registry and deleted after initial execution to reduce forensic traces.

Post-compromise activity, as documented across secondary coverage of TrendAI's research, included lateral movement via Windows Management Instrumentation Command-line (WMIC), credential extraction from LSASS memory using Evil-CreateDump and Mimikatz, mailbox enumeration via the Exchange Web Services API, and bulk archival of email data into password-protected RAR files for exfiltration.

Who Was Targeted

Key figures from the report: seven Asian countries targeted; earliest confirmed activity in December 2024; observed dwell time of up to eight months before backdoor deployment in some victims; two related clusters (SHADOW-EARTH-053 and SHADOW-EARTH-054).

Confirmed victims — stated by TrendAI as organisations assessed to have been compromised, not independently verified by this outlet — include government agencies and defence organisations in seven Asian countries: Thailand, Malaysia, Myanmar, Pakistan, India, Sri Lanka, and Taiwan. Poland, a NATO member, was also hit, bringing the total to eight countries across two continents. Three ASEAN member states are directly represented: Thailand, Malaysia, and Myanmar.

Beyond state targets, the campaign also reached diaspora journalists and civil society activists reporting on China-related issues. TrendAI researchers assessed this as an extension of domestic security priorities, treating overseas critics as legitimate intelligence targets alongside defence ministries.

A Related Cluster Compounds the Picture

TrendAI identified a second, independently operating cluster, SHADOW-EARTH-054, that shares tooling and initial access vectors with SHADOW-EARTH-053 and overlaps with it in victims, particularly in Malaysia, Myanmar, and Sri Lanka. The researchers assessed the two clusters as separately tasked rather than coordinated, pointing to independent exploitation of the same unpatched systems by different teams under a broadly shared China-aligned operational umbrella. The same tooling and infrastructure also overlap with Unit 42's CL-STA-0049 and Elastic's REF7707 (also tracked as Earth Alux by TrendAI), suggesting the toolset and infrastructure are shared across multiple China-linked groups.

Tom Kellermann, VP of AI security and threat research at TrendAI, described the campaign in terms that go beyond technical tradecraft: "They're following in the footsteps of the Typhoon campaigns, they look like the younger brother and sister of the Typhoon campaigns, and they're island-hopping through the defense sectors and ministries of those nations for a reason." Kellermann further flagged concern about what the groups may have pre-positioned: "What type of C2 on a sleep cycle is still lingering in these environments?"

Why Unpatched Exchange Servers Remain the Entry Point

The ProxyLogon vulnerability chain dates to March 2021. That it still provides reliable initial access in 2026 across government and defence environments in multiple countries reflects a persistent patch-management failure in sectors that should, by any compliance standard, have closed these gaps years ago. The addition of CVE-2025-55182, targeting React Server Components, shows the cluster is not standing still; it is adding newer vectors alongside legacy ones. That the same operators can exploit both five-year-old CVEs and recent application flaws in high-value government networks points to two failures at once: exposure that was never remediated, and new attack surface introduced without adequate hardening.

Defenders in affected sectors should treat any Exchange or IIS server not at current patch level as potentially compromised, not merely at risk, and prioritise hunting for GODZILLA web shell indicators of compromise as part of, not after, the patching effort, since the patch closes the entry point but leaves any shell already on disk in place. Secondary coverage from Industrial Cyber and The Register includes IoC references drawn from TrendAI's research.
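One concrete way to start that hunt is to read the IIS W3C logs on the Exchange front end and list every ASP.NET handler file under the Exchange virtual directories that is not on a known-clean baseline, ranked by how many POSTs it received. The script below is an added example, not code from TrendAI or from the secondary coverage. The log lines are constructed to resemble IIS logging, the baseline set is a hand-typed stand-in for one you would generate from a clean install of the same Exchange build, and the filenames error.aspx and tunnel.ashx are taken from the article's description.

```python
"""Hunt for web-shell traffic in IIS W3C logs from an Exchange front end.

Added example (not from TrendAI or the secondary coverage). SAMPLE_LOG is
constructed to look like IIS W3C logging; BASELINE is a stand-in for a list of
legitimate handler files taken from a clean build of the same Exchange CU.
Heuristic: any .aspx/.ashx/.asmx/.asax target under an Exchange virtual
directory that is absent from the baseline is a candidate web shell, and POSTs
to it are the strongest signal, since that is how operators send commands.
"""
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample: one legitimate OWA login flow, then operator traffic to
# two dropped files. Field order follows the #Fields directive, as IIS emits it.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-03-04 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-04 09:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 10.0.1.20 Mozilla/5.0 200
2025-03-04 09:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.1.20 Mozilla/5.0 302
2025-03-04 09:00:05 10.0.0.5 GET /owa/auth/errorFE.aspx httpCode=500 443 - 10.0.1.20 Mozilla/5.0 200
2025-03-04 09:03:11 10.0.0.5 POST /owa/auth/error.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-03-04 09:03:12 10.0.0.5 POST /owa/auth/error.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-03-04 09:04:40 10.0.0.5 POST /aspnet_client/tunnel.ashx - 443 - 203.0.113.9 python-requests/2.31 200
2025-03-04 09:05:02 10.0.0.5 GET /ecp/default.aspx - 443 corp\admin 10.0.1.30 Mozilla/5.0 200
"""

EXCHANGE_PREFIXES = ("/owa/", "/ecp/", "/aspnet_client/", "/ews/", "/autodiscover/")
HANDLER_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax")

# Stand-in baseline (assumption). In practice build this by hashing every
# handler file under the FrontEnd and ClientAccess directories of a clean
# install of the same build, not by typing names by hand.
BASELINE = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines rather than guess
        yield dict(zip(fields, values))


def normalize(stem):
    """Decode percent-encoding and lower-case, so /OWA/Auth/%45rror.aspx matches."""
    return unquote(stem).lower()


def is_handler_request(stem):
    """True for an ASP.NET handler file under an Exchange virtual directory (normalized stem)."""
    return stem.startswith(EXCHANGE_PREFIXES) and stem.endswith(HANDLER_EXTENSIONS)


def find_suspect_handlers(records, baseline=BASELINE):
    """Return {stem: {"methods": Counter, "sources": set, "agents": set}}
    for handler files under Exchange paths that are absent from the baseline."""
    suspects = defaultdict(lambda: {"methods": Counter(), "sources": set(), "agents": set()})
    for r in records:
        stem = normalize(r["cs-uri-stem"])
        if not is_handler_request(stem) or stem in baseline:
            continue
        s = suspects[stem]
        s["methods"][r["cs-method"]] += 1
        s["sources"].add(r["c-ip"])
        s["agents"].add(r["cs(User-Agent)"])
    return dict(suspects)


def triage(text):
    """Rank suspects by POST count; returns [(stem, post_count, [source ips]), ...]."""
    found = find_suspect_handlers(parse_iis_log(text))
    ranked = sorted(found.items(), key=lambda kv: kv[1]["methods"]["POST"], reverse=True)
    return [(stem, info["methods"]["POST"], sorted(info["sources"])) for stem, info in ranked]


if __name__ == "__main__":
    for stem, posts, sources in triage(SAMPLE_LOG):
        print(f"{stem}: {posts} POST(s) from {', '.join(sources)}")
```

Two caveats a hunter should keep in mind. The log review only sees requests that IIS logged, so an operator who truncated the logs or disabled logging leaves nothing to rank; pair it with a file-system sweep that hashes every handler file under the Exchange directories against the same baseline. And the baseline must come from the exact build you run, because Exchange ships legitimate files (errorFE.aspx is one) whose names attackers deliberately imitate.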

Defensive Posture

Organisations in ASEAN government and defence supply chains should treat this disclosure as a prompt to audit three things: patch status on Exchange and IIS, and on any internet-facing deployment that uses React Server Components; the presence of anomalous ASP.NET files (.aspx, .ashx) in Exchange directories; and outbound connections from server infrastructure to AnyDesk endpoints not provisioned by IT. Network defenders should also review LSASS access telemetry and watch for RAR archiving activity on mail servers, both consistent with this campaign's credential theft and exfiltration pattern.
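The LSASS, AnyDesk and RAR checks above, and the post-compromise behaviour described under "What the Campaign Did", can be expressed as three detection rules over endpoint telemetry. The script below is an added example, not code from TrendAI or the cited coverage. The events are constructed dicts that use Sysmon's field names (EventID 1 process create, 3 network connect, 10 process access); in production they would come from an EVTX/JSON export or a SIEM query. The server inventory, the approved-LSASS-reader set, the IT-provisioned AnyDesk path and the AnyDesk domain suffix are assumptions to replace with your own.

```python
"""Flag LSASS credential access, unprovisioned AnyDesk use on servers, and
password-protected RAR archiving on mail servers in Sysmon-style telemetry.

Added example, not code from TrendAI or the cited coverage. EVENTS below are
constructed; every hostname, path and IP is fictional. SERVERS, MAIL_SERVERS,
APPROVED_LSASS_READERS, PROVISIONED_ANYDESK and ANYDESK_SUFFIXES are
assumptions standing in for your own inventory.
"""
import re

SERVERS = {"EXCH01"}                      # assumption: hosts where remote-access tools are unexpected
MAIL_SERVERS = {"EXCH01"}                 # assumption: hosts where bulk RAR archiving is abnormal
ANYDESK_SUFFIXES = (".anydesk.com",)      # assumption; confirm against the vendor's published endpoints
PROVISIONED_ANYDESK = {r"c:\program files (x86)\anydesk\anydesk.exe"}   # IT-managed install (assumption)
APPROVED_LSASS_READERS = {                # assumption; derive from your EDR/AV vendor's documented behaviour
    r"c:\windows\system32\svchost.exe",
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
}
PROCESS_VM_READ = 0x0010                  # any memory dump of lsass.exe needs at least this access right
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.IGNORECASE)   # rar -p<pw> / -hp<pw>

EVENTS = [  # constructed sample telemetry
    {"EventID": 10, "Computer": "EXCH01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "EXCH01", "SourceImage": r"C:\Windows\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Computer": "EXCH01", "Image": r"C:\Users\Public\AnyDesk.exe", "Initiated": "true",
     "DestinationHostname": "relay-1.net.anydesk.com", "DestinationPort": "443"},
    {"EventID": 3, "Computer": "WS-114", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "Initiated": "true", "DestinationHostname": "relay-2.net.anydesk.com", "DestinationPort": "443"},
    {"EventID": 1, "Computer": "EXCH01", "Image": r"C:\Windows\Temp\r.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"r.exe a -hpS3cret -m5 C:\Windows\Temp\m.rar C:\Windows\Temp\mail\*"},
    {"EventID": 1, "Computer": "EXCH01", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": r"cmd.exe /c dir"},
]


def lsass_dump_access(ev):
    """Event 10: a non-approved process opened lsass.exe with PROCESS_VM_READ."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    src = ev.get("SourceImage", "").lower()
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if granted & PROCESS_VM_READ and src not in APPROVED_LSASS_READERS:
        return ("lsass_read", ev["Computer"], f"{src} granted 0x{granted:x} on lsass.exe")
    return None


def unprovisioned_anydesk(ev):
    """Event 3: outbound AnyDesk traffic from a server, or from a non-IT install path."""
    if ev.get("EventID") != 3 or ev.get("Initiated") != "true":
        return None
    host = ev.get("DestinationHostname", "").lower()
    if not host.endswith(ANYDESK_SUFFIXES):
        return None
    image = ev.get("Image", "").lower()
    if ev["Computer"] in SERVERS or image not in PROVISIONED_ANYDESK:
        return ("anydesk_outbound", ev["Computer"], f"{image} -> {host}:{ev.get('DestinationPort')}")
    return None


def password_rar_on_mail_server(ev):
    """Event 1: rar/winrar (by OriginalFileName, so renaming does not hide it)
    run with a password switch on a mail server."""
    if ev.get("EventID") != 1 or ev["Computer"] not in MAIL_SERVERS:
        return None
    is_rar = ev.get("OriginalFileName", "").lower() in {"rar.exe", "winrar.exe"}
    if is_rar and RAR_PASSWORD_SWITCH.search(ev.get("CommandLine", "")):
        return ("rar_password_archive", ev["Computer"], ev["CommandLine"])
    return None


RULES = (lsass_dump_access, unprovisioned_anydesk, password_rar_on_mail_server)


def run_rules(events):
    """Return every (rule, host, detail) alert produced over the events."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for rule, host, detail in run_rules(EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Two points on the design. Sysmon only emits Event 10 for lsass.exe if the configuration includes a ProcessAccess rule for it, so confirm that before relying on this rule; EDR platforms expose the same signal under their own schema. The RAR rule keys on OriginalFileName from the PE version resource, which survives the binary being renamed (as r.exe here), but it will not catch an archiver that was recompiled or a different tool altogether, so treat it as one signal among several rather than a complete control.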

This article is a defensive reporting summary based on TrendAI's published research as covered by secondary sources. No exploit code or operational attack detail beyond what has been publicly disclosed is reproduced here.