
ShadowPad Rising: SHADOW-EARTH-053 Hits Exchange Servers


Executive Summary

A cyber espionage campaign attributed to the China-linked threat cluster SHADOW-EARTH-053 has been observed targeting government, defense, telecommunications, and transportation organizations across South, East, and Southeast Asia, as well as a European NATO member state. The attackers exploit known vulnerabilities in internet-facing Microsoft Exchange servers, including CVE-2021-26855, to gain initial access and deploy web shells for persistence. Post-exploitation activity involves credential dumping, tunneling tools, and lateral movement frameworks to deploy the ShadowPad backdoor. In limited observed instances, Noodle RAT was also identified, with low-confidence association to activity involving CVE-2025-55182. The campaign demonstrates continued access to compromised environments and post-exploitation activity across enterprise networks.


Background on SHADOW-EARTH-053

SHADOW-EARTH-053 is a China-aligned threat cluster tracked by Trend Micro. The group has been active since at least late 2024 and has targeted organizations across multiple sectors, including government, defense, telecommunications, and transportation.

Trend Micro identified overlaps between SHADOW-EARTH-053 and other tracked clusters such as CL-STA-0049, Earth Alux, and REF7707, suggesting shared infrastructure or tooling.

The campaign focuses on compromising enterprise infrastructure to enable persistent access and post-exploitation activity.


Vulnerability Details

Primary Exploited Vulnerability

CVE-ID: CVE-2021-26855
CVSS Score: 9.1
EPSS Score: 94.35%
Vulnerability Type: Server-Side Request Forgery (SSRF)
Affected Software: Microsoft Exchange Server 2013, 2016, and 2019
Patched in: Microsoft CUs were released to patch this flaw

CVE-2021-26855 is a server-side request forgery vulnerability in Microsoft Exchange Server that allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server. This vulnerability was actively exploited by SHADOW-EARTH-053 as part of the ProxyLogon attack chain to gain initial access.

Additional Observed Vulnerability

CVE-ID: CVE-2025-55182
CVSS Score: 10.0
EPSS Score: 82.01%
Vulnerability Type: Remote Code Execution
Affected Software: React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
Patched in: React Server Components 19.0.1, 19.1.2, and 19.2.1

CVE-2025-55182 (React2Shell) is a remote code execution vulnerability. Trend Micro reported a low-confidence association between activity involving this vulnerability and the presence of Noodle RAT in certain environments. Its role in the SHADOW-EARTH-053 intrusion chain is not confirmed.


Infection Method

The SHADOW-EARTH-053 campaign follows this chain:

Initial Access:
Attackers exploit known vulnerabilities in Microsoft Exchange servers, including CVE-2021-26855.

Web Shell Deployment:
Following exploitation, attackers deploy the GODZILLA web shell to maintain access.

The following web shell filenames were observed:

  • error.aspx, errorFE.aspx, signout.aspx, warn.aspx, data.aspx, page.aspx, TimeinLogout.aspx, timeout.aspx, charcode.aspx, tunnel.ashx, i.aspx, 2.aspx

These web shells were commonly deployed in:

  • \inetpub\wwwroot\aspnet_client\system_web
  • \Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
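The two observed drop directories and the twelve observed filenames give a defender a concrete hunt. The following Python script is an added example (not SecPod's, Trend Micro's or Microsoft's code): it walks the two directories listed above, reports every server-side script file it finds, rates files whose name matches an observed web shell name as high, and flags anything modified after a baseline timestamp you supply (for instance the time of the last Exchange CU install). The directory tree it builds in a temp folder is constructed for the demo; the assumption that legitimate files predate the baseline should be confirmed against your own install or file hashes, since some observed names can coincide with legitimate Exchange files.

```python
"""Hunt for the web shell names and drop directories reported for SHADOW-EARTH-053.

Added example; not SecPod's, Trend Micro's or Microsoft's code. The observed
filenames and directories come from the write-up; the directory tree built by
build_demo_tree() is constructed for the demo. On a real server, call
scan_for_webshells() with the system drive root and your patch-time baseline.
"""
import os
import tempfile
import time
from pathlib import Path

# Web shell filenames observed in the campaign (lower-cased for comparison).
OBSERVED_SHELL_NAMES = {
    "error.aspx", "errorfe.aspx", "signout.aspx", "warn.aspx", "data.aspx",
    "page.aspx", "timeinlogout.aspx", "timeout.aspx", "charcode.aspx",
    "tunnel.ashx", "i.aspx", "2.aspx",
}

# Observed drop directories, relative to the system drive root.
OBSERVED_DROP_DIRS = (
    Path("inetpub/wwwroot/aspnet_client/system_web"),
    Path("Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth"),
)

# Server-side script extensions IIS will execute.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def scan_for_webshells(root: Path, baseline_mtime: float) -> list[dict]:
    """Return one finding per server-side script file under the observed drop
    directories.

    severity 'high'   : filename matches an observed web shell name
    severity 'review' : any other script file in these directories
    'newer_than_baseline' flags files modified after the supplied baseline
    (e.g. the last Exchange CU install time). Assumption: legitimate files in
    these directories predate that baseline; confirm against your own install
    baseline or known-good hashes.
    """
    findings = []
    for rel in OBSERVED_DROP_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            findings.append({
                "name": path.name,
                "path": str(path.relative_to(root)),
                "severity": "high" if path.name.lower() in OBSERVED_SHELL_NAMES else "review",
                "newer_than_baseline": path.stat().st_mtime > baseline_mtime,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree() -> tuple[Path, float]:
    """Constructed sample tree: two observed names (one dropped after the baseline),
    one unrelated script file, one non-script file. Returns (root, baseline_mtime)."""
    root = Path(tempfile.mkdtemp(prefix="shadowpad-demo-"))
    system_web = root / OBSERVED_DROP_DIRS[0]
    owa_auth = root / OBSERVED_DROP_DIRS[1]
    system_web.mkdir(parents=True)
    owa_auth.mkdir(parents=True)
    old = time.time() - 30 * 24 * 3600          # pretend these shipped with the install
    for name in ("errorFE.aspx", "logon.aspx", "logon.css"):
        f = owa_auth / name
        f.write_text("demo")
        os.utime(f, (old, old))
    baseline = time.time() - 7 * 24 * 3600      # "last CU installed a week ago"
    (system_web / "charcode.aspx").write_text('<%@ Page Language="C#" %> demo')  # dropped now
    return root, baseline


if __name__ == "__main__":
    demo_root, baseline_mtime = build_demo_tree()
    for f in scan_for_webshells(demo_root, baseline_mtime):
        flag = " (modified after baseline)" if f["newer_than_baseline"] else ""
        print(f"[{f['severity']:6}] {f['path']}{flag}")
```

Treat a high-severity hit that is also newer than the baseline as the strongest signal; a name match on an old file still deserves a hash comparison against a clean Exchange install rather than an automatic dismissal.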

Credential Access:
Mimikatz was executed via rundll32.exe with commands including sekurlsa::logonpasswords and lsadump::sam, which were launched by the IIS worker process (w3wp.exe), confirming execution via web shell.

Establishing Covert Channels:
The tunneling tools IOX, GOST and Wstunnel are deployed to establish covert channels for command-and-control communication.

Lateral Movement:
Attackers move across systems using a custom RDP launcher and Sharp-SMBExec. The threat actor propagated web shells across internal Exchange servers using administrative shares, for example:

copy charcode.aspx \\[IP]\c$\inetpub\wwwroot\aspnet_client\system_web\

Malware Deployment:
ShadowPad is deployed using DLL side-loading techniques involving legitimate signed executables, where a malicious DLL such as TosBtKbd.dll is loaded to execute the payload. The payload is packed using techniques such as RingQ packing, allowing it to evade detection and execute within memory.

In limited observed cases, Noodle RAT (a Linux backdoor) was identified, with low-confidence association to activity involving CVE-2025-55182.

Persistence:
Persistence is maintained through web shells, backdoors, and continued access to compromised systems. The ShadowPad loader (TosBtKbd.dll) retrieves its payload from the Windows Registry:

HKEY_CURRENT_USER\Software\[ComputerName]

The payload is stored under a value named scode. Persistence is established via a scheduled task named M1onltor, configured to execute every five minutes with elevated privileges.


Malware Behavior and Capabilities

SHADOW-EARTH-053 employs multiple tools and malware families:

ShadowPad
A modular backdoor providing:

  • Remote command execution
  • Plugin-based extensibility
  • Persistent access to compromised systems

Noodle RAT
A Linux-based remote access trojan observed in limited instances, enabling remote command execution and control.

GODZILLA Web Shell
Used for:

  • Persistent access
  • Command execution on compromised Exchange servers

Supporting Tools:

  • Mimikatz – Credential dumping
  • IOX / GOST / Wstunnel – Tunneling and proxying
  • Sharp-SMBExec – Lateral movement via SMB
  • Custom RDP launcher – Remote access

These tools support credential access, lateral movement, and continued control of compromised environments.


Techniques Include (MITRE ATT&CK Mapping)

T1190 – Exploit Public-Facing Application
Exploitation of Microsoft Exchange vulnerabilities such as CVE-2021-26855.

T1505.003 – Server Software Component: Web Shell
Deployment of the GODZILLA web shell.

T1003 – OS Credential Dumping
Use of Mimikatz to extract credentials.

T1105 – Ingress Tool Transfer
Deployment of ShadowPad and supporting tools.

T1021 – Remote Services
Lateral movement via RDP and SMB-based tools.

T1090 – Proxy
Use of IOX, GOST, and Wstunnel for tunneling.

T1574.002 – Hijack Execution Flow: DLL Side-Loading
Execution of ShadowPad using DLL side-loading.

T1071 – Application Layer Protocol
Command-and-control communication over standard protocols.


Visual: SHADOW-EARTH-053 Attack Flow

[Exploit Exchange Vulnerability (CVE-2021-26855)]
-> [Deploy GODZILLA Web Shell]
-> [Credential Dumping via Mimikatz]
-> [Establish Tunnels via IOX/GOST/Wstunnel]
-> [Lateral Movement via RDP & SMBExec]
-> [Deploy ShadowPad via DLL Side-loading]
-> [Optional Noodle RAT Presence (Low Confidence)]
-> [Persistent Access and Post-Exploitation Activity]

This flow demonstrates how SHADOW-EARTH-053 gains access through Exchange vulnerabilities, deploys web shells, and conducts post-exploitation activity using backdoors and tunneling tools.


IOCs (Indicators of Compromise)

File Hashes

ShadowPad Loader Components:

  • graphics-hook-filter32.dll
  • imjp14k.dll
  • uxtheme.dll
  • MPS.dll

Key Malware / Tooling Hashes:

  • mdync.exe -> SHA-256: 3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97
  • TosBtKbd.dll -> SHA-256: e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020
  • DomainMachines.exe -> SHA-256: 165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9
  • ExchangeExport.exe -> SHA-256: d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902

Domains

Command-and-Control Domains:

  • time[.]microsofttrends[.]com
  • erp[.]kaspersky[.]icu
  • check[.]office365-update[.]com

Infrastructure / Masquerading Domains:

  • dns[.]dnsmap[.]icu
  • cert[.]kaspersky[.]icu
  • update[.]kaspersky[.]icu
  • nslookup[.]dnserver[.]life
  • microsi0ft[.]com

IP Addresses

SHADOW-EARTH-053 Infrastructure:

  • 141[.]164[.]46[.]77
  • 96[.]9[.]125[.]227
  • 194[.]38[.]11[.]3

Related Activity (SHADOW-EARTH-054):

  • 209[.]141[.]40[.]254
  • 45[.]61[.]62[.]172

URLs

  • hxxp://209[.]141[.]40[.]254:8443/update
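The domains, IPs and URL above are defanged for safe publication, so they have to be normalised before they can be matched against DNS or proxy telemetry. The following Python script is an added example (not SecPod's or Trend Micro's code): it refangs the indicator list exactly as given above, buckets each indicator by type, and applies a type-appropriate rule to each log line (domains match exactly or as a parent of the queried host, IPs match exactly, the URL matches as a substring). The five log lines are constructed for the demo; the field layout is the example's own, not a product schema.

```python
"""Refang the defanged IOCs from this write-up and match them against log lines.

Added example; not SecPod's or Trend Micro's code. DEFANGED_IOCS is the domain,
IP and URL list from the write-up; SAMPLE_LOGS are constructed DNS/proxy lines.
"""
import re

DEFANGED_IOCS = [
    # C2 and masquerading domains
    "time[.]microsofttrends[.]com", "erp[.]kaspersky[.]icu",
    "check[.]office365-update[.]com", "dns[.]dnsmap[.]icu",
    "cert[.]kaspersky[.]icu", "update[.]kaspersky[.]icu",
    "nslookup[.]dnserver[.]life", "microsi0ft[.]com",
    # infrastructure IPs (SHADOW-EARTH-053 and related SHADOW-EARTH-054 activity)
    "141[.]164[.]46[.]77", "96[.]9[.]125[.]227", "194[.]38[.]11[.]3",
    "209[.]141[.]40[.]254", "45[.]61[.]62[.]172",
    # URL
    "hxxp://209[.]141[.]40[.]254:8443/update",
]

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# hostnames or dotted IPs inside a log line; stops at ':' '/' '=' and whitespace
HOST_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z0-9-]+")


def refang(ioc: str) -> str:
    """Undo the usual defanging: [.] (.) (dot) {.} -> '.', hxxp -> http, [:] -> ':'."""
    s = ioc.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\(dot\)|\{\.\}", ".", s, flags=re.IGNORECASE)
    s = s.replace("[:]", ":").replace("[://]", "://")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def load_iocs(defanged: list[str]) -> dict[str, set[str]]:
    """Refang and bucket IOCs by type so matching can apply the right rule per type."""
    iocs = {"domain": set(), "ip": set(), "url": set()}
    for raw in defanged:
        value = refang(raw)
        if re.match(r"^https?://", value, re.IGNORECASE):
            iocs["url"].add(value)
        elif IPV4.fullmatch(value):
            iocs["ip"].add(value)
        else:
            iocs["domain"].add(value.lower())
    return iocs


def match_line(line: str, iocs: dict[str, set[str]]) -> list[str]:
    """Return 'type:value' for every IOC the line touches. Domains match exactly or
    as a parent of the queried host (mail.erp.kaspersky.icu hits erp.kaspersky.icu);
    IPs match exactly; URLs match as substrings of the line."""
    hits = set()
    for token in HOST_TOKEN.findall(line):
        tok = token.lower()
        if IPV4.fullmatch(tok):
            if tok in iocs["ip"]:
                hits.add(f"ip:{tok}")
            continue
        for domain in iocs["domain"]:
            if tok == domain or tok.endswith("." + domain):
                hits.add(f"domain:{domain}")
    for url in iocs["url"]:
        if url.lower() in line.lower():
            hits.add(f"url:{url}")
    return sorted(hits)


def scan_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, list[str]]]:
    """(line index, matches) for every line with at least one IOC hit."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            out.append((i, hits))
    return out


SAMPLE_LOGS = [  # constructed for the demo
    "2025-01-15T10:02:11Z dns client=10.0.0.25 query=time.microsofttrends.com type=A",
    "2025-01-15T10:02:13Z proxy src=10.0.0.25 dst=141.164.46.77:443 method=CONNECT",
    "2025-01-15T10:03:00Z dns client=10.0.0.31 query=update.microsoft.com type=A",
    "2025-01-15T10:05:42Z proxy src=10.0.0.40 url=http://209.141.40.254:8443/update status=200",
    "2025-01-15T10:06:01Z dns client=10.0.0.12 query=mail.erp.kaspersky.icu type=A",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(f"line {idx}: {', '.join(hits)}")
```

The parent-domain rule is deliberate: the actor's look-alike domains (kaspersky[.]icu, microsofttrends[.]com) are typically reached through subdomains, and an exact-match rule would miss hosts that were not in the published list. The third sample line shows that the genuine update.microsoft.com does not trip the microsi0ft[.]com indicator.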

Key Files and Artifacts

  • TosBtKbd.dll (registry loader)
  • mdync.exe (backdoor)
  • DomainMachines.exe (discovery tool)
  • data.aspx (web shell)

Behavioral Indicators

  • Web shell deployment in Exchange directories
  • DLL side-loading using signed binaries
  • Registry-stored payload execution
  • Scheduled task persistence (M1onltor)
  • LSASS memory dumping
  • Use of tunneling/proxy tools for C2

The threat actor renamed legitimate system binaries to randomized .log filenames to evade detection, for example:

  • net.exe -> C:\ProgramData\$[RANDOM].log
  • PowerShell binaries -> randomized .log filenames such as:
      ◦ $D5PLAA1.log
      ◦ $9XF5WLD.log
      ◦ $C06KCQ2.log
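The host-level behaviours described in the Credential Access, Persistence and Behavioral Indicators sections (Mimikatz launched under the IIS worker process, the M1onltor scheduled task, the scode registry value, and system binaries renamed to C:\ProgramData\$[RANDOM].log) translate directly into process and registry telemetry rules. The following Python script is an added example (not SecPod's or Trend Micro's code) that encodes those rules and runs them over Sysmon-style events; the events and their field names (type, image, parent_image, cmdline, task_name, target) are constructed for the demo and are the example's own, not a product schema.

```python
"""Detection rules for the host-level behaviours reported for SHADOW-EARTH-053:
w3wp.exe spawning command interpreters (web shell activity), Mimikatz module strings,
the M1onltor scheduled task, the 'scode' registry payload, and renamed binaries
executing as C:\\ProgramData\\$XXXXXXX.log.

Added example; not SecPod's or Trend Micro's code. Events are Sysmon-style dicts
constructed for the demo (field names are the example's own, not a product schema).
"""
import ntpath
import re

# Children of the IIS worker process that indicate commands issued through a web shell.
WEBSHELL_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "net.exe",
                     "whoami.exe", "schtasks.exe", "reg.exe"}
# Mimikatz modules observed in the campaign.
MIMIKATZ_MODULES = ("sekurlsa::logonpasswords", "lsadump::sam")
# net.exe / PowerShell renamed to C:\ProgramData\$[RANDOM].log
RENAMED_LOG_BINARY = re.compile(r"\\ProgramData\\\$[A-Z0-9]+\.log$", re.IGNORECASE)
# HKEY_CURRENT_USER\Software\[ComputerName] value 'scode' holding the ShadowPad payload
SCODE_VALUE = re.compile(r"^HK(?:CU|EY_CURRENT_USER)\\Software\\[^\\]+\\scode$", re.IGNORECASE)


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event triggers (empty list = benign)."""
    alerts = []
    kind = event.get("type")
    if kind == "process":
        image_path = event.get("image", "")
        image = ntpath.basename(image_path).lower()
        parent = ntpath.basename(event.get("parent_image", "")).lower()
        cmdline = event.get("cmdline", "").lower()
        if parent == "w3wp.exe" and image in WEBSHELL_CHILDREN:
            alerts.append("webshell_child_process")
        if any(m in cmdline for m in MIMIKATZ_MODULES):
            alerts.append("mimikatz_module")
        # A .log file should never be a process image; the ProgramData pattern is the
        # campaign-specific form, the extension check the general one.
        if RENAMED_LOG_BINARY.search(image_path) or image.endswith(".log"):
            alerts.append("renamed_binary_as_log")
        if "/tn m1onltor" in cmdline:
            alerts.append("scheduled_task_m1onltor")
    elif kind == "task_created" and event.get("task_name", "").lower() == "m1onltor":
        alerts.append("scheduled_task_m1onltor")
    elif kind == "registry_set" and SCODE_VALUE.match(event.get("target", "")):
        alerts.append("registry_payload_scode")
    return alerts


def scan_events(events: list[dict]) -> list[tuple[int, str]]:
    """Flatten to (event index, rule name) pairs for every triggered rule."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


SAMPLE_EVENTS = [  # constructed for the demo
    {"type": "process", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "rundll32.exe <redacted>.dll sekurlsa::logonpasswords lsadump::sam"},
    {"type": "process", "image": r"C:\ProgramData\$D5PLAA1.log",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "$D5PLAA1.log user"},
    {"type": "task_created", "task_name": "M1onltor", "user": "SYSTEM"},
    {"type": "registry_set", "target": r"HKCU\Software\EXCH01\scode",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The w3wp.exe parent rule is the highest-value one here: on an Exchange server the IIS worker process has no legitimate reason to spawn cmd.exe, PowerShell or rundll32.exe, so it catches web shell command execution regardless of which shell file or Mimikatz variant is used. The task name and registry value rules are campaign-specific and cheap; pair them with a generic rule on scheduled tasks running as SYSTEM at short intervals to cover renamed variants.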

Mitigation Steps

Patch Systems:
Apply security updates for Microsoft Exchange servers addressing CVE-2021-26855.

Monitor for Web Shells:
Inspect systems for unauthorized web shells such as GODZILLA.

Credential Protection:
Monitor for suspicious credential access and potential use of credential dumping tools.

Network Monitoring:
Detect abnormal tunneling activity involving IOX, GOST, or Wstunnel.

Threat Hunting:
Search for indicators associated with ShadowPad, Noodle RAT, and related tooling.


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.