Back to Intelligence

SHADOW-EARTH-053: China-Linked Espionage Campaign — Detection & Defense Guide

SA
Security Arsenal Team
May 1, 2026
6 min read

Cybersecurity intelligence is not just about knowing what is happening; it is about knowing what is coming for you. Trend Micro has released a critical advisory regarding a China-aligned threat cluster they have designated as SHADOW-EARTH-053. This actor is not conducting indiscriminate financially motivated operations; they are executing a precise, espionage-focused campaign targeting government and defense sectors across South, East, and Southeast Asia, with spillover into a NATO member state.

For defenders in the public sector, defense industrial base, and journalism, this is a high-fidelity signal to increase your defensive posture immediately. We are dealing with a sophisticated adversary focused on data exfiltration and long-term persistence.

Technical Analysis

Threat Actor Profile

  • Designation: SHADOW-EARTH-053
  • Attribution: China-aligned (Assessed with high confidence by Trend Micro)
  • Motivation: Espionage, Intelligence Gathering
  • Targets: Government agencies, Defense contractors, Journalists, Activists.

Infrastructure and Methods

While specific CVEs were not the primary vector highlighted in the initial disclosure, SHADOW-EARTH-053 utilizes a "living-off-the-land" (LotL) approach combined with custom web shells to blend into normal traffic.

  • Web Shell Deployment: The actor is known to compromise vulnerable internet-facing web servers (IIS/Apache) to deploy web shells. These shells act as the initial beachhead for C2 (Command and Control).
  • Credential Access: Once inside the perimeter, the group utilizes tools like Mimikatz and custom dumpers to harvest credentials for lateral movement.
  • Data Exfiltration: Data is staged locally and exfiltrated using protocols that masquerade as standard web traffic (HTTPS) to evade DLP inspection.

Exploitation Status

  • Status: Confirmed Active Exploitation (In-the-wild).
  • Risk: Critical for government entities. The risk lies not necessarily in a single unpatched zero-day, but in the abuse of misconfigurations and the theft of valid credentials, which bypasses standard authentication controls.

Detection & Response

Given the stealthy nature of SHADOW-EARTH-053, detection relies heavily on identifying anomalies in process execution and network connections rather than just simple signature matching. The following rules are designed to catch the behavioral patterns associated with this actor's TTPs (Tactics, Techniques, and Procedures).

SIGMA Rules

YAML
---
title: Suspicious Parent-Child Process Pair (Word/Excel spawning PowerShell)
id: 3d1f1f8e-5e6b-4b8a-9e1c-1a2b3c4d5e6f
status: experimental
description: Detects suspicious process execution where an Office application spawns a PowerShell instance, a common technique used in spear-phishing documents associated with SHADOW-EARTH-053.
references:
  - https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  filter:
    CommandLine|contains: 'C:\Program Files\'
falsepositives:
  - Legitimate macro usage for business automation (rare)
level: high
---
title: Potential Web Shell Activity via IIS Worker Process
id: 7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
status: experimental
description: Detects suspicious command execution spawned by the IIS worker process (w3wp.exe), indicative of web shell exploitation often used by SHADOW-EARTH-053.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.persistence
  - attack.t1505.003
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\whoami.exe'
      - '\net.exe'
falsepositives:
  - Legitimate server management scripts
level: critical
---
title: Suspicious Certutil Download Usage
id: 9e0f1a2b-3c4d-5e6f-7a8b-9c0d1e2f3a4b
status: experimental
description: Detects the use of certutil to download files from the internet, a common LOLBin used for staging payloads.
references:
  - https://attack.mitre.org/techniques/T1105/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    CommandLine|contains: 'urlcache'
    CommandLine|contains: 'fetch'
falsepositives:
  - Administrative troubleshooting (rare)
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for SHADOW-EARTH-053 TTPs: Suspicious PowerShell and Child Processes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'w3wp.exe')
| where FileName in~ ('powershell.exe', 'cmd.exe', 'certutil.exe', 'powershell_ise.exe')
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessAccountName, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes spawned by IIS w3wp.exe or Office apps that execute shell commands
SELECT Pid, Name, CommandLine, Exe, Parent.Pid AS ParentPid, Parent.Name AS ParentName, Username, CreateTime
FROM pslist()
WHERE Parent.Name =~ "w3wp.exe" OR Parent.Name =~ "WINWORD.EXE" OR Parent.Name =~ "EXCEL.EXE"
  AND (Name =~ "cmd.exe" OR Name =~ "powershell.exe")

Remediation Script (PowerShell)

This script assists in identifying potential persistence mechanisms often left behind by espionage actors.

PowerShell
<#
.SYNOPSIS
    Audit for Suspicious Scheduled Tasks and Services.
.DESCRIPTION
    Checks for scheduled tasks or services running with suspicious binaries or in unusual paths,
    common indicators of persistence from actors like SHADOW-EARTH-053.
#>

Write-Host "[+] Initiating Persistence Audit..." -ForegroundColor Cyan

# Check for Scheduled Tasks running PowerShell with encoded commands
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Actions.Execute -like '*powershell*' -and $_.Actions.Arguments -like '*-e*' -or $_.Actions.Arguments -like '*-enc*' }

if ($suspiciousTasks) {
    Write-Host "[!] WARNING: Found Scheduled Tasks with encoded PowerShell commands:" -ForegroundColor Red
    $suspiciousTasks | ForEach-Object { Write-Host "Task: $($_.TaskName) - Command: $($_.Actions.Execute) $($_.Actions.Arguments)" }
} else {
    Write-Host "[+] No suspicious Scheduled Tasks detected." -ForegroundColor Green
}

# Check for Services with unsigned or suspicious binaries in user directories
Write-Host "[+] Checking Service Path Integrity..."
$suspiciousServices = Get-WmiObject Win32_Service | Where-Object { 
    $_.PathName -match 'C:\Users\' -or $_.PathName -match 'C:\Temp\' -or $_.PathName -match '\\recycle\' 
}

if ($suspiciousServices) {
    Write-Host "[!] WARNING: Found Services running from user/temp directories:" -ForegroundColor Red
    $suspiciousServices | ForEach-Object { Write-Host "Service: $($_.DisplayName) - Path: $($_.PathName)" }
} else {
    Write-Host "[+] No suspicious Service paths detected." -ForegroundColor Green
}

Remediation

Immediate containment and eradication are required if SHADOW-EARTH-053 indicators are found within your environment.

  1. Isolate Affected Systems: Immediately disconnect suspected hosts from the network to prevent lateral movement. Do not shut down the system; perform a memory capture first for forensic analysis.
  2. Credential Reset: Assume all credentials on compromised systems are compromised. Force a password reset for all accounts, especially privileged ones, that have logged into those machines within the last 90 days.
  3. Web Server Hardening: Audit internet-facing web servers. Remove unnecessary extensions, disable unused ISAPI extensions (for IIS), and apply the latest security patches. Review logs for unauthorized file uploads (POST requests to upload directories).
  4. Hunt for Web Shells: Utilize tools like Microsoft's "IIS Antispy" or run a scan comparing current web content against a known-good baseline (e.g., from a git repository).
  5. Review Proxy Logs: Look for beaconing activity—consistent, rhythmic outbound HTTPS connections to domains with recent registration or high entropy domain names.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchshadow-earth-053aptespionage

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action