The China-aligned hacking cluster SHADOW-EARTH-053 has compromised the governments of eight countries, including Pakistan, India, Malaysia, Myanmar and a NATO member, using the ShadowPad backdoor. Trend Micro's explosive research reveals the depths of this silent war.
The Silent Attack: Hidden and Persistent
If you thought China's cyber program only targets the US, a Trend Micro report dated April 30, 2026 will change that thinking forever. Cybersecurity researchers Daniel Lunghi and Lucas Silva uncovered an operation that has been going on since December 2024, run by a China-aligned hacker group and involving Pakistan, India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan and a European NATO member. In their networks. On their email servers. In their government databases. For months. And no one knew a thing.
Trend Micro has named this operation SHADOW-EARTH-053, a China-aligned threat cluster that has been active since December 2024 and is targeting government entities and critical infrastructure in South, East and Southeast Asia, with a European NATO government also under attack.
What sets this operation apart from other Chinese hacking is that the attackers did not use a zero-day or display superhuman skills. Quite the opposite: they used the ProxyLogon vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), well-known flaws in Microsoft Exchange for which patches have been available for years. But thousands of organizations around the world still run unpatched Exchange servers, and that makes them easy targets.
This operation is a painful reminder that the most successful state-sponsored hacks do not happen through high-tech magic; they exploit organizations' laziness and carelessness. Old vulnerabilities, unpatched servers and a patient attacker who can linger for months: that is China's real cyber weapon.
After initial access, SHADOW-EARTH-053 deploys GODZILLA web shells that maintain persistent remote access and command execution. This is the route through which the ShadowPad backdoor is then delivered, via AnyDesk. It is important to understand ShadowPad. This is not a simple RAT; it is a modular malware family first used by APT41 in the NetSarang software supply chain attack in 2017, and it has been shared among multiple Chinese APT groups since 2019.
Its plugins include keylogging, screenshot capture, file retrieval and network tunneling; the encrypted payload is decoded only in memory, leaving nothing detectable on disk. The method of loading ShadowPad in this campaign was particularly clever: the attackers used a DLL sideloading technique, placing a malicious DLL alongside a legitimate signed executable.
The abused executables included tools from Toshiba, Samsung and Microsoft, renamed to blend into normal system activity. And the ShadowPad payload was not stored in the DLL: the loader retrieved it in encrypted form from a machine-specific registry key under HKEY_CURRENT_USER\Software. To maintain persistence, a scheduled task named M1onloader was created that ran every 5 minutes with the highest available privileges. Imagine a task in Windows Task Scheduler that fires every five minutes with the highest admin privileges, running a legitimate tool from Toshiba, and no alert, no red flag and no detection.
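The persistence pattern just described (a scheduled task repeating every few minutes, running at the highest available privilege level, launching a renamed vendor tool from an unusual directory) is something a defender can hunt for by reviewing exported task definitions. The following script is an added example written for this article, not code from Trend Micro or from the report; it parses the XML produced by Windows Task Scheduler exports (for instance via schtasks /query /tn <name> /xml) and scores each task on those three indicators. The sample task definitions, the placeholder executable path and the benign task name are constructed for the example; only the task name M1onloader comes from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories where legitimately installed software normally lives. A signed vendor
# tool executing from anywhere else deserves a second look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def iso_duration_seconds(text):
    """Convert a Task Scheduler repetition interval such as 'PT5M' or 'P1DT2H'
    (ISO 8601 duration restricted to days/hours/minutes/seconds) to seconds.
    Returns None when the value is missing or not in that form."""
    if not text:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyse_task(xml_text, max_interval=600):
    """Return the list of indicators found in one exported task definition:
    a short repetition interval, the HighestAvailable run level, and an action
    whose executable lives outside the standard program directories."""
    root = ET.fromstring(xml_text)
    indicators = []

    intervals = [iso_duration_seconds(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]
    if intervals and min(intervals) <= max_interval:
        indicators.append(f"repeats every {min(intervals)} seconds")

    if any((e.text or "").strip() == "HighestAvailable"
           for e in root.findall(".//t:Principal/t:RunLevel", TASK_NS)):
        indicators.append("runs with highest available privileges")

    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip().strip('"')
        if path and not path.lower().startswith(TRUSTED_DIRS):
            indicators.append(f"executable outside standard program directories: {path}")
    return indicators


def suspicious_tasks(tasks, min_indicators=2):
    """tasks maps task name -> exported XML. A task is reported only when at least
    min_indicators coincide, so ordinary short-interval maintenance tasks that run
    from Program Files with least privilege do not flood the result."""
    report = {}
    for name, xml_text in tasks.items():
        found = analyse_task(xml_text)
        if len(found) >= min_indicators:
            report[name] = found
    return report


# Constructed sample exports (not real data): one ordinary daily updater and one
# task modelled on the persistence described above. The executable path and the
# name of the renamed vendor tool are placeholders; the article names only vendors.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command></Exec></Actions>
</Task>"""

PERSISTENCE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2024-12-01T00:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\ProgramData\\Cache\\RENAMED-VENDOR-TOOL.exe</Command></Exec></Actions>
</Task>"""

SAMPLE_TASKS = {"Constructed-Benign-Update": BENIGN_TASK, "M1onloader": PERSISTENCE_TASK}

if __name__ == "__main__":
    for name, found in suspicious_tasks(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(found))
```

Requiring two indicators to coincide is the point of the design: plenty of legitimate tasks repeat every few minutes, and plenty run elevated, but a short-interval, elevated task whose binary sits in ProgramData or a user profile is rare enough to triage by hand, and the signed vendor executable it launches does not make it any less suspicious.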
Another shocking detail in the campaign: nearly half the targets had already been compromised by SHADOW-EARTH-054, a related cluster that uses similar tool hashes and overlapping tactics. In Malaysia, Sri Lanka and Myanmar in particular, both clusters targeted the same organizations; SHADOW-EARTH-054 came first, and ShadowPad was deployed later.
This pattern suggests either that the two groups are sharing information, or that an access broker model is in place, in which one group creates the initial access breaches and the other exploits them. Trend Micro describes this Premier Pass model in its research on collaborative tactics, in which Chinese APT groups sell or share compromised network access with each other, effectively creating an underground access marketplace. This model explains why some APT groups have seemingly gone dark: they may not have shut down but are operating via shared infrastructure.
ShadowPad, NATO, Journalists and Activists: A Global Silent Cyber War
At the same time that SHADOW-EARTH-053 was hacking governments in Asia, a separate China-linked group, TA416, also known as Mustang Panda, had been targeting EU and NATO diplomatic missions in Europe since mid-2025, deploying the PlugX backdoor via DLL sideloading.
TA416 repeatedly changed its infection chain, abusing Cloudflare Turnstile challenge pages and Microsoft Entra ID OAuth redirects and using C# project files, but the goal was the same: to load PlugX into memory. And another dimension is running parallel to all of this: CCP-linked hackers are targeting journalists and dissidents globally.
Joint research by ICIJ and Citizen Lab confirmed that attackers impersonating journalists are targeting ICIJ-affiliated reporters, Taiwanese political figures, Uyghur activists, Tibetan communities and Hong Kong dissidents via email, LINE messaging and cloned websites. Paris-based activist Jiang Shengda reported receiving two to four phishing emails daily after the ICIJ's China Targets report was published. This is coordinated suppression, an extension of physical intimidation through digital tools.
In 2026, Chinese state-sponsored hackers are hiding inside the networks they breached years ago, and most of the victims are still unknown. Salt Typhoon, which was behind the 2024 US telecom hack, is still active on US networks. In February 2026, a separate China-linked campaign hit more than 50 telecoms and government agencies in 42 countries while hiding inside Google Sheets.
Singapore disclosed that a China-linked group breached all four of its major telecom providers. This is not ransomware that encrypts systems and makes noise. This is an Advanced Persistent Threat (APT) that lurks for literally years, remaining quiet and patient and continuously exfiltrating data. By the time it is detected, the damage is already maximal.
SHADOW-EARTH-053's defense evasion techniques are also next-level: the RingQ packer, domain names that mimic security products or DNS themes, net.exe and PowerShell tools renamed to randomized log filenames, and Linux NoodleRAT samples controlled by Office365-themed domains. This is experimentation with cross-platform espionage tooling.
Any organization that uses Microsoft Exchange or IIS, especially in Asia and the allied states, is a potential victim. Audit patch levels, enable web shell detection and monitor outbound traffic from Exchange servers. If you have not applied the 2021 patches yet, do so after reading this article, because SHADOW-EARTH-053 proved that unpatched servers are still low-hanging fruit in 2026, and it does not take a genius to reach them.
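One concrete form of the "enable web shell detection" advice, for teams that have nothing but the IIS logs of their Exchange front end: a web shell dropped after ProxyLogon-style exploitation shows up as a server-side script path that never existed before and that immediately starts answering POST requests with 200. The script below is an added example written for this article, not Trend Micro's tooling; it parses the W3C extended log format that IIS writes, compares the URI stems against a baseline of paths seen in an earlier period, and reports new script resources that successfully served POSTs. The log excerpt, the baseline set, the client addresses and the file name constructed_shell.aspx are all constructed for the example.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt for an Exchange front end (not real data).
# The '#Fields:' line names the columns exactly as a real IIS log does; the
# addresses, timestamps and the odd .aspx name are made up for the example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-03-01 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 192.0.2.10 200
2025-03-01 08:00:04 10.0.0.5 POST /owa/auth.owa - 443 192.0.2.10 302
2025-03-01 08:01:10 10.0.0.5 GET /ecp/default.aspx - 443 192.0.2.11 200
2025-03-01 08:02:30 10.0.0.5 POST /owa/auth/constructed_shell.aspx - 443 198.51.100.7 200
2025-03-01 08:02:31 10.0.0.5 POST /owa/auth/constructed_shell.aspx - 443 198.51.100.7 200
2025-03-01 08:03:00 10.0.0.5 GET /owa/auth/missing.aspx - 443 198.51.100.9 404
"""

# Baseline: URI stems observed in the period before the hunt window. Constructed
# here; in practice it is built from the same server's earlier logs, lower-cased.
BASELINE_STEMS = {"/owa/auth/logon.aspx", "/owa/auth.owa", "/ecp/default.aspx"}

# Extensions that IIS hands to a script engine rather than serving as static files.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")


def parse_iis_log(text):
    """Parse W3C extended log lines into dicts keyed by the names in '#Fields:'.
    Directive lines start with '#'; a new '#Fields:' line resets the column layout."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_new_script_stems(records, baseline):
    """Return {stem: {"posts": n, "clients": set}} for script paths absent from the
    baseline that successfully served at least one POST. A fresh .aspx that only
    receives POSTs and answers 200 is the classic shape of a web shell in use."""
    hits = defaultdict(lambda: {"posts": 0, "clients": set()})
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXTENSIONS) or stem in baseline:
            continue
        if r["cs-method"] == "POST" and r["sc-status"] == "200":
            hits[stem]["posts"] += 1
            hits[stem]["clients"].add(r["c-ip"])
    return dict(hits)


if __name__ == "__main__":
    for stem, info in find_new_script_stems(parse_iis_log(SAMPLE_LOG), BASELINE_STEMS).items():
        print(f"{stem}: {info['posts']} POSTs from {sorted(info['clients'])}")
```

The baseline is what makes this usable on a busy Exchange server: the legitimate application paths are numerous but stable, so anything script-like that appears for the first time during the hunt window is a short list to review. A 404 for an unknown .aspx (scanning noise) is deliberately ignored; only paths the server actually executed are reported. Pair the output with the file's creation time on disk and with outbound connections from the Exchange host, as the article recommends.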