📃Title: Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia
📅Date: 2026-04-30
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer="Trend-Micro"
  • country="china"
  • malpedia="ShadowPad"
  • target-information="India"
  • target-information="Malaysia"
  • target-information="Myanmar"
  • target-information="Pakistan"
  • target-information="Sri Lanka"
  • target-information="Taiwan"
  • target-information="Thailand"
  • malpedia="iox"
  • malpedia="Vshell"
  • malpedia="Nood RAT"
  • mitre-attack-pattern=[]

MISP event uuid: 327326e7-354a-45ba-b25e-363984f01010

Indicators of Compromise (IoCs)


Full IOCs available in Rectifyq’s MISP