
Inside SHADOW-EARTH-053: China’s Quiet Campaign Against Asia’s Defense Ministries


Trend Micro published research this week on a China-aligned APT cluster they're calling SHADOW-EARTH-053. It's been active since at least December 2024, and the target list is a who's who of governments that Beijing has strategic reasons to monitor.

Who they hit

Government and defense sectors across seven countries: Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. Plus one European NATO member: Poland.

That's a wide geographic spread, but it's not random. These are countries in active diplomatic or territorial tension with China, countries that sit on critical Belt and Road infrastructure chokepoints, and countries that host US defense partnerships that Beijing wants visibility into.

How they got in

The attack chain starts with exploitation of known CVEs: unpatched systems are the entry point. From there they drop Godzilla web shells. If you haven't dealt with Godzilla before: it's a Java-based web shell with a plugin architecture that supports command execution, file management, and network tunneling. It's been used by multiple China-aligned groups and is a reliable persistence mechanism.

From the web shell foothold, they pivot to the actual payload: ShadowPad, delivered via AnyDesk. ShadowPad is a modular backdoor with a long history in China-aligned espionage operations, the successor to PlugX in several tracked groups' toolchains. By routing it through AnyDesk (a legitimate remote access tool), traffic blends into normal administrative activity.

The second cluster problem

Here's the interesting part. A related intrusion set, SHADOW-EARTH-054, compromised roughly half the same targets, specifically in Malaysia, Sri Lanka, and Myanmar, before SHADOW-EARTH-053 arrived. Trend Micro observed no direct operational coordination between the two clusters.

That's worth sitting with. Two distinct China-aligned groups, independently tasked against some of the same targets, with no apparent coordination. The most likely explanation is parallel collection requirements from different PRC intelligence organs: the PLA's cyber units and the MSS have historically operated in parallel on the same targets. It could also suggest an access-broker arrangement where initial access is sold or shared across clusters, similar to the IT/OT access-broker dynamic Dragos documented in the OT sector.

Either way: if you were compromised by SHADOW-EARTH-054, you may also have SHADOW-EARTH-053 in the same environment, and vice versa.

What you can do about it

Patch your internet-facing systems. Seriously. The initial access vector is known CVEs on unpatched hosts. That's table stakes. Beyond that:

  • Look for AnyDesk processes spawned by web server processes or uncommon parent processes
  • Audit for Godzilla web shell artifacts on your web servers (Java-based, often drops as a .jsp or .jspx file in web-accessible directories)
  • Correlate AnyDesk traffic against your asset inventory; AnyDesk connections that don't originate from known administrator machines are a red flag
  • Check for ShadowPad indicators of compromise in your EDR telemetry; most modern endpoint tools have signatures
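As an added example (not code from the Trend Micro research or from this post), here is a small Python hunt that implements the first and third bullets over constructed Sysmon-style process-creation events: it flags AnyDesk launched by a web server or servlet container parent (the web-shell-to-AnyDesk pivot described above) and AnyDesk running on hosts outside the administrator inventory. The parent-process list, host names and paths are assumptions.

```python
import json
import re

# Web servers and servlet containers: the parents a Godzilla-style web shell runs under.
# Assumed list; extend it with whatever serves your web tier (e.g. tomcat9.exe on Windows).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "httpd.exe", "nginx", "tomcat9.exe", "java", "java.exe"}
ANYDESK_IMAGES = {"anydesk.exe", "anydesk"}

def basename(path: str) -> str:
    """Last path component, tolerant of both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def check_event(event: dict, admin_hosts: set) -> list:
    """Return the reasons a process-creation event matches the hunt; [] means clean."""
    reasons = []
    if basename(event.get("Image", "")) not in ANYDESK_IMAGES:
        return reasons  # only AnyDesk launches are of interest here
    parent = basename(event.get("ParentImage", ""))
    if parent in WEB_SERVER_PARENTS:
        reasons.append("AnyDesk spawned by web server process " + parent)
    if event.get("Computer", "").upper() not in admin_hosts:
        reasons.append("AnyDesk on host outside administrator inventory")
    return reasons

def hunt(lines, admin_hosts: set) -> list:
    """Run check_event over JSON log lines; returns (host, reasons) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = check_event(event, admin_hosts)
        if reasons:
            hits.append((event.get("Computer", "?"), reasons))
    return hits

# Constructed sample telemetry (Sysmon Event ID 1 style fields), not real logs.
SAMPLE_LINES = [
    r'{"Computer":"WEB01","Image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe"}',
    r'{"Computer":"ADMIN-PC","Image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
    r'{"Computer":"APP02","Image":"/opt/anydesk/anydesk","ParentImage":"/usr/lib/jvm/java-17/bin/java"}',
    r'{"Computer":"WEB01","Image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}',
]
ADMIN_HOSTS = {"ADMIN-PC"}  # assumed inventory of machines allowed to run AnyDesk

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_LINES, ADMIN_HOSTS):
        print(host, "->", "; ".join(reasons))
```

Feed it an export of your EDR's process-creation events instead of SAMPLE_LINES; the WEB01 and APP02 samples are the two patterns worth escalating.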

For organizations in the affected geographies, especially government, defense, telco, and energy, this is a priority threat hunt item. Passive detection isn't enough for a group that's been in your network since December 2024.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge, cybersecurity intelligence from Georgia.
