#shadowpad — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #shadowpad, aggregated by home.social.
-
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia
A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...
Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault
-
SHADOW-EARTH-053: the Chinese APT campaign spying on Asian governments, NATO and Cuban diplomats
Trend Micro has exposed SHADOW-EARTH-053, a China-aligned APT group active since December 2024 that has hit governments and defense contractors in Pakistan, India, Malaysia, Taiwan and Poland. In parallel, a related operation breached the emails of 68 Cuban diplomats in Washington by exploiting unpatched Exchange servers. Technical analysis of ShadowPad, the Godzilla webshell, CVE-2025-55182 and the implications for defenders.
-
#CheckPoint Research revealed a sophisticated wave of attacks attributed to the Chinese #threat actor #InkDragon, which targets European governments while continuing campaigns in Southeast Asia and South America. The threat actor converts compromised #IIS servers into relay nodes with #ShadowPad, exploits predictable configuration keys for access, and deploys a new #FinalDraft #backdoor for exfiltration and lateral movement.
https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/
-
Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation
#InkDragon #ShadowPad #CDBLoader #LalsDumper #FINALDRAFT
https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/
-
Threat actors are actively exploiting CVE-2025-59287 in WSUS to deploy ShadowPad.
ASEC notes the attackers used PowerCat for shell access, then fetched and installed ShadowPad with certutil/curl, executing it through DLL side-loading.
How are you securing WSUS or other update infrastructure in your environment?
💬 Share your insights
⭐ Follow TechNadu for timely threat intel
#infosec #WSUS #ShadowPad #CVE2025 #malware #threatintel #sysadmin #DFIR #TechNadu
-
Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs
#SentinelOne discovered the campaign when they tried to hit the #security vendor's own servers
In their report, they describe a series of intrusions between July 2024 and March 2025 involving #ShadowPad #malware and post-exploitation espionage activity that SentinelOne has dubbed "#PurpleHaze", publicly reported as #APT15 and #UNC5174, and they're blaming #China.
https://www.theregister.com/2025/06/09/china_malware_flip_switch_sentinelone/
-
Chinese Espionage Crews Circle SentinelOne in Year-Long Reconnaissance Campaign https://www.securityweek.com/chinese-espionage-crews-circle-sentinelone-in-year-long-reconnaissance-campaign/ #IncidentResponse #Malware&Threats #SentinelLabs #NationState #SentinelOne #PurpleHaze #Shadowpad #APT41 #China
-
State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure
#Gamaredon #RedFoxtrot #ShadowPad
https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad
-
Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines – Source: www.securityweek.com https://ciso2ciso.com/chinese-apt-tools-found-in-ransomware-schemes-blurring-attribution-lines-source-www-securityweek-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Malware&Threats #securityweekcom #securityweek #NationState #Cybercrime #ransomware #TrendMicro #Shadowpad #ChinaAPT #symantec #APT41 #PlugX
-
Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines https://www.securityweek.com/chinese-apt-tools-found-in-ransomware-schemes-blurring-attribution-lines/ #Malware&Threats #NationState #Cybercrime #ransomware #TrendMicro #Shadowpad #ChinaAPT #Symantec #APT41 #PlugX