What Happened
Trend Micro published a detailed analysis of a China-aligned cyber espionage campaign it tracks as SHADOW-EARTH-053, active since at least December 2024. The group targets government and defense sectors across South, East, and Southeast Asia — along with at least one European government belonging to NATO.
The campaign’s entry point is N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers. The attackers rely heavily on the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) — vulnerabilities disclosed and patched in 2021 that remain unpatched across a significant number of enterprise and government deployments globally. Once inside, SHADOW-EARTH-053 deploys GODZILLA web shells to maintain persistent access, then stages the ShadowPad backdoor through DLL sideloading of legitimate signed executables. Victims include government ministries, defense-adjacent contractors, and transportation organizations across at least eight countries. The full research is available from The Hacker News and Trend Micro.
Why This Matters for Canadian Organizations
Canada is a NATO member and a Five Eyes intelligence partner — two designations that consistently place Canadian government systems and defense contractors in the targeting profile of China-aligned threat actors. The SHADOW-EARTH-053 disclosure follows the April 2026 joint advisory AA26-113A, co-signed by the Canadian Centre for Cyber Security, warning that Chinese-nexus actors route operations through compromised edge devices to target allied governments.
The particular concern for Canadian organizations is the campaign’s reliance on long-known but still-unpatched vulnerabilities. ProxyLogon was disclosed and patched in March 2021. If your on-premises Exchange or IIS infrastructure has not been fully patched across that entire chain, SHADOW-EARTH-053 TTPs are directly applicable to your environment. Canadian federal departments, provincial governments, Crown corporations, and DND contractors using on-premises Exchange deployments should treat this disclosure as an active audit trigger — not as an overseas concern.
ShadowPad is a modular backdoor associated with multiple Chinese state-sponsored clusters and is designed for long-term access and quiet data collection. Organizations compromised by ShadowPad typically do not detect the intrusion until months after initial access.
What to Do
Verify your Exchange and IIS patch status against the ProxyLogon chain immediately. If any server in your environment is running a version released before the March 2021 patch cycle, treat it as potentially compromised and initiate a forensic review. Deploy or review your EDR coverage on Exchange servers, paying particular attention to DLL sideloading via AnyDesk or similar remote access tools. Hunt for GODZILLA web shell indicators in IIS access logs. Review outbound connections from Exchange and IIS hosts for unusual patterns to external infrastructure. Report confirmed or suspected compromise to the Canadian Centre for Cyber Security at cyber.gc.ca.
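One way to start the IIS access-log hunt described above, as an added example that is not part of this advisory or of Trend Micro's research: a Python triage script that parses IIS W3C logs using the #Fields directive and groups POST requests to .aspx resources that are not on a known-good baseline, which is the request shape a web shell produces regardless of its name. The baseline set, the sample log lines, the client addresses and the help.aspx path are constructed for illustration and are not indicators from the report.

```python
from collections import defaultdict

# Constructed sample IIS W3C log (not real indicators). The parser reads the column
# layout from the #Fields directive instead of hard-coding positions.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-10 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2025-01-10 08:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 10.0.0.21 Mozilla/5.0 - 302 0 0 45
2025-01-10 08:01:15 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 30
2025-01-10 08:01:16 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 31
2025-01-10 08:01:18 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 28
2025-01-10 08:02:00 10.0.0.5 GET /ecp/default.aspx - 443 admin 10.0.0.30 Mozilla/5.0 - 200 0 0 90
"""

# Constructed baseline of .aspx endpoints that legitimately receive POSTs; in practice
# build it from a known-good Exchange host of the same build, not from the suspect one.
BASELINE_POST_TARGETS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

def parse_iis_w3c(text):
    """Yield one dict per request record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):  # drop malformed records instead of misaligning columns
            yield dict(zip(fields, parts))

def find_suspicious_aspx_posts(text, baseline=BASELINE_POST_TARGETS):
    """Group POSTs to .aspx paths outside the baseline by (client IP, path), busiest first."""
    hits = defaultdict(lambda: {"count": 0, "user_agents": set(), "statuses": set()})
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST" or not stem.endswith(".aspx") or stem in baseline:
            continue
        hit = hits[(rec.get("c-ip", "-"), stem)]
        hit["count"] += 1
        hit["user_agents"].add(rec.get("cs(User-Agent)", "-"))
        hit["statuses"].add(rec.get("sc-status", "-"))
    return [{"c-ip": ip, "path": stem, "count": h["count"],
             "user_agents": sorted(h["user_agents"]), "statuses": sorted(h["statuses"])}
            for (ip, stem), h in sorted(hits.items(), key=lambda kv: -kv[1]["count"])]

if __name__ == "__main__":
    for finding in find_suspicious_aspx_posts(SAMPLE_LOG):
        print(finding)
```

Confirm every hit on disk (file creation time, and whether the file belongs to the installed Exchange build) before treating it as a web shell; legitimate endpoints missing from the baseline will also surface until the baseline is tuned.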