Shadow-Earth-054
SHADOW-EARTH-054 is a related China-aligned intrusion cluster observed in connection with SHADOW-EARTH-053. Reporting describes substantial overlap in victimology, tooling, infrastructure, and tradecraft between the two clusters. SHADOW-EARTH-054 exploited the same vulnerable internet-facing Microsoft Exchange and IIS entry points, including the ProxyLogon chain, and in multiple cases compromised organizations months before the ShadowPad deployment associated with SHADOW-EARTH-053. The cluster shared identical tool hashes and overlapping TTPs with SHADOW-EARTH-053, including web-shell-based persistence on vulnerable IIS or Exchange servers; identical hashes were specifically noted for tools such as Evil-CreateDump and IOX Proxy. In three recent cases, a malicious loader family was attributed to SHADOW-EARTH-054. Nearly half of the observed SHADOW-EARTH-053 victims were also compromised by SHADOW-EARTH-054, particularly in Malaysia, Sri Lanka, and Myanmar. The reporting also notes network overlaps between SHADOW-EARTH-054 and activity tracked by other vendors as CL-STA-0049, REF7707, and Earth Alux. Although the overlap suggests aligned Chinese intelligence priorities and a shared operational ecosystem among China-aligned espionage actors, the reporting explicitly states that no evidence of direct operational coordination between SHADOW-EARTH-054 and SHADOW-EARTH-053 was observed. No aliases beyond SHADOW-EARTH-054 / Shadow-Earth-054 are directly provided in the reporting.
Tradecraft
5 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.
The years-old ProxyLogon (CVE-2021-26855), which can be chained with other Microsoft Exchange Server bugs (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to achieve remote code execution, is a favorite. Salt Typhoon and other Chinese government snoops also abused ProxyLogon to breach critical US networks back in 2021, when it was first disclosed, and it's remained a top-exploited vulnerability ever since.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Related China-aligned intrusion cluster overlapping with SHADOW-EARTH-053 in victimology, initial access, web shell deployment, IOX Proxy usage, Evil-CreateDump hashes, geography, and infrastructure; assessed as independently exploiting similar exposed environments rather than directly coordinating.
A related intrusion set overlapping with SHADOW-EARTH-053, with activity often preceding ShadowPad deployment and sharing identical tool hashes and overlapping TTPs.
Related intrusion set observed compromising some of the same targets as SHADOW-EARTH-053, especially in Malaysia, Sri Lanka, and Myanmar.
Related China-aligned activity cluster overlapping with SHADOW-EARTH-053, sharing identical tool hashes and attack methods in intrusions against the same victim organizations.