
Shadow Earth 053 Exploits Exchange Servers

May 6, 2026

Shadow Earth 053 is exploiting unpatched Exchange and IIS servers to deploy ShadowPad, web shells, and stealthy espionage tools.

Introduction

Microsoft Exchange Server remains one of the most attractive targets in enterprise cybersecurity.

It holds email, authentication paths, internal communications, organizational metadata, mailbox access, and sometimes sensitive business or government records. When an Exchange server is exposed to the internet and left unpatched, it becomes more than an email server.

It becomes an entry point.

That is exactly what researchers observed in the SHADOW-EARTH-053 campaign.

SHADOW-EARTH-053 is a newly tracked China-aligned intrusion set conducting cyberespionage against government entities, critical infrastructure, defense-linked organizations, technology firms, transportation targets, and at least one NATO member state.

The campaign is especially concerning because it relies on old but still effective vulnerabilities.

The attackers are exploiting known Microsoft Exchange and IIS weaknesses, including the ProxyLogon vulnerability chain:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

These flaws have been known and patched for years.

Yet they continue to work against organizations that run legacy, exposed, or poorly maintained Exchange infrastructure.

That is the uncomfortable lesson.

Attackers do not always need new vulnerabilities.

Sometimes, they only need organizations to leave old ones unfixed.

What Happened

Researchers identified a China-aligned cyberespionage campaign tracked under the temporary designation SHADOW-EARTH-053.

The group has reportedly been active since at least December 2024 and has targeted organizations across at least eight countries. Most observed targeting focused on South, East, and Southeast Asia, with additional activity against a European government belonging to NATO.

The campaign primarily targets:

  • Government entities
  • Critical infrastructure organizations
  • Defense-linked organizations
  • IT consulting firms serving government clients
  • Technology companies
  • Transportation sector entities

The attackers gain initial access by exploiting N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers.

N-day vulnerabilities are not zero-days. They are publicly known flaws that already have patches available. The problem is that many organizations remain exposed because systems are outdated, unsupported, misconfigured, or not fully patched.

In this campaign, the attackers specifically used the ProxyLogon chain affecting Microsoft Exchange Server.

After compromising the server, the attackers deploy web shells such as GODZILLA. These web shells provide persistent command execution and allow the attackers to maintain access to the compromised environment.

From there, SHADOW-EARTH-053 deploys ShadowPad, a modular backdoor associated with multiple China-aligned threat groups.

The attackers also use a mix of post-exploitation tools and living-off-the-land techniques, including:

  • IOX Proxy
  • WMIC
  • Mimikatz
  • Evil-CreateDump
  • PowerView
  • csvde.exe
  • DomainMachines.exe
  • GOST
  • Wstunnel
  • Scheduled task persistence
  • DLL sideloading through legitimate signed executables

This combination gives the attackers stealth, persistence, credential access, lateral movement capability, and covert communication channels.

Why This Issue Is Critical

This issue is critical because it shows how old Exchange vulnerabilities remain useful to advanced threat actors.

The ProxyLogon chain was heavily discussed in 2021. Many organizations patched quickly. Others did not.

The result is a long tail of exposure.

Internet-facing Exchange servers remain valuable because they often sit close to identity systems, email infrastructure, Active Directory, internal routing, and sensitive communications.

Once compromised, attackers can use them to:

  • Deploy persistent web shells
  • Access mailbox data
  • Enumerate users and groups
  • Harvest credentials
  • Discover internal servers
  • Move laterally
  • Stage malware
  • Maintain covert access
  • Exfiltrate sensitive data
  • Support long-term espionage

Based on the reporting, this campaign is not financially motivated ransomware activity.

It is assessed as cyberespionage and possible intellectual property theft.

That changes the risk profile.

Ransomware attackers often make noise quickly.

Espionage actors may remain quiet for months.

They want persistence, intelligence, and long-term access.

That makes detection harder and the damage more difficult to measure.

What Caused the Issue

The campaign was enabled by a combination of unpatched Exchange and IIS servers, exposed internet-facing services, weak detection coverage, and poor post-compromise validation.

Several root causes stand out.

Unpatched Exchange Servers

The attackers exploited known Microsoft Exchange vulnerabilities, including the ProxyLogon chain.

These vulnerabilities have long had available patches, but they remain effective in environments that have not fully remediated them.

Internet-Facing IIS and Exchange Exposure

Public-facing servers are high-value targets.

If they run outdated software or expose vulnerable paths, attackers can establish initial access remotely.

Legacy Infrastructure

Older Exchange deployments may be difficult to patch because of compatibility concerns, lack of ownership, business dependency, or poor asset inventory.

That makes them attractive targets.

Web Shell Persistence

After exploitation, attackers deploy web shells in Exchange and IIS directories.

These files may blend into normal web paths and allow continued command execution.

Insufficient File Integrity Monitoring

Organizations may not detect newly created .aspx, .ashx, or similar web shell files in sensitive directories.

Weak Post-Exploitation Detection

Attackers used IIS worker processes, WMIC, PowerView, Mimikatz, and other tools for reconnaissance and credential access.

If defenders are not monitoring process behavior, they may miss the intrusion.

Patch-Only Thinking

Patching is essential, but if a server was exploited before patching, attackers may already have web shells or backdoors installed.

That means organizations must investigate, not just update.

How the Attack Chain Works

The SHADOW-EARTH-053 campaign follows a multi-stage espionage attack chain.

Initial Reconnaissance

The attackers identify internet-facing Microsoft Exchange or IIS servers.

They likely prioritize government, critical infrastructure, defense-linked, technology, and strategic organizations.

Exchange Exploitation

The attackers exploit known Exchange vulnerabilities, including the ProxyLogon chain.

This allows them to gain access to the server environment.

Web Shell Deployment

After access, the attackers install web shells such as GODZILLA.

Common web shell names observed in reporting include:

  • error.aspx
  • errorFE.aspx
  • signout.aspx
  • warn.aspx
  • data.aspx
  • page.aspx
  • TimeinLogout.aspx
  • timeout.aspx
  • charcode.aspx
  • tunnel.ashx
  • i.aspx
  • 2.aspx

These files may be placed in Exchange or IIS-related directories to blend into web infrastructure.
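As an added example (not code from the original post or from the researchers), the following PowerShell sweeps the default Exchange and IIS web directories for script files worth a second look. It combines three checks: a match against the reported file names above, a recent creation or modification time, and a set of generic ASP.NET web shell content markers (process execution, request-parameter handling, assembly loading), which are my assumptions rather than GODZILLA-specific signatures. The $Roots paths assume a default Exchange V15 install on C:; adjust them, and supply a SHA256 baseline from a clean build of the same version if you have one.

```powershell
# Added example, not from the original post: triage web-script files under
# Exchange and IIS directories. Paths assume a default Exchange V15 install
# on C:; $ReportedNames comes from the report above; the content markers are
# generic ASP.NET web shell heuristics (an assumption), not GODZILLA signatures.

$ReportedNames = @(
    'error.aspx', 'errorFE.aspx', 'signout.aspx', 'warn.aspx', 'data.aspx', 'page.aspx',
    'TimeinLogout.aspx', 'timeout.aspx', 'charcode.aspx', 'tunnel.ashx', 'i.aspx', '2.aspx'
)

# Default web roots (assumption: default install drive and Exchange V15 layout).
$Roots = @(
    'C:\inetpub\wwwroot',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy',
    'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess'
)

# Regex markers commonly found in ASP.NET web shells: process execution,
# raw request-parameter handling, in-memory assembly loading, eval-style handlers.
$ContentMarkers = @('System\.Diagnostics\.Process', 'Request\.Item', 'Request\[', 'Assembly\.Load', 'eval\(')

function Find-SuspiciousWebScript {
    param(
        [string[]]$Paths = $Roots,
        [datetime]$Since = (Get-Date).AddDays(-90),   # widen for older intrusions
        [string[]]$KnownGoodHashes = @()              # SHA256 list from a clean build, if available
    )
    foreach ($root in $Paths) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.jsp -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reasons = @()
            if ($ReportedNames -contains $_.Name) { $reasons += 'reported-name' }
            if ($_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since) { $reasons += 'recent' }
            if ($KnownGoodHashes.Count -gt 0) {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                if ($KnownGoodHashes -notcontains $hash) { $reasons += 'not-in-baseline' }
            }
            # -List stops at the first matching marker per file.
            $hit = Select-String -Path $_.FullName -Pattern $ContentMarkers -List -ErrorAction SilentlyContinue
            if ($hit) { $reasons += "content:$($hit.Pattern)" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                    Reasons  = ($reasons -join ',')
                }
            }
        }
    }
}

# Run from an elevated session on the server; keep the CSV with the case file.
Find-SuspiciousWebScript | Sort-Object Created -Descending | Tee-Object -Variable Findings | Format-Table -AutoSize
$Findings | Export-Csv -Path "$env:TEMP\webscript-triage.csv" -NoTypeInformation
```

A name match alone is not proof: some of the reported names coincide with file names a legitimate Exchange installation also uses, so weigh creation time, size and contents together and compare against an unmodified installation of the same build before removing anything. The 'recent' window should be pushed back to the earliest date the server could have been exposed, not just to the last patch date.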

Command Execution

The web shell allows the attackers to run commands from the compromised server.

IIS worker processes such as w3wp.exe may spawn reconnaissance tools, command shells, or credential-related utilities.

Discovery and Enumeration

The attackers enumerate Active Directory, Exchange infrastructure, domain controllers, mailboxes, users, and internal servers.

Observed discovery tools and commands include:

  • nltest
  • nslookup
  • csvde.exe
  • PowerView
  • DomainMachines.exe
  • LDAP enumeration
  • Exchange PowerShell snap-ins

Credential Harvesting

The attackers use tools such as Mimikatz and Evil-CreateDump to extract credentials and account data.

Credential access helps them expand from the initial server into the broader environment.

ShadowPad Deployment

The group stages ShadowPad through DLL sideloading.

They use legitimate signed executables and malicious DLLs. The legitimate file loads the attacker-controlled DLL, which then loads the encrypted ShadowPad payload.

Registry-Based Payload Storage

In some cases, the ShadowPad payload is stored in a machine-specific registry location rather than embedded directly in the loader.

This helps reduce static detection and makes forensic analysis more difficult.

Scheduled Task Persistence

Persistence is maintained through scheduled tasks.

One reported scheduled task name is M1onltor, configured to run the sideloaded binary repeatedly.
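The scheduled-task and sideloading pattern described above can be reviewed with the following PowerShell, an added example rather than code from the original post or from the researchers. It lists every scheduled task action, flags the reported task name, and, for any action whose executable lives outside the Windows and Program Files trees, checks whether that executable carries a valid Authenticode signature while a DLL in the same directory does not, which is the loader layout the report describes. The trusted-root list and the Repeats column (built from each trigger's repetition interval) are my choices, not indicators from the report.

```powershell
# Added example, not from the original post: find scheduled tasks that run a
# signed executable from a non-standard directory next to an unsigned DLL.
# $ReportedTaskNames is from the report; $TrustedRoots is an assumption.

$ReportedTaskNames = @('M1onltor')
$TrustedRoots = @("$env:windir", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-SideloadCandidate {
    # Returns DLLs without a valid signature that sit beside a validly signed executable.
    param([string]$ExePath)
    if ((Get-AuthenticodeSignature -FilePath $ExePath).Status -ne 'Valid') { return @() }
    $dir = Split-Path -Path $ExePath -Parent
    Get-ChildItem -Path $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        Select-Object -ExpandProperty FullName
}

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions have no Execute
            # Expand %SystemRoot%-style variables and strip quotes so path tests work.
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $reasons = @()
            if ($ReportedTaskNames -contains $task.TaskName) { $reasons += 'reported-name' }
            if (-not [System.IO.Path]::IsPathRooted($exe)) {
                $reasons += 'relative-path'
            } elseif (-not (Test-TrustedPath $exe)) {
                $reasons += 'untrusted-path'
                if (Test-Path $exe) {
                    $dlls = @(Find-SideloadCandidate -ExePath $exe)
                    if ($dlls.Count -gt 0) { $reasons += "sideload:$($dlls -join ';')" }
                }
            }
            if ($reasons.Count -gt 0) {
                $repeats = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Author    = $task.Author
                    Repeats   = ($repeats -join ',')
                    Reasons   = ($reasons -join ',')
                }
            }
        }
    }
}

# Requires an elevated session to enumerate every task, not only the current user's.
Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

A task that fires every few minutes (a non-empty Repeats value such as PT5M) and points at an executable in a user-writable or temporary directory is the combination to prioritize; preserve the executable, the adjacent DLLs and the task XML (Export-ScheduledTask) before anything is removed, since the encrypted payload may sit outside the loader, as the next section notes.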

Lateral Movement

The attackers use WMIC and other tools to move laterally and deploy backdoors on additional hosts.

Covert Communication

Tools such as IOX Proxy, GOST, and Wstunnel help tunnel traffic and create covert communication paths over SOCKS5 or HTTPS.

Long-Term Espionage

The final objective appears to be intelligence collection, sensitive data access, and potentially intellectual property theft.

Why This Incident Matters for Cybersecurity

This incident matters because it demonstrates the continuing value of old vulnerabilities in state-aligned espionage campaigns.

Security teams often focus heavily on the newest CVEs.

That focus is understandable.

New vulnerabilities receive headlines, emergency advisories, and urgent patching activity.

But attackers do not abandon older vulnerabilities just because patches exist.

If exposed systems remain unpatched, older bugs remain valuable.

ProxyLogon is a clear example.

Years after disclosure, the chain still provides access in vulnerable environments.

That means organizations must think beyond patch announcements and ask:

Are we actually patched everywhere?

Are exposed systems still running old builds?

Were servers compromised before patching?

Are web shells still present?

Did attackers establish persistence?

Were credentials already stolen?

This campaign also matters because it targets strategic sectors.

Government and critical infrastructure environments often hold sensitive information, policy data, defense-related material, procurement records, diplomatic communications, and operational details.

Espionage actors do not need to encrypt data to cause harm.

Reading quietly may be enough.

Common Risks Highlighted by the Incident

SHADOW-EARTH-053 highlights several major cybersecurity risks.

Unpatched Exchange Risk

Known Exchange vulnerabilities remain actively exploited when servers are exposed and unpatched.

Web Shell Persistence

Attackers can maintain access through small web shell files hidden in normal-looking directories.

ShadowPad Deployment

ShadowPad is a modular backdoor associated with long-term access and China-aligned threat activity.

DLL Sideloading

Legitimate signed executables can be abused to load malicious DLLs and avoid suspicion.

Credential Theft

Tools such as Mimikatz and Evil-CreateDump can expose passwords, hashes, and authentication material.

Living-Off-the-Land Abuse

WMIC, csvde.exe, PowerShell, and other legitimate Windows tools can support attacker activity while blending into normal system behavior.

IIS Worker Process Abuse

Processes such as w3wp.exe spawning suspicious tools can indicate web shell activity.

Covert Proxying

IOX Proxy, GOST, and Wstunnel can help attackers maintain hidden communications.

Patch-Without-Investigation Risk

Patching closes the original vulnerability but may not remove web shells, stolen credentials, or deployed backdoors.

Potential Impact on Organizations

The potential impact of SHADOW-EARTH-053 activity can be severe.

Organizations may face:

  • Exchange server compromise
  • Mailbox access
  • Credential theft
  • Active Directory enumeration
  • Web shell persistence
  • ShadowPad deployment
  • Lateral movement
  • Long-term espionage
  • Intellectual property theft
  • Sensitive government data exposure
  • Critical infrastructure intelligence collection
  • Defense-related data compromise
  • Internal server mapping
  • Persistent remote access
  • Loss of trust in email infrastructure
  • Regulatory and legal consequences
  • Major incident response costs

The impact is especially serious for government, defense, critical infrastructure, and technology organizations.

A compromised Exchange server can expose communication patterns, internal discussions, attachments, contact lists, privileged users, and authentication paths.

That makes Exchange compromise a high-priority incident.

It should not be treated as a routine vulnerability finding.

What Organizations Should Do Now

Organizations running Microsoft Exchange or IIS should take immediate action.

Recommended actions include:

  • Identify all internet-facing Exchange and IIS servers
  • Confirm whether ProxyLogon-related CVEs are fully patched
  • Verify patch levels for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
  • Review historical exposure, not only current patch status
  • Search for web shells in Exchange and IIS directories
  • Look for suspicious .aspx, .ashx, and .jsp files
  • Review IIS logs for exploitation patterns
  • Review w3wp.exe process activity
  • Hunt for GODZILLA web shell indicators
  • Hunt for ShadowPad indicators
  • Review scheduled tasks for suspicious names such as M1onltor
  • Search for IOX Proxy, GOST, Wstunnel, and similar tunneling tools
  • Review WMIC lateral movement activity
  • Hunt for Mimikatz and Evil-CreateDump usage
  • Review Active Directory reconnaissance activity
  • Rotate credentials that may have been exposed
  • Rebuild compromised Exchange servers where necessary
  • Segment Exchange infrastructure from sensitive internal systems
  • Enable file integrity monitoring on web directories
  • Conduct a full incident response review if compromise is suspected
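The IIS log review in the list above can be started with the following PowerShell, an added example that is not code from the original post or from the researchers. It parses W3C-format IIS logs (the #Fields header names the columns) and flags requests whose target matches a reported web shell name, requests for script files outside the Exchange virtual directories, and unauthenticated POSTs to script files. The $SampleLog lines are constructed for the example and are not real telemetry; the list of expected Exchange virtual directories is an assumption for a default install and should be extended if the server hosts other applications.

```powershell
# Added example, not from the original post: flag IIS log entries consistent
# with web shell use. $ReportedNames is from the report; $SampleLog is
# constructed for this example (not real telemetry).

$ReportedNames = @(
    'error.aspx', 'errorFE.aspx', 'signout.aspx', 'warn.aspx', 'data.aspx', 'page.aspx',
    'TimeinLogout.aspx', 'timeout.aspx', 'charcode.aspx', 'tunnel.ashx', 'i.aspx', '2.aspx'
)

$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-14 02:11:07 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 41
2025-01-14 02:11:09 10.0.0.5 POST /owa/auth/error.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 12
2025-01-14 02:11:31 10.0.0.5 POST /aspnet_client/tunnel.ashx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 9
2025-01-14 02:12:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\jdoe 10.0.4.22 Mozilla/5.0 - 200 0 0 88
'@ -split "`r?`n"

function ConvertFrom-IisLog {
    # Turns W3C log lines into objects whose property names are the #Fields columns.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $line -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        if (-not $fields -or $values.Count -ne $fields.Count) { continue }
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Find-WebShellRequest {
    param(
        [Parameter(ValueFromPipeline = $true)][pscustomobject]$Entry,
        # Assumption: default Exchange virtual directories; add any other hosted apps.
        [string[]]$ExpectedScriptDirs = @('/owa/', '/ecp/', '/ews/', '/mapi/', '/autodiscover/',
                                          '/oab/', '/rpc/', '/microsoft-server-activesync/', '/powershell/')
    )
    process {
        $stem = [string]$Entry.'cs-uri-stem'
        $leaf = ($stem -split '/')[-1]
        $isScript = $leaf -match '\.(aspx|ashx|asmx|jsp)$'
        $inKnownDir = $false
        foreach ($d in $ExpectedScriptDirs) { if ($stem.ToLower().StartsWith($d)) { $inKnownDir = $true; break } }
        $reasons = @()
        if ($ReportedNames -contains $leaf) { $reasons += 'reported-name' }
        if ($isScript -and -not $inKnownDir) { $reasons += 'script-outside-app-dirs' }
        if ($isScript -and $Entry.'cs-method' -eq 'POST' -and $Entry.'cs-username' -eq '-') {
            $reasons += 'unauthenticated-post-to-script'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                When      = "$($Entry.date) $($Entry.time)"
                ClientIP  = $Entry.'c-ip'
                Method    = $Entry.'cs-method'
                Path      = $stem
                Status    = $Entry.'sc-status'
                UserAgent = $Entry.'cs(User-Agent)'
                Reasons   = ($reasons -join ',')
            }
        }
    }
}

# Sample run: lines 2 and 3 of the constructed log are flagged, lines 1 and 4 are not.
ConvertFrom-IisLog -Lines $SampleLog | Find-WebShellRequest | Format-Table -AutoSize

# Real logs (default location; the #Fields header repeats in each file, so concatenation is safe):
# ConvertFrom-IisLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log') | Find-WebShellRequest
```

Group the output by ClientIP and Path over the whole exposure window rather than reading it line by line: a single source repeatedly POSTing to one script file that receives no legitimate traffic is the shape to look for, and the first such request dates the intrusion better than the patch ticket does.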

Organizations should also remember one important rule:

If an internet-facing Exchange server was vulnerable, assume compromise is possible until logs, files, and endpoint evidence prove otherwise.

Detection and Monitoring Strategies

Detection should focus on Exchange exploitation, web shell activity, suspicious process trees, credential access, lateral movement, and covert communication.

Security teams should monitor for:

  • New .aspx files in Exchange directories
  • New .ashx files in IIS directories
  • Web shell names such as error.aspx, signout.aspx, warn.aspx, or tunnel.ashx
  • w3wp.exe spawning cmd.exe
  • w3wp.exe spawning powershell.exe
  • w3wp.exe launching reconnaissance commands
  • w3wp.exe executing credential tools
  • Use of nltest
  • Use of nslookup against internal servers
  • Use of csvde.exe
  • PowerView execution
  • Exchange PowerShell snap-in loading
  • Unusual Get-Mailbox enumeration
  • Mimikatz execution
  • Evil-CreateDump execution
  • Suspicious scheduled tasks
  • DLL sideloading from unusual paths
  • Legitimate signed executables renamed to blend in
  • ShadowPad loader activity
  • Registry keys storing encrypted payloads
  • IOX Proxy execution
  • GOST or Wstunnel usage
  • WMIC remote process execution
  • Unexpected SMB, RDP, WinRM, or database connection attempts from Exchange servers
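The w3wp.exe items in the list above, and the Command Execution step in the attack chain, come down to one question: what did the IIS worker process spawn? The following PowerShell is an added example (not code from the original post or from the researchers) that reads Sysmon process-creation events (Event ID 1) and reports every child of w3wp.exe, rating children on a short list of shells, discovery tools and LOLBins as High and everything else as Review, so that a renamed tool still surfaces. The $SampleEvents at the bottom are constructed for the example; the list of suspicious child names is my choice, seeded from the tools the report names; Sysmon must already be installed with process-creation logging enabled.

```powershell
# Added example, not from the original post: report processes spawned by the
# IIS worker process (w3wp.exe). Uses Sysmon Event ID 1; $SuspiciousChildren
# is an assumption seeded from the report's tool list; $SampleEvents is constructed.

$SuspiciousChildren = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'nltest.exe', 'nslookup.exe', 'csvde.exe',
    'wmic.exe', 'whoami.exe', 'net.exe', 'net1.exe', 'ipconfig.exe', 'systeminfo.exe',
    'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'schtasks.exe'
)

function Get-SysmonProcessCreate {
    # Flattens Sysmon Event ID 1 into objects with the fields the check needs.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time              = $_.TimeCreated
            Image             = $data['Image']
            CommandLine       = $data['CommandLine']
            User              = $data['User']
            ParentImage       = $data['ParentImage']
            ParentCommandLine = $data['ParentCommandLine']
        }
    }
}

function Find-IisWorkerChild {
    param([Parameter(ValueFromPipeline = $true)][pscustomobject]$Event)
    process {
        $parentLeaf = [System.IO.Path]::GetFileName([string]$Event.ParentImage)
        if ($parentLeaf -ne 'w3wp.exe') { return }
        $childLeaf = [System.IO.Path]::GetFileName([string]$Event.Image)
        # Known-bad names are High; any other child of w3wp.exe still needs a look,
        # because the report notes attackers rename tools and run sideloaded binaries.
        $severity = if ($SuspiciousChildren -contains $childLeaf) { 'High' } else { 'Review' }
        [pscustomobject]@{
            Time              = $Event.Time
            Severity          = $severity
            Child             = $childLeaf
            CommandLine       = $Event.CommandLine
            User              = $Event.User
            ParentCommandLine = $Event.ParentCommandLine
        }
    }
}

# Constructed sample events (not real telemetry) showing the three cases:
# a known discovery command, a renamed binary in a temp path, and a benign non-IIS parent.
$SampleEvents = @(
    [pscustomobject]@{ Time = Get-Date '2025-01-14 02:11:12'; Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c nltest /dclist:corp'; User = 'NT AUTHORITY\SYSTEM'
        ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
        ParentCommandLine = 'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool"' },
    [pscustomobject]@{ Time = Get-Date '2025-01-14 02:14:40'; Image = 'C:\Windows\Temp\svchost.exe'
        CommandLine = 'svchost.exe -l 0.0.0.0:8443'; User = 'NT AUTHORITY\SYSTEM'
        ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
        ParentCommandLine = 'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool"' },
    [pscustomobject]@{ Time = Get-Date '2025-01-14 02:15:01'; Image = 'C:\Windows\System32\conhost.exe'
        CommandLine = 'conhost.exe 0x4'; User = 'CORP\svc-backup'
        ParentImage = 'C:\Windows\System32\cmd.exe'; ParentCommandLine = 'cmd.exe' }
)

# Sample run: first event is High, second is Review, third is dropped.
$SampleEvents | Find-IisWorkerChild | Format-Table -AutoSize

# Live: Get-SysmonProcessCreate | Find-IisWorkerChild | Sort-Object Time
```

The same logic applies to Security event 4688 if Sysmon is not deployed, provided command-line auditing is enabled; without it the CommandLine column is empty and the nltest case above is indistinguishable from any other cmd.exe launch. Pair the result with the IIS log timeline: a w3wp.exe child appearing seconds after a POST to an unknown script file is the strongest single signal of active web shell use.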

Security teams should correlate:

  • IIS logs
  • Exchange logs
  • EDR telemetry
  • Windows event logs
  • Sysmon logs
  • Active Directory logs
  • Firewall logs
  • DNS logs
  • Proxy logs
  • SIEM alerts
  • Network detection and response data
  • File integrity monitoring alerts

The strongest detection approach is behavioral.

Do not only search for known file names.

Attackers can rename tools quickly.

Focus on abnormal behavior from servers that should not be performing workstation-style reconnaissance, credential dumping, or lateral movement.

The Role of Incident Response Planning

SHADOW-EARTH-053 reinforces that Exchange exploitation requires a mature incident response plan.

A patching ticket is not enough.

If attackers exploited Exchange before remediation, they may have installed web shells, stolen credentials, deployed ShadowPad, and moved deeper into the network.

A strong response plan should define:

  • How to isolate suspected Exchange servers
  • How to preserve IIS and Exchange logs
  • How to search for web shells
  • How to collect memory and disk evidence
  • How to review w3wp.exe process history
  • How to identify credential theft
  • How to rotate domain and service account credentials
  • How to review mailbox access
  • How to hunt for lateral movement
  • How to search for ShadowPad and proxy tools
  • How to rebuild affected servers
  • How to assess data exposure
  • How to brief executives
  • How to coordinate legal and regulatory decisions
  • How to validate that persistence is removed

Incident responders should ask:

  • Was the server exposed to the internet?
  • Was it vulnerable during the attack window?
  • Were suspicious web files created?
  • Did IIS worker processes run commands?
  • Were credentials dumped?
  • Were mailboxes accessed?
  • Were scheduled tasks created?
  • Was ShadowPad deployed?
  • Did the attacker move laterally?
  • Were other systems compromised?
  • Was sensitive data exfiltrated?

These answers determine whether the incident is contained to a server or represents a larger espionage intrusion.

The Role of Penetration Testing

Penetration testing is essential for understanding whether Exchange and IIS exposure could lead to real compromise.

A strong penetration test should not only confirm whether systems are patched.

It should evaluate whether exposed infrastructure could be abused in a realistic attack chain.

For SHADOW-EARTH-053-style risk, penetration testing can help identify:

  • Internet-facing Exchange exposure
  • Missing ProxyLogon-related patches
  • IIS misconfigurations
  • Weak segmentation around Exchange servers
  • Excessive service account privileges
  • Web directories lacking file integrity monitoring
  • Poor logging on Exchange and IIS servers
  • Lack of alerts for w3wp.exe spawning shells
  • Weak detection for web shells
  • Credential access paths from Exchange servers
  • Lateral movement opportunities
  • Weak Active Directory segmentation
  • Unrestricted outbound tunneling
  • Poor scheduled task monitoring
  • Inadequate incident response procedures

A red team exercise can simulate the full attack path safely:

  • Identify exposed Exchange or IIS services
  • Validate patch and configuration posture
  • Test web shell detection using safe methods
  • Simulate suspicious w3wp.exe process behavior
  • Test credential exposure controls
  • Attempt controlled lateral movement
  • Validate segmentation
  • Measure SOC detection and response
  • Review incident response escalation

This helps answer the real business question:

If an attacker compromised one Exchange server, how far could they go?

Penetration testing should also verify that patching has not become a false comfort.

A server can be fully patched today and still contain a web shell from yesterday.

Protection and Mitigation Measures

Organizations should apply layered protections across patching, monitoring, server hardening, identity, and incident response.

Patch Exchange and IIS Immediately

Apply all relevant Microsoft Exchange and IIS security updates.

Prioritize internet-facing systems and confirm patch status through authenticated checks.

Investigate Historical Exposure

Do not only check whether the server is patched now.

Review whether it was exposed and vulnerable in the past.

Search for Web Shells

Inspect Exchange and IIS web directories for suspicious files, especially .aspx, .ashx, and .jsp files.

Use File Integrity Monitoring

Enable monitoring on sensitive web directories.

Alert on new or modified web scripts.

Monitor IIS Worker Processes

Alert when w3wp.exe launches command shells, PowerShell, reconnaissance tools, or credential utilities.

Harden Exchange Servers

Limit internet exposure, restrict administrative access, remove unnecessary services, and isolate Exchange from sensitive internal systems.

Segment Critical Infrastructure

Exchange servers should not have unrestricted internal access.

Use network segmentation to reduce lateral movement risk.

Rotate Credentials After Compromise

If exploitation is suspected, rotate domain, service, administrative, and mailbox-related credentials.

Review Mailbox Access

Investigate suspicious mailbox enumeration, exports, forwarding rules, and access from unusual systems.

Block Covert Tunnels

Monitor and restrict outbound connections from Exchange servers.

Alert on tools such as IOX Proxy, GOST, Wstunnel, and unexpected SOCKS or HTTPS tunneling.

Detect DLL Sideloading

Monitor legitimate signed executables running from unusual paths or loading suspicious DLLs.

Prepare Rebuild Procedures

For confirmed compromise, rebuilding the server may be safer than trying to clean it manually.

Run Regular Security Testing

Include Exchange, IIS, web shell detection, lateral movement, and credential exposure in penetration testing and incident response exercises.

Key Takeaway

The SHADOW-EARTH-053 campaign shows that old Microsoft Exchange and IIS vulnerabilities remain valuable to China-aligned cyberespionage groups.

By exploiting the ProxyLogon chain and other known N-day vulnerabilities, attackers gain access to exposed servers, deploy GODZILLA web shells, stage ShadowPad through DLL sideloading, use credential theft tools, move laterally with WMIC, and maintain covert communication through proxy and tunneling utilities.

There is nothing theoretical about this risk.

The vulnerabilities are old.

The patches exist.

The exploitation continues.

Organizations must stop treating legacy Exchange exposure as a routine IT issue. It is a serious intrusion risk that can lead to mailbox compromise, credential theft, long-term espionage, intellectual property exposure, and broader network compromise.

Security teams should patch quickly, investigate historically exposed servers, hunt for web shells, monitor IIS process behavior, rotate exposed credentials, and validate defenses through penetration testing.

The message is clear:

If attackers still exploit old vulnerabilities, defenders must stop assuming old vulnerabilities are old news.

Copyright © Digital Warfare. All rights reserved.