Cyber Threat Brief — May 3 2026
⚠️ This report is AI-generated. Always validate findings.
1. SHADOW-EARTH-053 Espionage Campaign — ShadowPad + Godzilla Webshells
TL;DR: China-aligned group SHADOW-EARTH-053 exploits unpatched Exchange/IIS servers to drop Godzilla webshells and ShadowPad implants via DLL sideloading, targeting government and defense sectors across 8 countries including NATO member Poland. Active since December 2024; Trend Micro disclosed late April 2026.
What’s New:
- Trend Micro published full campaign analysis attributing SHADOW-EARTH-053 across Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland
- Initial access via ProxyLogon chain (CVE-2021-26855/26857/26858/27065) and IIS N-days against unpatched servers
- Godzilla ASP.NET webshells deployed as `error.aspx`, `warn.aspx`, `TimeinLogout.aspx`, `tunnel.ashx` under standard Exchange/IIS paths
- ShadowPad loaded via DLL sideloading of signed Microsoft/Samsung binaries; encrypted payload stored in the registry (`HKCU\Software`) and deleted after first use
- Persistence via a scheduled task named `M1onltor` running the sideloaded binary every 5 minutes at highest privileges
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| error.aspx, warn.aspx, TimeinLogout.aspx, tunnel.ashx in Exchange/IIS paths | Webshell filename | T1505.003 | FIM / IIS logs / Sysmon EID 11 | Hunt for these filenames under \inetpub\, \FrontEnd\, \ClientAccess\ |
| w3wp.exe spawning cmd.exe, powershell.exe, or certutil.exe | Post-exploitation | T1059.001 | Sysmon EID 1 / EDR | Alert on w3wp.exe child process anomalies |
| Scheduled task named M1onltor | Persistence | T1053.005 | Windows Security EID 4698 / Sysmon EID 1 | Hunt for this exact task name across the fleet |
| HKCU\Software keys with encrypted blobs (deleted post-load) | Registry payload staging | T1112 | Sysmon EID 12/13 / EDR | Monitor for registry write+delete patterns in HKCU\Software by sideloaded binaries |
| DLL sideloading via signed Microsoft/Samsung executables | Execution | T1574.002 | Sysmon EID 7 / EDR | Alert on unsigned DLL loads by known-signed vendor binaries |
| IOX proxy tool deployment + LocalAccountTokenFilterPolicy set to 1 | Lateral movement | T1090 / T1550.002 | Registry / Sysmon EID 13 | Alert on LocalAccountTokenFilterPolicy modification |
| WMIC-based lateral commands | Lateral movement | T1047 | Sysmon EID 1 / Windows Security 4688 | Monitor wmic.exe process creation with /node: arguments |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web or Application Server Spawning a Shell (generic w3wp child) | No SHADOW-EARTH-053–specific rule; no Godzilla webshell filename detection |
| Elastic | Webshell Detection: Script Process Child of Common Web Processes | No M1onltor scheduled task rule; no IOX proxy detection |
| Sigma | Webshell Detection With Command Line Keywords; Suspicious Scheduled Task Creation | No DLL sideloading rule specific to ShadowPad loader pattern; no registry staging detection |
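The hunts listed in the two tables above, written out as one added example that is not code from the brief or from any cited vendor: it runs the artifact checks over a few constructed Sysmon/Security-style event records (field names follow Sysmon EventData naming; the sample events are made up for illustration).

```python
# Added example, not from the brief: hunt for the SHADOW-EARTH-053 artifacts above
# in Sysmon/Security-style event records (field names follow Sysmon EventData).
WEBSHELL_NAMES = {"error.aspx", "warn.aspx", "timeinlogout.aspx", "tunnel.ashx"}
WEB_PATHS = ("\\inetpub\\", "\\frontend\\", "\\clientaccess\\")
WEB_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe"}
TASK_NAME = "m1onltor"                      # exact task name reported by Trend Micro
TOKEN_POLICY = "localaccounttokenfilterpolicy"

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def match_event(ev):
    """Return [(ATT&CK id, reason), ...] for one event dict; [] when clean."""
    hits, eid = [], ev.get("EventID")
    if eid == 11:  # Sysmon FileCreate: known webshell filename under a web root
        target = ev.get("TargetFilename", "").lower()
        if _basename(target) in WEBSHELL_NAMES and any(p in target for p in WEB_PATHS):
            hits.append(("T1505.003", f"{_basename(target)} written under IIS/Exchange path"))
    elif eid == 1:  # Sysmon ProcessCreate: w3wp.exe children and remote WMIC use
        parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
        if parent == "w3wp.exe" and child in WEB_CHILDREN:
            hits.append(("T1059.001", f"w3wp.exe spawned {child}"))
        if child == "wmic.exe" and "/node:" in ev.get("CommandLine", "").lower():
            hits.append(("T1047", "wmic.exe invoked with /node: (remote host)"))
    elif eid == 4698:  # Security: scheduled task created
        if ev.get("TaskName", "").lower().strip("\\") == TASK_NAME:
            hits.append(("T1053.005", "scheduled task M1onltor created"))
    elif eid == 13:  # Sysmon RegistryEvent (value set); Details is "DWORD (0x...)"
        obj = ev.get("TargetObject", "").lower()
        if obj.endswith(TOKEN_POLICY) and "0x00000001" in ev.get("Details", ""):
            hits.append(("T1550.002", "LocalAccountTokenFilterPolicy set to 1"))
    return hits

def hunt(events):
    """Run every event through match_event; return [(event index, ATT&CK id, reason)]."""
    return [(i, t, r) for i, ev in enumerate(events) for t, r in match_event(ev)]

# Constructed sample telemetry (not real logs); event 1 is a benign look-alike.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\error.aspx"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\error.aspx"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic /node:HOST2 os get caption"},
    {"EventID": 4698, "TaskName": r"\M1onltor"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},
]
```

`hunt(SAMPLE_EVENTS)` flags events 0, 2, 3, 4 and 5 and leaves the benign copy of error.aspx outside the web root alone; swap in exported Sysmon/Security events with the same field names to run it against real telemetry.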
Sources: Trend Micro Research · The Hacker News · GBHackers
Status Updates
- CVE-2026-31431 (Linux Kernel — Copy Fail): Ubuntu and AlmaLinux patches released May 1; CISA KEV added May 1 with May 15 federal deadline; community Sigma/Falco/Sysdig detection rules stable. Original brief.
- CVE-2026-32202 (Windows Shell): Federal deadline May 12 approaching; no new artifacts or exploitation data since April 29 CISA KEV addition. Original brief.
- CVE-2024-1708/1709 (ScreenConnect): Federal deadline May 12; Storm-1175 Medusa ransomware campaigns ongoing via chained path traversal + auth bypass. Original brief.
- PyTorch Lightning Supply Chain (Shai-Hulud): Malicious versions 2.6.2/2.6.3 removed from PyPI; developers should verify the pinned version is 2.6.1 or lower and audit for `router_runtime.js` artifacts. Original brief.