China-aligned group exploits Exchange, IIS flaws across Asian governments
Trend Micro tracks Shadow-Earth-053 campaign targeting defense and critical infrastructure sectors with known Microsoft vulnerabilities in ongoing espionage operation.
A China-aligned threat actor is conducting a sustained cyberespionage campaign against government, defense, and critical infrastructure targets across Asia, exploiting known vulnerabilities in Microsoft Exchange and Internet Information Services (IIS) platforms. Trend Micro researchers have designated the operation Shadow-Earth-053.
The campaign leverages publicly disclosed flaws in widely deployed enterprise systems to gain initial access. Exchange servers, which handle email and collaboration for many government and corporate networks, remain a persistent attack surface when patch cycles lag. IIS, Microsoft's web server platform, is similarly ubiquitous in enterprise environments. The targeting pattern—government ministries, defense contractors, and operators of essential services—indicates intelligence collection rather than financial motive.
The operation reflects a familiar pattern: state-aligned actors exploiting the gap between vulnerability disclosure and organizational remediation. Trend Micro's attribution to a China-aligned cluster is based on tactics, infrastructure, and targeting priorities consistent with previous campaigns linked to Beijing's strategic intelligence requirements. The focus on Asian nations aligns with regional geopolitical competition and China's long-documented interest in defense technology and critical infrastructure mapping.
- Asian government and defense entities face elevated risk of data exfiltration and persistent network access.
- Critical infrastructure operators must audit Exchange and IIS patch status immediately.
- Intelligence services should review Shadow-Earth-053 indicators for retrospective compromise detection.
- Vendors supporting targeted sectors should expect increased scrutiny of supply chain security.
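The patch-status audit recommended above can be scripted. The following PowerShell is an added example for this page, not code from Trend Micro or from the article, and it reports the installed Exchange build and IIS version on the local server so an operator can compare them against Microsoft's current update baselines. It assumes it runs on the Exchange server itself with ExSetup.exe on the PATH (standard for an Exchange install), local administrator rights to read the IIS registry key, and that the operator supplies the minimum acceptable Exchange build from Microsoft's published build table; no build number is hardcoded here because the article names none.

```powershell
# Added example (not from the article): report local Exchange and IIS patch state.
# Assumptions: run on the Exchange server as a local administrator; ExSetup.exe is on PATH;
# the caller passes the minimum acceptable Exchange build taken from Microsoft's build table.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumExchangeBuild
)

function Get-ExchangeBuild {
    # ExSetup.exe's ProductVersion tracks the installed CU/SU build (e.g. 15.2.xxxx.x).
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.ProductVersion
}

function Get-IisVersion {
    # IIS records its version under HKLM\SOFTWARE\Microsoft\InetStp.
    $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction Stop
    return [pscustomobject]@{
        Version       = "$($key.MajorVersion).$($key.MinorVersion)"
        VersionString = $key.VersionString
    }
}

function Get-RecentOsUpdates {
    # IIS itself is patched through Windows cumulative updates, so the last installed
    # hotfixes are the relevant signal for the web-server side of the audit.
    Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, Description, InstalledOn
}

$exchange = Get-ExchangeBuild
$iis      = Get-IisVersion

$exchangeStatus = if ($exchange -ge $MinimumExchangeBuild) { 'OK' } else { 'BELOW BASELINE' }

[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    ExchangeBuild         = $exchange.ToString()
    MinimumExchangeBuild  = $MinimumExchangeBuild.ToString()
    ExchangeStatus        = $exchangeStatus
    IisVersion            = $iis.Version
    IisVersionString      = $iis.VersionString
} | Format-List

Write-Host "`nMost recent Windows updates (IIS is serviced through these):"
Get-RecentOsUpdates | Format-Table -AutoSize
```

Run it as `.\Audit-ExchangeIis.ps1 -MinimumExchangeBuild 15.2.xxxx.x` with the build copied from Microsoft's Exchange build table for the deployed CU; a result of `BELOW BASELINE` means the server is still exposed to every publicly disclosed Exchange flaw fixed after that build. The script reads only the version metadata and does not query Exchange itself, so it is safe to run across a fleet with remoting. Note that a current build closes the disclosed vulnerabilities but says nothing about whether the host was already compromised, which is the retrospective review the third takeaway calls for.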
Ransomware attack executed entirely by AI agent, researchers report
JadePuffer operation marks what may be the first documented case of a fully autonomous LLM-driven ransomware deployment from reconnaissance to encryption.
Agentic AI Executes Multi-Stage Ransomware Attack via Langflow
Demonstration shows large language model agents autonomously combining exploitation techniques with real-time reasoning to conduct complex intrusions without human intervention.
FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships
Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.