
A DNS Investigation of Shadow-Earth-053

Shadow-Earth-053, a recently identified set of China-aligned campaigns, targeted government entities and critical infrastructure across South, East, and Southeast Asia and a NATO member state.

The group behind the attack exploited N-day vulnerabilities in Internet-facing Microsoft Exchange and IIS servers then deployed GODZILLA to maintain persistent access and stage ShadowPad implants via DLL sideloading of legitimate signed executables.

Trend Micro’s in-depth analysis of the threat identified 26 network IoCs comprising subdomains, domains, and IP addresses.

We extracted domains from the subdomain IoCs, which left us with 10 domain IoCs for our own investigation. According to the WhoisXML API MCP Server, none of the domains were legitimate and all were currently active. We thus ended up with 31 IoCs for further study comprising 16 subdomains, 10 domains, and five IP addresses.
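As an added illustration of the consolidation step described above (not the article's own tooling), the following Python refangs a constructed indicator list built from names the article mentions, classifies each entry as an IP, apex domain or subdomain, and derives the apex of every subdomain as a domain IoC of its own; the public-suffix set is a small stand-in for the real Public Suffix List, and the resulting counts differ from the article's 16/10/5 split, which comes from the full IoC list.

```python
import ipaddress
from collections import Counter

# Minimal public-suffix set covering the TLDs named in the article; a real tool
# should load the full Public Suffix List (publicsuffix.org) instead.
PUBLIC_SUFFIXES = {"com", "info", "icu", "life", "co.uk", "com.au"}

# Constructed sample list built from indicators the article names (counts will
# differ from the article's 16/10/5 split, which comes from the full IoC list).
SAMPLE_IOCS = [
    "cert[.]kaspersky[.]icu", "erp[.]kaspersky[.]icu", "news[.]kaspersky[.]icu",
    "ns1[.]kaspersky[.]icu", "ns2[.]kaspersky[.]icu", "kaspersky[.]icu",
    "zimbra-beta[.]info", "office365-update[.]com", "microsofttrends[.]com",
    "dnserver[.]life", "194[.]38[.]11[.]3",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator like 'ns1[.]kaspersky[.]icu' back into a usable value."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")

def registrable_domain(host: str) -> str:
    """Apex (registrable) domain of a hostname, e.g. ns1.kaspersky.icu -> kaspersky.icu."""
    labels = host.split(".")
    for n in (2, 1):  # longest suffix first so 'co.uk' wins over 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host  # unknown suffix: keep the whole name rather than guess

def classify(host: str) -> str:
    """Label a refanged indicator as 'ip', 'domain' (apex) or 'subdomain'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain" if registrable_domain(host) == host else "subdomain"

def consolidate(iocs):
    """Refang and classify each IoC, add the apex of every subdomain as a domain
    IoC of its own, and return (per-kind counts, sorted list of domain IoCs)."""
    kinds = {refang(i): classify(refang(i)) for i in iocs}
    for host, kind in list(kinds.items()):
        if kind == "subdomain":
            kinds.setdefault(registrable_domain(host), "domain")
    counts = Counter(kinds.values())
    return counts, sorted(h for h, k in kinds.items() if k == "domain")

if __name__ == "__main__":
    counts, domains = consolidate(SAMPLE_IOCS)
    print(dict(counts), domains)
```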

Our DNS deep dive into Shadow-Earth-053 led to these discoveries:

  • 865 unique client IP addresses that communicated with three of the domain IoCs
  • Two domain IoCs that were likely registered with malicious intent
  • 10 distinct IP addresses potentially owned by victims that communicated with three of the IP IoCs
  • 835 email-connected domains
  • Nine additional IP addresses, seven of which were confirmed malicious
  • Nine IP-connected domains, one of which was confirmed malicious
  • 749 string-connected domains, six of which were confirmed malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Shadow-Earth-053 Subdomain IoCs in the Spotlight

We began our investigation by taking a closer look at the 16 subdomain IoCs.

The WhoisXML API MCP Server revealed that they were part of a cohesive, purpose-built threat actor infrastructure rather than a random collection of suspicious domains. In fact, they shared overlapping tradecraft and together described a complete kill chain: rogue DNS resolution leading to router compromise, then traffic interception, credential harvesting, and persistence. Details for five examples follow.

SUBDOMAIN IoC | WXA MCP SERVER FINDING
cert[.]kaspersky[.]icu | Likely targets industrial and security professionals; impersonates Kaspersky with a real CERT that uses kaspersky[.]com
erp[.]kaspersky[.]icu | Can serve fake login pages for Kaspersky’s enterprise portal; acts as a credential theft vector
news[.]kaspersky[.]icu | Can distribute fake Kaspersky threat reports or malware disguised as software updates
ns1[.]kaspersky[.]icu | NS record allows full DNS control under a fake Kaspersky zone; is a hallmark of APT28’s FrostArmada TTPs
ns2[.]kaspersky[.]icu | Paired with the previous NS, forms a complete operator-controlled DNS zone under the Kaspersky brand; has an identical risk profile to the previous NS; also mirrors APT28’s FrostArmada NS infrastructure pattern

Shadow-Earth-053 Domains IoCs Dissected

Next, we dug deeper into the 10 domain IoCs.

Sample network traffic data from the IASC revealed that 865 unique client IP addresses under three distinct ASNs communicated with three of the domain IoCs via 3,476 DNS queries made between 6 March and 4 May 2026.

In addition, we discovered that two domain IoCs—zimbra-beta[.]info and office365-update[.]com—were recorded on the First Watch Malicious Domains Data Feed. They were likely registered with malicious intent 727 and 161 days, respectively, before they were tagged as IoCs on 30 April 2026.

Next, we queried the domain IoCs on WHOIS API and found out that:

  • They were created between 12 March 2020 and 9 April 2026, suggesting that the attackers had no preference regarding domain age.
  • They were administered by four different registrars.
  • They were registered in four different countries.

We then queried the domain IoCs on DNS Chronicle API and discovered that nine of them had 1,297 historical domain-to-IP resolutions over time. Details for five examples follow.

DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | DATES SEEN
microsofttrends[.]com | 726 | 02/06/17–05/03/26
office365-update[.]com | 194 | 02/06/17–05/03/26
dnserver[.]life | 193 | 08/17/23–08/15/25
kaspersky[.]icu | 64 | 12/01/18–05/06/23
zimbra-beta[.]info | 64 | 05/15/24–04/14/26

To date, seven domain IoCs continued to resolve to IP addresses this year. These were dnsmaps[.]com, group-ib[.]icu, microsi0ft[.]com, microsofttrends[.]com, office365-update[.]com, zimbra-beta[.]info, and zimbra[.]life.
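As an added example of working with resolution-history data of the kind DNS Chronicle API returned above (this is illustrative code, not the article's or WhoisXML API's own), the following Python aggregates constructed passive-DNS records into the per-domain resolution count and date range shown in the table, lists which domains still resolved in a given year, and surfaces IPs shared by more than one domain as a pivot point; the domain names are ones the article lists, while the IPs (documentation ranges) and dates are constructed, not the article's findings.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Resolution:
    """One historical domain-to-IP resolution window, as a passive-DNS feed reports it."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date

# Constructed sample records. Domain names are ones the article lists; the IPs
# (documentation ranges) and dates are illustrative, not the article's findings.
SAMPLE = [
    Resolution("office365-update.com", "203.0.113.10", date(2017, 2, 6), date(2020, 1, 1)),
    Resolution("office365-update.com", "203.0.113.11", date(2021, 5, 3), date(2026, 5, 3)),
    Resolution("microsofttrends.com", "203.0.113.11", date(2017, 2, 6), date(2026, 5, 3)),
    Resolution("zimbra-beta.info", "198.51.100.7", date(2024, 5, 15), date(2026, 4, 14)),
    Resolution("kaspersky.icu", "198.51.100.9", date(2018, 12, 1), date(2023, 5, 6)),
    Resolution("dnserver.life", "192.0.2.44", date(2023, 8, 17), date(2025, 8, 15)),
]

def summarize(records):
    """Per domain: (number of resolutions, earliest first_seen, latest last_seen),
    i.e. the columns of the article's resolution-history table."""
    out = {}
    for r in records:
        count, first, last = out.get(r.domain, (0, r.first_seen, r.last_seen))
        out[r.domain] = (count + 1, min(first, r.first_seen), max(last, r.last_seen))
    return out

def still_resolving(records, year):
    """Domains with at least one resolution window that overlaps the given year."""
    return sorted({r.domain for r in records if r.first_seen.year <= year <= r.last_seen.year})

def shared_ips(records):
    """IPs that hosted more than one domain: the overlap a hunter pivots on to
    find infrastructure the IoC list does not yet name."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r.ip].add(r.domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}

if __name__ == "__main__":
    for dom, (n, first, last) in summarize(SAMPLE).items():
        print(f"{dom:24} {n:3} {first:%m/%d/%y}-{last:%m/%d/%y}")
    print("still resolving in 2026:", still_resolving(SAMPLE, 2026))
    print("shared IPs:", shared_ips(SAMPLE))
```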

Shadow-Earth-053 IP IoCs Investigated

Here, we further investigated the five IP IoCs.

First, sample network traffic data from the IASC showed that 10 unique IP addresses potentially owned by victims under six distinct ASNs communicated with three of the IP IoCs between 30 November 2025 and 3 May 2026.

We then queried the IP IoCs on Bulk IP Geolocation Lookup and discovered that:

  • They were geolocated in four different countries, only one of which—the U.S.—was also on the registrant country list.
  • While two of them did not have ISPs on record, the remaining three were administered by a different ISP each.

Next, we queried the IP IoCs on DNS Chronicle API and found that four of them had 839 historical IP-to-domain resolutions over time. The IP address 194[.]38[.]11[.]3, for instance, recorded 757 resolutions between 6 February 2021 and 4 May 2026.

To date, three of the IP IoCs continued to resolve to domains this year.

New Shadow-Earth-053 Artifacts Exposed

In this section, we hunted down new artifacts that could be connected to Shadow-Earth-053.

We began by querying the 10 domain IoCs on WHOIS History API and discovered that eight had 32 email addresses in their historical WHOIS records. Closer scrutiny revealed that five were public email addresses.

We then queried the public email addresses on Reverse WHOIS API and found out that they were used to register 835 unique email-connected domains after the domain IoCs were filtered out.

Next, we queried the domain IoCs on DNS Lookup API, which led to the discovery of nine unique additional IP addresses.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
