What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia
A newly identified China-linked cyber espionage group, tracked as Shadow-Earth-053, has infiltrated critical networks in Poland, several Asian countries, and potentially other regions since December 2024. The group, which targets government agencies, defense contractors, and technology firms, often gains access through vulnerable Microsoft Exchange Servers and uses the ShadowPad backdoor after prolonged reconnaissance. It shares tactics and infrastructure with a related group, Shadow-Earth-054, raising concerns about dormant command-and-control mechanisms and potential prepositioning for future disruptive attacks.
- Shadow-Earth-053 has targeted government, defense, technology, and transportation sectors in Poland and Asian countries since December 2024.
- The group typically exploits vulnerable Microsoft Exchange Servers to gain initial access and deploys the ShadowPad backdoor after up to eight months of reconnaissance.
- Shadow-Earth-053 shares tools, techniques, and network infrastructure with Shadow-Earth-054, a group linked to known Chinese cyber operations.
- TrendAI researchers compare the groups' behavior to prior Chinese campaigns like Salt Typhoon and Volt Typhoon, known for long-term stealth and prepositioning in critical networks.
- Experts express concern that the intrusions may have left behind dormant C2 infrastructure or destructive capabilities in compromised environments.
Opening excerpt (first ~120 words)

Just in time for the Trump-Xi summit

Jessica Lyons, Thu 30 Apr 2026 // 11:00 UTC

Exclusive: A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month.

I'm concerned about what they are leaving behind: What type of C2 on a sleep cycle is still lingering in these environments?

In a report shared exclusively with The Register, TrendAI researchers say the new group, which they track as Shadow-Earth-053, targeted government agencies, defense contractors, technology firms, and the transportation industry.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.