Linux

SHADOW-EARTH-053 — Threat Brief, Kill Chain, and Validated Fleet Queries

Trend Micro disclosed SHADOW-EARTH-053 on 30 April 2026 — a China-aligned cyberespionage campaign exploiting ProxyLogon against unpatched Microsoft Exchange and IIS to deploy GODZILLA web shells and ShadowPad across South, East, and Southeast Asia plus one NATO target. This brief documents the campaign through Lockheed’s seven kill-chain stages with a Diamond Model rendered for each stage, consolidates the atomic indicators, and ships a vetted Fleet/osquery detection pack. Every query in the pack has been audited against fleetdm.com/tables before publication — schema bugs in the publicly circulating versions are called out and corrected inline.

Pre-CVE Threat Response: A Dirty Frag Walkthrough with Fleet

Vulnerability management isn’t CVE management. When a public exploit lands before NVD has caught up, traditional vulnerability scanners come back empty and incident response stalls waiting for a row to appear in a database. This is a worked example of using Fleet’s primitives — live osquery, run-script, policies — to investigate, scope, mitigate, and verify based on the artifacts the threat leaves on hosts rather than its catalog representation.