https://karmine05.github.io/dirtyfrag-blog/tags/shadowpad/ Recent content in Shadowpad on karmine's notes Hugo -- gohugo.io en dhruv@fleetdm.com (Dhruv Majumdar) dhruv@fleetdm.com (Dhruv Majumdar) © 2026 karmine's notes Tue, 26 May 2026 11:00:00 -0400 https://karmine05.github.io/dirtyfrag-blog/posts/shadow-earth-053-fleet-detections/ Tue, 26 May 2026 11:00:00 -0400 dhruv@fleetdm.com (Dhruv Majumdar) https://karmine05.github.io/dirtyfrag-blog/posts/shadow-earth-053-fleet-detections/ Trend Micro disclosed SHADOW-EARTH-053 on 30 April 2026 — a China-aligned cyberespionage campaign exploiting ProxyLogon against unpatched Microsoft Exchange and IIS to deploy GODZILLA web shells and ShadowPad across South, East, and Southeast Asia plus one NATO target. This brief documents the campaign through Lockheed’s seven kill-chain stages with a Diamond Model rendered for each stage, consolidates the atomic indicators, and ships a vetted Fleet/osquery detection pack. Every query in the pack has been audited against fleetdm.com/tables before publication — schema bugs in the publicly circulating versions are called out and corrected inline.