Novel China-Linked Group Shadow-Earth-053 Found Lurking in Critical Networks Across Poland and Asia
A previously undocumented China-linked threat group tracked as Shadow-Earth-053 has infiltrated 12+ critical networks across Poland and Asian nations — targeting defense contractors, government agencies, and transport infrastructure.
A novel China-linked group tracked as Shadow-Earth-053 has quietly infiltrated 12+ critical networks across Poland and Asia since December 2024 — deploying ShadowPad with up to eight months of dormancy before activation.
WARSAW / SINGAPORE — Shadow-Earth-053 has targeted government agencies, defense contractors, technology firms, and the transportation sector across at least a dozen victim organizations since its earliest confirmed activity in December 2024. The group typically gains initial access through vulnerable Microsoft Exchange servers, and in multiple intrusions it compromised victim organizations up to eight months before deploying ShadowPad, the custom backdoor that China-aligned groups have shared since 2019.
Incident profile
Tactics and tooling
Shadow-Earth-053 demonstrates a pattern of long-dwell-time intrusions — in multiple cases compromising victim environments eight months before deploying ShadowPad. TrendAI's Tom Kellermann described the group as "the younger brother and sister of the Typhoon campaigns" — targeting defense industries and defense ministries of nations aligned with the US and supportive of Taiwan's independence. For evasion, the group deploys RingQ — an open-source tool developed in China that packs malicious binaries to avoid antivirus detection — and uses domain names that impersonate legitimate security products and DNS protocol components. This operational pattern is consistent with what we document across all nation-state cyber threats tracked by The CyberSignal.
The Poland connection
Poland's appearance as a confirmed victim is strategically significant. As a NATO frontline state, a major logistics hub for Western military aid to Ukraine, and a host to significant US military assets, Poland represents high-value intelligence real estate for Chinese state actors. China's broader approach to long-term network infiltration is detailed in our coverage of the Silk Typhoon operative extradited from Italy for state-directed espionage campaigns.
What to do now
Treat any unpatched Microsoft Exchange exposure as a critical priority. Hunt for ShadowPad indicators and NoodleRat signatures in Linux environments. Review DNS logs for domains mimicking security product names. Assume any long-undetected intrusion may have involved ShadowPad pre-positioning — check for dormant C2 channels on sleep cycles before concluding environments are clean. Understanding how advanced persistent threats operate is essential context for defenders mapping dwell-time risks.
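One way to carry out the DNS-log review recommended above, as an added example that is not code from the report or from The CyberSignal: it parses constructed resolver log lines and flags query names whose registered-domain labels equal, or sit within a small edit distance of, an assumed watch list of security-product and DNS-component names, while skipping an assumed allowlist of known-good domains.

```python
import re
# Security product and DNS-component names the group is said to mimic; the watch
# list is assumed for this example, since the report publishes no domains.
WATCH_TERMS = ["trendmicro", "crowdstrike", "sentinelone", "defender",
               "symantec", "resolver", "nameserver"]
ALLOWLIST = {"trendmicro.com", "crowdstrike.com", "microsoft.com"}  # assumed known-good
# Constructed resolver log lines in the form "<timestamp> <client> query: <qname>".
SAMPLE_LOG = [
    "2025-03-02T10:14:01Z 10.0.5.12 query: update.trendmicro.com",
    "2025-03-02T10:14:09Z 10.0.5.12 query: api.trendmicr0-update.net",
    "2025-03-02T10:15:44Z 10.0.7.3 query: dns-resolver-cdn.com",
    "2025-03-02T10:16:00Z 10.0.7.3 query: www.example.org",
    "2025-03-02T10:16:30Z 10.0.5.12 query: login.microsoft.com",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+)$")

def levenshtein(a, b):
    """Edit distance: catches a digit swapped for a letter, a dropped character, etc."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(qname):
    """Naive eTLD+1 (last two labels); fine for .com/.net/.org, not for co.uk style."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def lookalike_term(qname, max_dist=2):
    """Return the watch term a query name mimics, or None if nothing matches."""
    reg = registered_domain(qname)
    if reg in ALLOWLIST:
        return None
    for token in reg.split(".")[0].split("-"):
        for term in WATCH_TERMS:
            if token == term:
                return term
            # Fuzzy-match only longer tokens so short labels like "cdn" stay quiet.
            if len(token) >= 6 and levenshtein(token, term) <= max_dist:
                return term
    return None

def hunt(lines):
    """Return (client, qname, mimicked term) for each suspicious query in the log."""
    matches = (LOG_RE.match(line) for line in lines)
    return [(m["client"], m["qname"], t)
            for m in matches if m and (t := lookalike_term(m["qname"]))]
```

Running `hunt(SAMPLE_LOG)` on the constructed log flags the typosquatted vendor name and the domain built around a DNS-component word, and leaves the allowlisted vendor domains alone.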
The CyberSignal Analysis
Signal 01 — Another Typhoon-class campaign hiding in plain sight
Shadow-Earth-053's eight-month average dwell time before ShadowPad deployment mirrors Volt Typhoon and Salt Typhoon — neither discovered until years after initial access. The discovery of this group in 2026 does not mean it began in 2024. Earlier activity may simply remain undetected.
Signal 02 — Defense supply chains are the new primary target
The targeting of defense contractors and transportation firms alongside government agencies reflects a shift in Chinese APT strategy: moving up the supply chain to the firms that build, supply, and provide logistics support for defense capabilities. A defense contractor's network contains architecture diagrams, procurement data, and vulnerability research that is arguably more valuable than the defense ministry network itself.
Signal 03 — Poland's exposure signals NATO-wide intelligence priority
Poland's role as a NATO eastern flank anchor and Ukraine aid corridor makes it a permanent high-priority target for Chinese intelligence collection. The deliberate targeting of Polish networks places Shadow-Earth-053 in the same category as groups targeting German Bundestag systems and French defense ministry infrastructure.