A new China-aligned APT targeting NATO defense networks. SharePoint RCE actively exploited. Industrial infrastructure breach confirmed.  ·  CYBERSIP.NET  ·  ISSUE 20
CYBERSIP™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 20  ·  May 2, 2026  ·  cybersip.net  ·  3 active items  ·  Under 5 min read
Today's picture
Trend Micro disclosed a China-aligned espionage campaign this week targeting government and defense sectors across South, East, and Southeast Asia plus a European NATO member. The group, tracked as SHADOW-EARTH-053, exploits N-day vulnerabilities in internet-facing Exchange and IIS servers and deploys ShadowPad through DLL sideloading on legitimate signed executables. Separately, the SharePoint zero-day from April Patch Tuesday has now been confirmed as actively exploited for remote code execution, and Itron, a major industrial metering and infrastructure company, confirmed a breach affecting corporate IT systems in the same week Medtronic disclosed theirs.
Threat snapshot
3 new · 2 monitoring
New APT · China-Nexus
🕵 SHADOW-EARTH-053 targeting NATO and Asian defense sectors. Exchange and IIS servers as entry points.
Active since December 2024. Exploits ProxyLogon chain, deploys Godzilla web shells, stages ShadowPad via DLL sideloading. Targets government ministries, defense contractors, and one European NATO nation.
New RCE · Actively Exploited
📋 SharePoint CVE-2026-32201 confirmed exploited for RCE. Restrict internet exposure immediately.
Zero-day allows remote code execution. Patched in April Patch Tuesday but exploitation confirmed active this week. Organizations should patch and restrict SharePoint internet exposure now.
New Breach · OT / Industrial
⚡ Itron confirms breach of corporate IT systems. Second industrial firm hit this week after Medtronic.
Itron provides metering and grid management infrastructure to utilities and energy companies globally. Corporate IT systems affected. Investigation ongoing. No operational technology impact confirmed yet.
Detailed intelligence
Full analysis
01 New APT · China-Nexus
SHADOW-EARTH-053 targeting NATO and Asian defense sectors. Exchange and IIS servers are the door in.
SHADOW-EARTH-053
What happened
Trend Micro researchers Daniel Lunghi and Lucas Silva published analysis this week on a previously undocumented China-aligned threat cluster they track as SHADOW-EARTH-053. The group has been active since at least December 2024 and has been conducting targeted espionage operations against government agencies and defense sector organizations across South Asia, East Asia, and Southeast Asia, as well as one European government that is a member of NATO.

The initial access method is straightforward and consistent. SHADOW-EARTH-053 exploits known N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services servers, specifically the ProxyLogon chain, which has been public since 2021 but continues to work against unpatched deployments. Once inside, the group deploys Godzilla, a server-side web shell with extensive functionality for command execution, file management, and lateral movement, as a persistence mechanism.

The distinguishing feature of the campaign is the staging of ShadowPad, a sophisticated modular backdoor with extensive intelligence-collection capabilities, through DLL sideloading of legitimate signed executables. By loading the malicious DLL through a trusted, signed application, the group ensures that their persistence mechanism appears as a legitimate process to endpoint detection tools that rely on process and signature validation.

Trend Micro assessed SHADOW-EARTH-053 as sharing some infrastructure and tooling overlap with CL-STA-0049, Earth Alux, and REF7707, suggesting a broader China-nexus operational cluster rather than a fully independent group.
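As an added illustration of the detection side of that sideloading pattern (example code written for this brief, not Trend Micro's research or any vendor's tool): a small Python check over Sysmon Event ID 7 image-load records that flags a DLL loaded from the host executable's own directory when that directory is not a normal install location and the DLL is unsigned or fails signature validation. The records below are constructed; the field names are the real Sysmon ones.

```python
"""Flag Sysmon Event ID 7 (Image loaded) records that fit DLL sideloading.
Example written for this brief; input records are constructed, field names are Sysmon's."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories where a signed, installed application loading its own DLLs is expected.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")


def _dir(path):
    """Lower-cased parent directory of a Windows path, with a trailing backslash."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"


def sideload_findings(events):
    """Return {ProcessGuid: {"host": image path, "dlls": [suspect DLL paths]}}.

    A load is suspect when the DLL sits in the host executable's own directory
    (search-order sideloading), that directory is not a standard install
    location, and the DLL is unsigned or its signature did not validate.
    """
    findings = defaultdict(lambda: {"host": None, "dlls": []})
    for ev in events:
        host, dll = ev["Image"], ev["ImageLoaded"]
        if not dll.lower().endswith(".dll"):
            continue
        host_dir = _dir(host)
        if _dir(dll) != host_dir or host_dir.startswith(EXPECTED_DIRS):
            continue
        unsigned = ev.get("Signed", "false").lower() != "true"
        invalid = ev.get("SignatureStatus", "") != "Valid"
        if unsigned or invalid:
            entry = findings[ev["ProcessGuid"]]
            entry["host"] = host
            entry["dlls"].append(dll)
    return dict(findings)


SAMPLE_EVENTS = [  # constructed records: one benign install, one sideload pattern
    {"ProcessGuid": "{A1}", "Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll",
     "Signed": "true", "Signature": "Vendor Inc", "SignatureStatus": "Valid"},
    {"ProcessGuid": "{B2}", "Image": "C:\\ProgramData\\Updater\\signedhost.exe",
     "ImageLoaded": "C:\\ProgramData\\Updater\\support.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"ProcessGuid": "{B2}", "Image": "C:\\ProgramData\\Updater\\signedhost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for guid, f in sideload_findings(SAMPLE_EVENTS).items():
        print(guid, f["host"], "->", ", ".join(f["dlls"]))
```

A sideloaded DLL that carries a valid certificate from an unrelated publisher passes this check; comparing the DLL's Signature field against the host binary's known publisher closes that gap.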
EXECUTIVE IMPACT  ·  This campaign targets defense contractors and government ministries specifically to collect intelligence over extended periods without detection. A ShadowPad deployment through DLL sideloading will not trigger most EDR signature alerts because the host process is legitimate and signed. Dwell time in confirmed campaigns has been measured in months.
DON'T MISS  ·  The ProxyLogon chain has been public since March 2021. This campaign is still using it in 2026 because unpatched Exchange servers continue to exist in government and defense environments where update cycles are constrained by operational requirements. The attacker does not need a new exploit when an old one still works. Any organization in the targeted sectors with internet-facing Exchange or IIS servers should verify ProxyLogon patches as an immediate first step regardless of when they believe they last updated.
CyberSip Take
SHADOW-EARTH-053 illustrates a pattern that runs through every nation-state campaign covered in this brief: the most effective persistent access does not require sophisticated zero-days. It requires finding the gap between when a patch was released and when the target organization applied it. The ProxyLogon chain is three years old. ShadowPad through DLL sideloading is a technique documented in multiple prior campaigns. The sophistication is in the selection of targets and the patience of the operation, not the novelty of the tools. The NATO targeting dimension is worth watching. Earlier this month we covered the China-nexus covert device network advisory signed by ten allied nations. SHADOW-EARTH-053 represents the targeted intrusion layer that sits above the opportunistic infrastructure layer those nations were warning about. The advisory described mass compromise of SOHO devices for traffic obfuscation. This campaign describes deliberate, targeted entry into specific government and defense networks. The two are complementary TTPs, not separate threat actors.
Recommended actions
Derived from Trend Micro threat research by Daniel Lunghi and Lucas Silva, published May 2026
02 New RCE · Actively Exploited
SharePoint CVE-2026-32201 confirmed actively exploited for remote code execution. Patch and restrict exposure now.
CVE-2026-32201
What happened
Microsoft SharePoint Server CVE-2026-32201, patched in April Patch Tuesday, has been confirmed as actively exploited for remote code execution this week. The vulnerability allows an attacker with network access to execute arbitrary code on the SharePoint server. Microsoft's original advisory did not flag the vulnerability as exploited at time of patch release, but updated the advisory this week to confirm active exploitation. SharePoint Server is widely deployed in enterprise environments for document management, intranet portals, and collaboration, and frequently has sensitive internal documents and data accessible to authenticated users. Unpatched instances with internet exposure represent a direct entry point into internal networks.
EXECUTIVE IMPACT  ·  SharePoint hosts internal documents, project files, HR records, and sensitive business data in most enterprise deployments. Remote code execution on the SharePoint server gives an attacker both that data and a trusted internal network foothold. Confirm the April cumulative update is applied across all SharePoint Server instances today.
DON'T MISS  ·  This vulnerability stems from an incomplete patch for a prior SharePoint flaw, CVE-2026-21510. When a patch is incomplete, security researchers and threat actors both find the bypass. The window between the April patch and confirmed active exploitation in early May is approximately two to three weeks. Organizations that stage SharePoint patches on a longer cycle than their internet-facing systems are carrying a gap that attackers are actively filling right now.
CyberSip Take
SharePoint is one of those applications that organizations tend to treat as internal infrastructure rather than an internet-facing attack surface. In many deployments it is both. Even SharePoint instances that are not directly internet-facing are often reachable from partner networks, VPN-connected home devices, or through lateral movement from a compromised endpoint. The confirmed RCE status means this is no longer a theoretical risk for unpatched organizations. Verify the April update is applied and restrict internet exposure where it is not required. Those are the two actions that close the immediate window.
Recommended actions
Derived from Microsoft Security Response Center advisory and eSecurity Planet threat research
03 New Breach · OT / Industrial
Itron confirms breach of corporate IT systems. Second major industrial firm hit this week after Medtronic.
Itron Breach · May 2026
What happened
Itron, a global provider of smart metering systems and grid management technology serving electric, gas, and water utilities worldwide, confirmed a cybersecurity incident affecting its corporate IT systems this week. Itron serves over 8,000 utilities and cities across more than 100 countries and provides the metering infrastructure and grid edge intelligence that underpins utility billing, demand response, and grid operations for a significant share of Western energy infrastructure. The company confirmed the breach was contained to corporate IT systems and stated that operational technology and customer-facing metering networks were not impacted at this time. The investigation is ongoing. No threat actor has publicly claimed responsibility and no data has appeared on known leak sites as of today.
EXECUTIVE IMPACT  ·  Itron's corporate IT environment holds utility customer data, grid configuration information, and operational contracts for critical energy infrastructure across over 100 countries. Even a corporate IT breach without OT impact exposes significant sensitive data. Utilities using Itron systems should monitor for any unusual activity or communications from Itron-managed endpoints.
DON'T MISS  ·  Two major industrial and infrastructure companies confirmed breaches in the same week. Medtronic from Issue 16 and now Itron. Both serve critical sectors. Both were contained to corporate IT at time of disclosure. The consistent framing of "corporate IT only, no OT impact" is the standard initial disclosure language, and it does not mean OT was never in scope. It means OT impact has not been confirmed yet. Utilities using Itron systems should not wait for an updated disclosure before reviewing their Itron-connected network segments for unusual activity.
CyberSip Take
The Lotus Wiper attack from Issue 11 targeted Venezuela's energy sector with a destructive payload. The BRIDGE:BREAK serial converter research from Issue 10 documented 20,000 exposed industrial devices. The China-nexus covert device network advisory from Issue 12 named critical infrastructure as a primary target. SHADOW-EARTH-053 from today's lead story is specifically targeting government and defense sectors in regions with active geopolitical tension. And now Itron, which sits at the center of utility metering infrastructure across over 100 countries, confirms a breach in the same week as a major medical device manufacturer. The pattern across April and into May is not subtle. The critical infrastructure sectors (energy, utilities, healthcare, and defense) are under coordinated, sustained pressure from multiple threat vectors simultaneously. Whether those vectors are connected or coincidental is less important than the operational posture question they raise: does your organization treat a corporate IT breach at a major infrastructure vendor as an internal matter for that vendor, or as a trigger to review your own connected exposure?
Recommended actions
Derived from Itron breach disclosure and eSecurity Planet threat research
Still watching
Aging items · days 2–6
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
cPanel CVE-2026-41940 (Issue 19). Federal deadline was May 3, yesterday. If you have not applied the April 28 patch, do it today. If you are on managed hosting, confirm with your provider that the patch is applied. Day 2
PyTorch Lightning Mini Shai-Hulud (Issue 19). Versions 2.6.2 and 2.6.3 compromised. Rotate credentials if installed April 30. Pin pip dependencies to specific verified versions. Day 2
Copy Fail CVE-2026-31431 (Issue 19). Linux kernel privilege escalation, any local user to root. Patches available from all major distributions. Priority for Kubernetes node kernels. Day 2
Cross-source standouts
What connects this week
01
Old vulnerabilities keep working because organizations keep not patching them
SHADOW-EARTH-053 is using the ProxyLogon chain from 2021. ConnectWise ScreenConnect CVE-2024-1709 from Issue 17 was patched in February 2024 and appeared in KEV in April 2026 because unpatched instances still exist. PaperCut from Issue 15 was first exploited in 2023 and returned to active exploitation status this month. The pattern is consistent across every week of coverage: the oldest vulnerabilities stop producing incidents only when they stop finding unpatched targets. The adversary does not need new tools when existing ones keep working.
02
Two major industrial breaches in one week is a data point worth filing
Medtronic and Itron both confirmed breaches within days of each other. Both are in sectors that nation-state actors specifically target for intelligence collection and pre-positioning. Both initially disclosed as corporate IT only with no confirmed OT impact. That framing may be accurate or it may be where the investigation currently stands. The practical response for organizations connected to either company's systems is the same regardless: review your segmentation, monitor your logs, and do not wait for an updated disclosure before asking whether your connected exposure has changed.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.