ShadowPad

Malware updated a month ago (2024-09-07T01:17:45.753Z)
ShadowPad is a modular malware that has been used by various Chinese threat actors since at least 2017. It is malicious software designed to infiltrate computer systems, often without the user's knowledge, and can cause significant damage by stealing personal information, disrupting operations, or holding data for ransom. ShadowPad is typically delivered through suspicious downloads, emails, or websites, and once inside a system it can deploy further harmful activity. According to a VB2023 paper, it was notably used as the payload in a supply chain attack targeting South Asian governments.

ShadowPad has been observed to have connections with other cyber threats. Winnti has been found to use legitimate utilities to load DLLs belonging to ShadowPad and PlugX. An examination of the Stately Taurus activity cluster also revealed a connection with another cluster that used the ShadowPad backdoor in the same environment: Listeners.bat, a tool used in the Stately Taurus cluster, was traced back to the same network session that wrote additional files and malware, including the ShadowPad backdoor, indicating a potential link between the ShadowPad activity and the VSCode activity associated with Stately Taurus.

ShadowPad command-and-control (C2) servers have been identified, such as one operated by the Tonto Team at lab.symantecsafe[.]org and another at the IP address 216.83.40[.]84. These servers are central to the malware's operation, allowing remote control of infected systems. ShadowPad infections have also been detected by Cortex XDR, highlighting the malware's broad reach. As one of the main tools used in these activity clusters, ShadowPad represents a significant threat to cybersecurity worldwide.
Description last updated: 2024-09-07T00:22:53.362Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names / profiles you may also want to look at.
Alias | Description | Votes
PlugX | PlugX is a possible alias for ShadowPad. PlugX is a malicious software (malware) known for its stealthy operations. It has been linked to several cyberattacks, and its use has been attributed to various threat groups, including Winnti and MustangPanda. The malware leverages DLL side-loading to remain undetected, making it a potent tool in... | 9
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Apt
Espionage
Loader
Trojan
Rat
Payload
Linux
State Sponso...
Encryption
Exploit
Cobalt Strike
Symantec
Tool
Implant
Windows
Chinese
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes
Poisonplug | The malware Poisonplug is associated with ShadowPad. | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Winnti | The Winnti Threat Actor is associated with ShadowPad. Winnti, a notorious threat actor group, has been linked to several sophisticated cyber-espionage activities. First identified by Kaspersky in 2013, the group is believed to have been active since at least 2007, primarily targeting software supply chains to spread malware. Winnti is part of the A... | Unspecified | 7
APT41 | The APT41 Threat Actor is associated with ShadowPad. APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a significant threat actor attributed to China. This group has been active since at least 2012 and has targeted organizations in over 14 countries. It uses a wide range of malware, with at least 46 different code families and tools obs... | Unspecified | 6
Redfly | The Redfly Threat Actor is associated with ShadowPad. RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan... | Unspecified | 5
Winnti Group | The Winnti Group Threat Actor is associated with ShadowPad. The Winnti Group, a threat actor associated with Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a... | Unspecified | 2
Bronze University | The Bronze University Threat Actor is associated with ShadowPad. Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat... | Unspecified | 2
Lancefly | The Lancefly Threat Actor is associated with ShadowPad. Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto... | Unspecified | 2
Earth Lusca | The Earth Lusca Threat Actor is associated with ShadowPad. Earth Lusca, a threat actor identified as being Chinese-speaking, has been active since at least the first half of 2023. The group primarily targets organizations in Southeast Asia, Central Asia, and the Balkans. Recently, it has expanded its arsenal with SprySOCKS Linux malware, a new addition that... | Unspecified | 2
I-Soon | The I-Soon Threat Actor is associated with ShadowPad. i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on Github. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently init... | Unspecified | 2
Redhotel | The Redhotel Threat Actor is associated with ShadowPad. RedHotel is a prolific threat actor group, known for its espionage activities targeting organizations of interest to the Chinese government. The group has been active since at least 2019 and operates alongside other threat groups such as RedAlpha and Poison Carp. Researchers at Recorded Future have ... | Unspecified | 2
Source Document References
Information about the ShadowPad malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At
DARKReading | a month ago
Unit42 | a month ago
Securityaffairs | 2 months ago
Securityaffairs | 2 months ago
Checkpoint | 2 months ago
Securityaffairs | 2 months ago
DARKReading | 2 months ago
BankInfoSecurity | 4 months ago
BankInfoSecurity | 6 months ago
DARKReading | 7 months ago
Trend Micro | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
Trend Micro | 7 months ago
CERT-EU | 8 months ago
Unit42 | 8 months ago
CERT-EU | 8 months ago
Securelist | 10 months ago
CERT-EU | a year ago
CERT-EU | a year ago