ShadowPad

Malware updated 16 days ago (2024-11-08T16:01:04.931Z)
ShadowPad is a sophisticated modular backdoor that has been popular among Chinese threat actors for over seven years. It typically infiltrates systems through suspicious downloads, emails, or websites; once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. ShadowPad was notably used as the payload in a supply chain attack targeting a South Asian government, as revealed in a VB2023 paper. The malware uses legitimate utilities to load DLLs belonging to itself and to PlugX, another notorious malware family. It has evolved over time, with Snappybee (Deed RAT) considered its successor; Snappybee employs DLL sideloading as its primary execution method.

A connection was observed between ShadowPad and the Stately Taurus activity cluster, particularly through the use of Listener.bat. This file originated from the same network session as other malware, including ShadowPad, indicating a potential link between the two. A ShadowPad infection was also detected by Cortex XDR, further demonstrating how widespread the malware is. Its command and control (C&C) server, lab.symantecsafe[.]org, was identified as belonging to the Tonto Team, illustrating the organized nature of these operations.

The continued use and evolution of ShadowPad highlight the persistent threat landscape organizations face today, and defensive measures need to be continuously updated and strengthened to counter it. The discovery of ShadowPad service names on 216.83.40[.]84 and the identification of the ShadowPad cluster attacker C2 indicate ongoing efforts to understand and neutralize this threat. As the connections between threat clusters such as ShadowPad and Stately Taurus become clearer, that knowledge will support the development of more robust defenses.
Description last updated: 2024-11-08T15:16:51.280Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.

Alias: PlugX (votes: 9)
PlugX is a possible alias for ShadowPad. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Apt
Espionage
Loader
Trojan
Rat
Payload
Linux
State Sponso...
Encryption
Exploit
Cobalt Strike
Symantec
Tool
Implant
Windows
Chinese
Associated Malware
Malware: Poisonplug (association type: Unspecified; votes: 2)
The malware Poisonplug is associated with ShadowPad.
Associated Threat Actors
Threat actor: Winnti (association type: Unspecified; votes: 7)
The Winnti Threat Actor is associated with ShadowPad. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such

Threat actor: APT41 (association type: Unspecified; votes: 6)
The APT41 Threat Actor is associated with ShadowPad. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi

Threat actor: Redfly (association type: Unspecified; votes: 5)
The Redfly Threat Actor is associated with ShadowPad. RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan

Threat actor: Winnti Group (association type: Unspecified; votes: 2)
The Winnti Group Threat Actor is associated with ShadowPad. The Winnti Group, a threat actor associated with Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a

Threat actor: Bronze University (association type: Unspecified; votes: 2)
The Bronze University Threat Actor is associated with ShadowPad. Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat

Threat actor: Lancefly (association type: Unspecified; votes: 2)
The Lancefly Threat Actor is associated with ShadowPad. Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto

Threat actor: Earth Lusca (association type: Unspecified; votes: 2)
The Earth Lusca Threat Actor is associated with ShadowPad. Earth Lusca, a threat actor believed to be part of the China-backed Winnti collective, has been active since at least 2019 and is known for its cyber-espionage activities. The group primarily targets government organizations in Asia, Latin America, and other regions. Recently, it has expanded its ar

Threat actor: I-Soon (association type: Unspecified; votes: 2)
The I-Soon Threat Actor is associated with ShadowPad. i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on GitHub. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently init

Threat actor: Redhotel (association type: Unspecified; votes: 2)
The Redhotel Threat Actor is associated with ShadowPad. RedHotel is a prolific threat actor group, known for its espionage activities targeting organizations of interest to the Chinese government. The group has been active since at least 2019 and operates alongside other threat groups such as RedAlpha and Poison Carp. Researchers at Recorded Future have