ShadowPad

Malware updated a month ago (2024-11-29T14:31:53.866Z)
ShadowPad is a modular backdoor that has been active for roughly seven years and is shared among many Chinese threat actors rather than tied to a single operator. It is best known for its use in software supply chain attacks, and more recently as the payload in intrusions against government entities in South Asia, where the Winnti group delivered it by DLL sideloading through legitimate, signed utilities. Loaders seen in these campaigns load DLLs from both ShadowPad and PlugX, and ShadowPad has been observed alongside other malicious components such as the Listener.bat script attributed to Stately Taurus.

The backdoor has been linked to several distinct activity clusters. Traces of it were found in UNC2643 activity, which is in turn connected to the HAFNIUM threat actor, and a ShadowPad C&C server, lab.symantecsafe[.]org, has been attributed to Tonto Team. In one environment the Stately Taurus activity cluster overlapped with a second cluster that used the ShadowPad backdoor; Cobalt Strike beacons and two files originating from the same network session suggest a link between that ShadowPad activity and the VSCode activity attributed to Stately Taurus. Cortex XDR telemetry has also recorded ShadowPad infections.

Snappybee (Deed RAT), documented by Positive Technologies, is regarded as ShadowPad's successor. Like ShadowPad and Zingdoor, Snappybee is primarily executed through DLL sideloading. Because the backdoor is shared across groups and keeps evolving, its presence alone is weak evidence for attribution; the loader, the sideloading host executable and the C&C infrastructure are the more useful discriminators for both detection and attribution.
Description last updated: 2024-11-28T11:43:39.509Z
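The delivery technique named above for ShadowPad, PlugX, Snappybee and Zingdoor is DLL sideloading: a legitimate signed executable is dropped next to a malicious DLL that carries the name of a library the executable expects to load. The following is an added example, not code from this page or from any vendor it cites, showing a heuristic detector for that pattern run over Sysmon-style image-load records. The sample events, the signer names, the paths and the list of commonly shadowed library names are all constructed assumptions.

```python
"""Heuristic detector for DLL side-loading over Sysmon-style image-load events.

Added example, not code from the page or from any vendor it cites. Two
patterns are flagged:
  1. a DLL whose name matches a commonly shadowed Windows library, loaded
     from outside the Windows system directories;
  2. a DLL loaded from the same directory as a signed host executable but
     carrying a different signer (or no signature at all).
The sample records, signer names and paths below are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories that legitimately hold Windows' own copies of these libraries.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Library names frequently impersonated by side-loaded payloads
# (illustrative assumption, not an exhaustive list).
COMMONLY_SHADOWED = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "userenv.dll", "log.dll", "msvcr100.dll",
}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event; Sysmon Event ID 7 carries equivalent fields."""
    process: str          # full path of the process image doing the load
    process_signer: str   # signer of the process image, "" if unsigned
    image: str            # full path of the DLL that was loaded
    image_signer: str     # signer of the DLL, "" if unsigned


def _norm(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.normpath(path).lower()


def in_system_dir(path: str) -> bool:
    d = ntpath.dirname(_norm(path))
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string if the load looks like side-loading, else None."""
    name = ntpath.basename(_norm(ev.image))
    if name in COMMONLY_SHADOWED and not in_system_dir(ev.image):
        return f"{name} loaded from a non-system directory"
    same_dir = ntpath.dirname(_norm(ev.image)) == ntpath.dirname(_norm(ev.process))
    if same_dir and ev.process_signer and ev.image_signer != ev.process_signer:
        return "DLL beside a signed host executable has a different or missing signer"
    return None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (dll path, reason) for every suspicious event, in input order."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            hits.append((ev.image, reason))
    return hits


# Constructed sample telemetry: a benign system load, a side-load of a
# system-named DLL, a vendor app loading its own signed helper, and an
# unsigned DLL dropped beside a signed host binary relocated to a user profile.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Windows",
              r"C:\Windows\System32\version.dll", "Microsoft Windows"),
    ImageLoad(r"C:\ProgramData\Update\host.exe", "Example Vendor Ltd",
              r"C:\ProgramData\Update\log.dll", ""),
    ImageLoad(r"C:\Program Files\Example\app.exe", "Example Vendor Ltd",
              r"C:\Program Files\Example\helper.dll", "Example Vendor Ltd"),
    ImageLoad(r"C:\Users\alice\AppData\Roaming\Tool\tool.exe", "Example Vendor Ltd",
              r"C:\Users\alice\AppData\Roaming\Tool\plugin.dll", ""),
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"SUSPECT {image}: {reason}")
```

The second rule is deliberately broad and will also fire on legitimate software that ships unsigned plugins beside a signed executable, so in production it belongs behind an allow-list of known vendor directories; the first rule, a system-named DLL outside the system directories, is the higher-confidence signal and is the one worth alerting on directly.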
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
PlugX (possible alias; 9 votes): PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Apt
Espionage
Loader
Trojan
Rat
Payload
Linux
State Sponso...
Encryption
Exploit
Cobalt Strike
Symantec
Tool
Implant
Windows
Chinese
Associated Malware
Poisonplug (association type: Unspecified; 2 votes): The malware Poisonplug is associated with ShadowPad.
Associated Threat Actors
Winnti (association type: Unspecified; 7 votes): Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such
APT41 (association type: Unspecified; 6 votes): APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi
Redfly (association type: Unspecified; 5 votes): RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan
Winnti Group (association type: Unspecified; 2 votes): The Winnti Group, a threat actor associated with Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a
Bronze University (association type: Unspecified; 2 votes): Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat
Lancefly (association type: Unspecified; 2 votes): Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto
Earth Lusca (association type: Unspecified; 2 votes): Earth Lusca, a threat actor believed to be part of the China-backed Winnti collective, has been active since at least 2019 and is known for its cyber-espionage activities. The group primarily targets government organizations in Asia, Latin America, and other regions. Recently, it has expanded its ar
I-Soon (association type: Unspecified; 2 votes): i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on Github. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently init
Redhotel (association type: Unspecified; 2 votes): RedHotel is a prolific threat actor group, known for its espionage activities targeting organizations of interest to the Chinese government. The group has been active since at least 2019 and operates alongside other threat groups such as RedAlpha and Poison Carp. Researchers at Recorded Future have
Source Document References
Information about the ShadowPad Malware was read from the documents corpus below. This display is limited to 20 results.
Securelist (a month ago)
Trend Micro (2 months ago)
DARKReading (4 months ago)
Unit42 (4 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Checkpoint (5 months ago)
Securityaffairs (5 months ago)
DARKReading (5 months ago)
BankInfoSecurity (6 months ago)
BankInfoSecurity (9 months ago)
DARKReading (9 months ago)
Trend Micro (10 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
Trend Micro (10 months ago)
CERT-EU (10 months ago)
Unit42 (10 months ago)
CERT-EU (10 months ago)
Securelist (a year ago)