ShadowPad

Malware Profile Updated a month ago
ShadowPad is a modular backdoor that has been used by multiple Chinese threat groups since 2017. It was the payload in a supply chain attack targeting South Asian governments, as detailed in a VB2023 paper. The malware's operations are often facilitated through legitimate utilities, such as Winnti, which load DLLs from ShadowPad and PlugX. Two command-and-control (C2) servers have been identified: lab.symantecsafe[.]org, associated with Tonto Team, and ns.rtechs[.]org, whose attribution remains unclassified. The threat actors Earth Krahang and Earth Lusca have also employed ShadowPad, often together with other threats such as PlugX and tools such as Cobalt Strike and RedGuard.

The cybersecurity firm Recorded Future established connections between the widespread use of ShadowPad and iSoon, a group known for developing and selling custom malware variants. This relationship was further substantiated by telemetry data showing the threat actor dropping PlugX and ShadowPad samples in victim environments. Moreover, ShadowPad samples bore identical characteristics to those observed in a previous report on Earth Lusca. Anxun, a company involved with remote-control management systems, was linked to ShadowPad through a leaked white paper on GitHub, which revealed an IP address used as a C2 server in August 2021. Investigations into Anxun's activities confirmed its involvement with ShadowPad and with a 2022 attack against the Canadian software company Comm100. This suggests that Anxun develops or promotes tools frequently used by Chinese APT groups. Evidence points towards an insider being responsible for the breach, given the specific nature of the information and how it was publicized.

Further ties were found between ShadowPad, the Winnti malware families, and i-SOON, as referenced in the US Justice Department's indictment of APT41 and Chengdu404. Both Earth Lusca and i-SOON have extensively used malware such as ShadowPad and Winnti, indicating a shared toolkit among these threat actors.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
PlugX | 8 | PlugX is a notorious malware, often used by various threat groups in their cyberattacks. It has been linked to several high-profile activities, such as those of the Winnti group and the LockFile ransomware activity. This Remote Access Trojan (RAT) employs sophisticated techniques like DLL side-loadi
BISCUIT | 1 | "Biscuit" is a sophisticated malware variant that was notably used in an attack campaign titled "Operation Bitter Biscuit". This operation was first reported by AhnLab in October 2017, targeting entities in South Korea, Japan, India, and Russia. The offensive made use of the Bisonal remote access tr
Ta428 | 1 | TA428 is a sophisticated malware toolkit associated with several cyber threat groups, including Bronze Union (also known as LuckyMouse or APT27) and BackdoorDiplomacy. The TA428 toolkit includes various malicious software like Albaniiutas (RemShell), which is specifically mentioned in an ESET report
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Backdoor
Espionage
Trojan
Linux
State Sponso...
Payload
Rat
Loader
Encryption
Symantec
Cobalt Strike
Implant
Chinese
Windows
Exploit
Vmware
Lateral Move...
Infiltration
State Sponso...
Github
ISOON
Shellcode
exploited
Antivirus
Cybercrime
Government
Vulnerability
Zimbra
Rootkit
Associated Malware
ID | Type | Votes | Profile Description
Poisonplug | Unspecified | 2 | None
Axiomaticasymptote | Unspecified | 1 | Axiomaticasymptote is a type of malware, a malicious software designed to infiltrate and damage computer systems without the user's knowledge. It typically operates in conjunction with other malware such as Cobalt Strike, Meterpreter, PlugX, Mythic, Metasploit, XtremeRAT, and CROSSWALK. These harmfu
Taurus | Unspecified | 1 | Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
China Chopper | Unspecified | 1 | China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated
Korplug | Unspecified | 1 | Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
Stately Taurus | Unspecified | 1 | Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a potent malware linked to Chinese Advanced Persistent Threat (APT) activities. The first signs of its operation date back to at least 2012, with notable activity traced to Marc
HyperBro | Unspecified | 1 | HyperBro is a malicious software (malware) that has been utilized in a sophisticated cyber espionage campaign targeting semiconductor industries primarily in Taiwan, Hong Kong, and Singapore. This malware was discovered being used in conjunction with a lure purporting to be from the Taiwan Semicondu
ZxShell | Unspecified | 1 | ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
Nebulae | Unspecified | 1 | None
Bisonal | Unspecified | 1 | Bisonal is a multifunctional malware that has been in use for over a decade by the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. This malicious software is known for its extensive capabilities including process and file information harvesting, command and file exec
KeyBoy | Unspecified | 1 | KeyBoy is a malicious software (malware) primarily linked to the cyber espionage group known as TA413, which has historically targeted Tibetan entities. The malware is designed with an array of functionalities that allow it to infiltrate and exploit computer systems, including screen grabbing, deter
Associated Threat Actors
ID | Type | Votes | Profile Description
Winnti | Unspecified | 7 | Winnti, also known as Starchy Taurus, APT41, Axiom, Barium, Blackfly, and HOODOO, is a prominent threat actor originating from China. The group has been active since at least 2007 and is notorious for its sophisticated cyberespionage campaigns. The group's activities have been linked to a shared Chi
Redfly | Unspecified | 5 | RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan
APT41 | Unspecified | 5 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, among other names, is a threat actor suspected to originate from China. With potential ties to the Chinese government, APT41 has been involved in complex cyber espionage operations since at least 2012, targeting organizations in at least
Winnti Group | Unspecified | 2 | The Winnti Group, a collective of several Chinese Advanced Persistent Threat (APT) groups including APT41, is renowned for its malicious cyber activities. First gaining notoriety for its attacks on computer game developers, the group has since been linked to high-level cyber espionage conducted by t
Bronze University | Unspecified | 2 | Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat
Lancefly | Unspecified | 2 | Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto
Earth Lusca | Unspecified | 2 | Earth Lusca is a significant threat actor that has recently expanded its malicious arsenal with the SprySOCKS Linux malware, posing an increased risk to global cybersecurity. This group is known for executing actions with harmful intent, and could be composed of individuals, private companies, or go
Redhotel | Unspecified | 2 | RedHotel, also known as Aquatic Panda, ControlX, and Bronze University, is a prolific espionage group that targets organizations of interest to the Chinese government. The group has been linked to Chinese state-sponsored hacking groups such as RedAlpha, Poison Carp, and APT27 (aka Budworm, LuckyMous
I-Soon | Unspecified | 2 | i-SOON, a threat actor believed to be operating out of China, has come into the limelight due to a significant data leak. The leaked documents provide an inside view of i-SOON's operations, revealing its role in executing cyberespionage campaigns on behalf of various Chinese government agencies. Thi
Barium | Unspecified | 1 | Barium, also known as BRONZE ATLAS, APT41, TA415, and part of the Winnti Group, is a China-linked cyberespionage threat actor that has been active since at least 2007. Notable for its deployment of sophisticated malware such as ShadowPad and KEYPLUG, Barium has been implicated in numerous cyber atta
Bronze Atlas | Unspecified | 1 | Bronze Atlas, also known as APT41, Winnti Group, or HOODOO, is a significant threat actor identified in the cybersecurity industry. The group has been involved in various malicious activities and has been tracked by Secureworks' Counter Threat Unit since at least 2007. According to Marc Burnard, a s
Volt Typhoon | Unspecified | 1 | Volt Typhoon is a threat actor associated with the Chinese government, known for its sophisticated cyber espionage campaigns targeting critical infrastructure in the US. The group has demonstrated strong operational security and advanced techniques for reconnaissance and lateral movement, as evidenc
Red Echo | Unspecified | 1 | Red Echo, also known as Redfly, is a subgroup within the larger threat actor group Winnti. This group has been identified as responsible for a series of cyber-attacks with malicious intent, targeting various entities globally. In a recent campaign, Red Echo managed to infiltrate and occupy the netwo
Mustang Panda | Unspecified | 1 | Mustang Panda, also known as Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, and Stately Taurus, is a Chinese-aligned threat actor group that has been active since at least March 2022. Initially targeting the Asia-Pacific region, Mustang Panda has expanded its activities to E
Crosswalk | Unspecified | 1 | Crosswalk, a threat actor in the cybersecurity industry, has been identified as utilizing FakeTLS in its traffic, presenting significant security concerns. This modular backdoor is implemented in shellcode, with the main payload being the Crosswalk backdoor itself. The malicious files associated wit
Earth Krahang | Unspecified | 1 | Earth Krahang, an Advanced Persistent Threat (APT) group, has been identified as a significant threat actor in the cybersecurity landscape. This entity, possibly linked to Chinese state hacking contractor iSoon, has been responsible for breaching numerous government organizations worldwide. Trend Mi
Blackfly | Unspecified | 1 | Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz
BRONZE BUTLER | Unspecified | 1 | Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving gov
BRONZE HUNTLEY | Unspecified | 1 | Bronze Huntley is a recognized threat actor, known for its malicious activities in the cybersecurity domain. The group has been identified as using the ShadowPad DLL loader (secur32.dll), a notorious tool that allows them to inject malicious code into legitimate processes, thus evading detection and
CactusPete | Unspecified | 1 | CactusPete, also known as Tonto Team, is a Chinese-speaking cyber-espionage group that has been active since at least 2012. Characterized by medium-level technical capabilities, CactusPete has demonstrated a significant development pace, producing more than 20 samples per month. The group primarily
BITTER | Unspecified | 1 | Bitter, also known as T-APT-17, is a suspected South Asian threat actor that has been involved in various cyber campaigns. The group has been active since at least August 2021, with its operations primarily targeting government personnel in Bangladesh through spear-phishing emails. The similarities
Tick | Unspecified | 1 | Tick is a threat actor, likely originating from the People's Republic of China, that has been associated with malicious activities in cyberspace. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have investigated the activities of this group, also known as BRONZE BUTLER. T
Tonto Team | Unspecified | 1 | Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi
Wicked Panda | Unspecified | 1 | Wicked Panda, also known as APT41, Double Dragon, and Bronze Atlas, is a state-sponsored threat actor originating from China, recognized for its dual espionage and cybercrime operations. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center has identified Wicke
Earth Akhlut | Unspecified | 1 | Earth Akhlut is a recognized threat actor, originating from China, known for its malicious activities in the realm of cybersecurity. Since 2019, it has been involved in distributing the Shadowpad malware, a sophisticated tool that has caused significant concern within the cybersecurity community. Th
Operation Bitter Biscuit | Unspecified | 1 | Operation Bitter Biscuit, as reported by AhnLab, was a malicious campaign executed by a threat actor known as the Tonto Team. This operation targeted entities in South Korea, Japan, India, and Russia, with the initial report being published in October 2017. The main tools used in this cyber-attack w
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Korplug/plugx | Unspecified | 1 | None
Winnti/pasteboy | Unspecified | 1 | None
Source Document References
Information about the ShadowPad malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Secureworks | a year ago | ShadowPad Malware Analysis
Trend Micro | a year ago | Supply Chain Attack Targeting Pakistani Government Delivers Shadowpad
MITRE | a year ago | Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
CERT-EU | a year ago | Higaisa or Winnti? APT41 backdoors, old and new
MITRE | a year ago | ShadowPad in corporate networks
MITRE | a year ago | Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
InfoSecurity-magazine | a year ago | Chinese Hackers Infiltrate South American Diplomatic Networks
CERT-EU | a year ago | China reportedly has 50 hackers for every FBI cyber agent; the FBI director denounces China's cyber threat and asks for more budget
Unit42 | 9 months ago | Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
Recorded Future | a year ago | 2022 Adversary Infrastructure Report
CERT-EU | a year ago | Space Pirates: analyzing the tools and connections of a new hacker group
CERT-EU | a year ago | New NAPLISTENER Malware Used by REF2924 Group to Evade Network Detection
CERT-EU | a year ago | Hackers target Pakistani government, bank and telecom provider with China-made malware
Securityaffairs | 9 months ago | Redfly group infiltrated an Asian national grid as long as six months
CERT-EU | 9 months ago | Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign
InfoSecurity-magazine | a year ago | Chinese APT Favorite Backdoor Found in Pakistani Government App
Secureworks | a year ago | BRONZE STARLIGHT Ransomware Operations Use HUI Loader
MITRE | a year ago | CactusPete APT group’s updated Bisonal backdoor
DARKReading | 9 months ago | China's Winnti APT Compromises National Grid in Asia for 6 Months
BankInfoSecurity | 9 months ago | Chinese APT41 Implicated in Asian National Power Grid Hack