Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.
2023-09-12 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20230912:redfly:b57156b,
author = {Threat Hunter Team},
title = {{Redfly: Espionage Actors Continue to Target Critical Infrastructure}},
date = {2023-09-12},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks},
language = {English},
urldate = {2023-12-04}
}
Redfly: Espionage Actors Continue to Target Critical Infrastructure
ShadowPad |
2023-08-07 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20230807:redhotel:ee4dd20,
author = {Insikt Group},
title = {{RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale}},
date = {2023-08-07},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf},
language = {English},
urldate = {2023-08-09}
}
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca |
2023-07-14 ⋅ Trend Micro ⋅ Daniel Lunghi
@online{lunghi:20230714:possible:94fad78,
author = {Daniel Lunghi},
title = {{Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad}},
date = {2023-07-14},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html},
language = {English},
urldate = {2023-09-04}
}
Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad
ShadowPad |
2023-05-15 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20230515:lancefly:49fd53e,
author = {Threat Hunter Team},
title = {{Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors}},
date = {2023-05-15},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor},
language = {English},
urldate = {2023-05-26}
}
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Merdoor PlugX ShadowPad ZXShell Lancefly |
2023-02-02 ⋅ Elastic ⋅ Salim Bitam, Remco Sprooten, Cyril François, Andrew Pease, Devon Kerr, Seth Goodwin
@online{bitam:20230202:update:57ea3a2,
author = {Salim Bitam and Remco Sprooten and Cyril François and Andrew Pease and Devon Kerr and Seth Goodwin},
title = {{Update to the REF2924 intrusion set and related campaigns}},
date = {2023-02-02},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns},
language = {English},
urldate = {2023-03-21}
}
Update to the REF2924 intrusion set and related campaigns
DoorMe ShadowPad SiestaGraph |
2022-10-25 ⋅ VMware Threat Analysis Unit ⋅ Takahiro Haruyama
@techreport{haruyama:20221025:tracking:1f60260,
author = {Takahiro Haruyama},
title = {{Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning}},
date = {2022-10-25},
institution = {VMware Threat Analysis Unit},
url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf},
language = {English},
urldate = {2022-11-01}
}
Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti |
2022-09-30 ⋅ NCC Group ⋅ William Backhouse, Michael Mullen, Nikolaos Pantazopoulos
@online{backhouse:20220930:glimpse:5194be6,
author = {William Backhouse and Michael Mullen and Nikolaos Pantazopoulos},
title = {{A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion}},
date = {2022-09-30},
organization = {NCC Group},
url = {https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/},
language = {English},
urldate = {2022-10-04}
}
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
ShadowPad |
2022-09-19 ⋅ Virus Bulletin ⋅ Takahiro Haruyama
@techreport{haruyama:20220919:tracking:bffa146,
author = {Takahiro Haruyama},
title = {{Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning}},
date = {2022-09-19},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf},
language = {English},
urldate = {2022-11-01}
}
Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti |
2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20220913:new:2ff2e98,
author = {Threat Hunter Team},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
2022-09-06 ⋅ ESET Research ⋅ Thibaut Passilly
@online{passilly:20220906:worok:0c106ac,
author = {Thibaut Passilly},
title = {{Worok: The big picture}},
date = {2022-09-06},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/},
language = {English},
urldate = {2022-09-10}
}
Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad Worok |
2022-07-01 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20220701:toddycat:485d554,
author = {RiskIQ},
title = {{ToddyCat: A Guided Journey through the Attacker's Infrastructure}},
date = {2022-07-01},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/d8b749f2},
language = {English},
urldate = {2022-07-15}
}
ToddyCat: A Guided Journey through the Attacker's Infrastructure
ShadowPad ToddyCat |
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov
@online{snegirev:20220627:attacks:100c151,
author = {Artem Snegirev and Kirill Kruglov},
title = {{Attacks on industrial control systems using ShadowPad}},
date = {2022-06-27},
organization = {Kaspersky ICS CERT},
url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/},
language = {English},
urldate = {2022-06-29}
}
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies
@online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh
@techreport{chang:20220512:next:5fd8a83,
author = {Leon Chang and Silvia Yeh},
title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}},
date = {2022-05-12},
institution = {TEAMT5},
url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf},
language = {English},
urldate = {2022-08-08}
}
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu |
2022-05-02 ⋅ Sentinel LABS ⋅ Joey Chen, Amitai Ben Shushan Ehrlich
@online{chen:20220502:moshen:1969df2,
author = {Joey Chen and Amitai Ben Shushan Ehrlich},
title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}},
date = {2022-05-02},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/},
language = {English},
urldate = {2022-05-04}
}
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad |
2022-04-28 ⋅ PWC ⋅ PWC UK
@techreport{uk:20220428:cyber:46707aa,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
language = {English},
urldate = {2023-07-02}
}
Cyber Threats 2021: A Year in Retrospect
BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
2022-04-08 ⋅ The Register ⋅ Laura Dobberstein
@online{dobberstein:20220408:china:6626bbc,
author = {Laura Dobberstein},
title = {{China accused of cyberattacks on Indian power grid}},
date = {2022-04-08},
organization = {The Register},
url = {https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/},
language = {English},
urldate = {2022-04-12}
}
China accused of cyberattacks on Indian power grid
ShadowPad |
2022-04-06 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20220406:continued:dcee8d2,
author = {Insikt Group®},
title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)}},
date = {2022-04-06},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf},
language = {English},
urldate = {2022-08-05}
}
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)
ShadowPad |
2022-04-06 ⋅ Recorded Future ⋅ Insikt Group
@online{group:20220406:continued:cdf57e5,
author = {Insikt Group},
title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group}},
date = {2022-04-06},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/},
language = {English},
urldate = {2022-04-12}
}
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group
ShadowPad |
2022-02-23 ⋅ Dragos ⋅ Dragos
@techreport{dragos:20220223:2021:539931a,
author = {Dragos},
title = {{2021 ICS OT Cybersecurity Year In Review}},
date = {2022-02-23},
institution = {Dragos},
url = {https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf},
language = {English},
urldate = {2022-04-12}
}
2021 ICS OT Cybersecurity Year In Review
ShadowPad |
2022-02-15 ⋅ The Hacker News ⋅ Ravie Lakshmanan
@online{lakshmanan:20220215:researchers:834fc13,
author = {Ravie Lakshmanan},
title = {{Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA}},
date = {2022-02-15},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html},
language = {English},
urldate = {2022-02-17}
}
Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA
ShadowPad |
2022-02-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20220215:shadowpad:cd3fa10,
author = {Counter Threat Unit ResearchTeam},
title = {{ShadowPad Malware Analysis}},
date = {2022-02-15},
organization = {Secureworks},
url = {https://www.secureworks.com/research/shadowpad-malware-analysis},
language = {English},
urldate = {2022-02-17}
}
ShadowPad Malware Analysis
ShadowPad |
2022-01-17 ⋅ Trend Micro ⋅ Joseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet
@techreport{chen:20220117:delving:4cd2b1c,
author = {Joseph Chen and Kenney Lu and Gloria Chen and Jaromír Hořejší and Daniel Lunghi and Cedric Pernet},
title = {{Delving Deep: An Analysis of Earth Lusca’s Operations}},
date = {2022-01-17},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf},
language = {English},
urldate = {2022-07-25}
}
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca |
2021-12-17 ⋅ FBI ⋅ FBI
@techreport{fbi:20211217:ac000159mw:03082da,
author = {FBI},
title = {{AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)}},
date = {2021-12-17},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/211220.pdf},
language = {English},
urldate = {2021-12-23}
}
AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)
ShadowPad |
2021-12-16 ⋅ TEAMT5 ⋅ Charles Li, Aragorn Tseng, Peter Syu, Tom Lai
@online{li:20211216:winnti:adce3fa,
author = {Charles Li and Aragorn Tseng and Peter Syu and Tom Lai},
title = {{Winnti is Coming - Evolution after Prosecution}},
date = {2021-12-16},
organization = {TEAMT5},
url = {https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021},
language = {English},
urldate = {2023-04-28}
}
Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder |
2021-12-08 ⋅ PWC UK ⋅ Adam Prescott
@online{prescott:20211208:chasing:3921a35,
author = {Adam Prescott},
title = {{Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad}},
date = {2021-12-08},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html},
language = {English},
urldate = {2021-12-13}
}
Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad
ShadowPad Earth Lusca |
2021-11-19 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka
@online{amawaka:20211119:its:bd24ebf,
author = {Asuna Amawaka},
title = {{It’s a BEE! It’s a… no, it’s ShadowPad.}},
date = {2021-11-19},
organization = {insomniacs(Medium)},
url = {https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2},
language = {English},
urldate = {2021-11-25}
}
It’s a BEE! It’s a… no, it’s ShadowPad.
ShadowPad |
2021-11-04 ⋅ Youtube (Virus Bulletin) ⋅ Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20211104:shadowpad:8dbd5c7,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}},
date = {2021-11-04},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=r1zAVX_HnJg},
language = {English},
urldate = {2022-08-08}
}
ShadowPad: the masterpiece of privately sold malware in Chinese espionage
PlugX ShadowPad |
2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f,
author = {Kaspersky Lab ICS CERT},
title = {{APT attacks on industrial organizations in H1 2021}},
date = {2021-10-26},
institution = {Kaspersky},
url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf},
language = {English},
urldate = {2021-11-08}
}
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy |
2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20210901:shadowpad:f9ae111,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}},
date = {2021-09-01},
organization = {YouTube (Hack In The Box Security Conference)},
url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U},
language = {English},
urldate = {2022-08-08}
}
SHADOWPAD: Chinese Espionage Malware-as-a-Service
PlugX ShadowPad |
2021-08-23 ⋅ SentinelOne ⋅ Yi-Jhen Hsieh, Joey Chen
@techreport{hsieh:20210823:shadowpad:58780f1,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-23},
institution = {SentinelOne},
url = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf},
language = {English},
urldate = {2022-07-18}
}
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage
PlugX ShadowPad |
2021-08-19 ⋅ Sentinel LABS ⋅ Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20210819:shadowpad:04bbb1e,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-19},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/},
language = {English},
urldate = {2021-08-23}
}
ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad |
2021-08-12 ⋅ Sentinel LABS ⋅ SentinelLabs
@techreport{sentinellabs:20210812:shadowpad:61c0a20,
author = {SentinelLabs},
title = {{ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-12},
institution = {Sentinel LABS},
url = {https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf},
language = {English},
urldate = {2022-07-25}
}
ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad Earth Lusca |
2021-07-08 ⋅ YouTube (PT Product Update) ⋅ Denis Kuvshinov
@online{kuvshinov:20210708:how:ea6d201,
author = {Denis Kuvshinov},
title = {{How winnti APT grouping works}},
date = {2021-07-08},
organization = {YouTube (PT Product Update)},
url = {https://www.youtube.com/watch?v=_fstHQSK-kk},
language = {Russian},
urldate = {2021-09-20}
}
How winnti APT grouping works
Korlia ShadowPad Winnti |
2021-07-08 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210708:chinese:98d34d3,
author = {Insikt Group®},
title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}},
date = {2021-07-08},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/},
language = {English},
urldate = {2021-07-12}
}
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti |
2021-07-08 ⋅ PTSecurity ⋅ Denis Kuvshinov
@techreport{kuvshinov:20210708:how:2e5a659,
author = {Denis Kuvshinov},
title = {{How winnti APT grouping works}},
date = {2021-07-08},
institution = {PTSecurity},
url = {https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf},
language = {Russian},
urldate = {2021-09-20}
}
How winnti APT grouping works
Korlia ShadowPad Winnti |
2021-06-16 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210616:threat:d585785,
author = {Insikt Group®},
title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}},
date = {2021-06-16},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf},
language = {English},
urldate = {2022-07-29}
}
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA |
2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4,
author = {Threat Detection NTT Ltd.},
title = {{The Operations of Winnti group}},
date = {2021-04-29},
institution = {NTT},
url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf},
language = {English},
urldate = {2021-08-09}
}
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca |
2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4,
author = {Catalin Cimpanu},
title = {{RedEcho group parks domains after public exposure}},
date = {2021-03-29},
organization = {The Record},
url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/},
language = {English},
urldate = {2021-03-31}
}
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210228:chinalinked:2fb1230,
author = {Insikt Group®},
title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf},
language = {English},
urldate = {2021-03-04}
}
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210228:chinalinked:ce3b62d,
author = {Insikt Group®},
title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/},
language = {English},
urldate = {2021-03-31}
}
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20201210:operation:0eecfc8,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/},
language = {English},
urldate = {2020-12-10}
}
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger |
2020-11-23 ⋅ Youtube (OWASP DevSlop) ⋅ Negar Shabab, Noushin Shabab
@online{shabab:20201123:compromised:6dd1417,
author = {Negar Shabab and Noushin Shabab},
title = {{Compromised Compilers - A new perspective of supply chain cyber attacks}},
date = {2020-11-23},
organization = {Youtube (OWASP DevSlop)},
url = {https://www.youtube.com/watch?v=55kaaMGBARM},
language = {English},
urldate = {2020-11-23}
}
Compromised Compilers - A new perspective of supply chain cyber attacks
ShadowPad |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad |
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20200918:apt41:363daa8,
author = {Threat Hunter Team},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-08 ⋅ PTSecurity ⋅ PTSecurity
@techreport{ptsecurity:20200908:shadowpad:2903f45,
author = {PTSecurity},
title = {{ShadowPad: new activity from the Winnti group}},
date = {2020-09-08},
institution = {PTSecurity},
url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf},
language = {English},
urldate = {2020-10-08}
}
ShadowPad: new activity from the Winnti group
CCleaner Backdoor Korlia ShadowPad TypeHash |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-14 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
@online{team:20200714:manufacturing:3e552ec,
author = {Falcon OverWatch Team},
title = {{Manufacturing Industry in the Adversaries’ Crosshairs}},
date = {2020-07-14},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/},
language = {English},
urldate = {2020-07-23}
}
Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake |
2020-03-03 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019:A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
2020-01-31 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20200131:winnti:9f891e4,
author = {Mathieu Tartare},
title = {{Winnti Group targeting universities in Hong Kong}},
date = {2020-01-31},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/},
language = {English},
urldate = {2020-02-03}
}
Winnti Group targeting universities in Hong Kong
ShadowPad Winnti |
2019-10-07 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8,
author = {Marc-Etienne M.Léveillé and Mathieu Tartare},
title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}},
date = {2019-10-07},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf},
language = {English},
urldate = {2020-01-10}
}
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-04-23 ⋅ Kaspersky Labs ⋅ GReAT, AMR
@online{great:20190423:operation:20b8f83,
author = {GReAT and AMR},
title = {{Operation ShadowHammer: a high-profile supply chain attack}},
date = {2019-04-23},
organization = {Kaspersky Labs},
url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/},
language = {English},
urldate = {2019-12-20}
}
Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad |
2019-04-22 ⋅ Trend Micro ⋅ Mohamad Mokbel
@online{mokbel:20190422:cc:23b1202,
author = {Mohamad Mokbel},
title = {{C/C++ Runtime Library Code Tampering in Supply Chain}},
date = {2019-04-22},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html},
language = {English},
urldate = {2021-09-19}
}
C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:2019:icefog:b2b4284,
author = {Cyber Operations Tracker},
title = {{Icefog}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/icefog},
language = {English},
urldate = {2019-12-20}
}
Icefog
DAGGER PANDA |
2018-03 ⋅ Kaspersky Labs ⋅ GReAT
@techreport{great:201803:icefog:2e293e6,
author = {GReAT},
title = {{The 'Icefog' APT: A Tale of Cloak and Three Daggers}},
date = {2018-03},
institution = {Kaspersky Labs},
url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf},
language = {English},
urldate = {2020-01-13}
}
The 'Icefog' APT: A Tale of Cloak and Three Daggers
DAGGER PANDA |
2017-08-15 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20170815:shadowpad:3d5b9a0,
author = {GReAT},
title = {{ShadowPad in corporate networks}},
date = {2017-08-15},
organization = {Kaspersky Labs},
url = {https://securelist.com/shadowpad-in-corporate-networks/81432/},
language = {English},
urldate = {2019-12-20}
}
ShadowPad in corporate networks
ShadowPad |
2014-01-14 ⋅ Kaspersky Labs ⋅ Vitaly Kamluk, Igor Soumenkov, Costin Raiu
@online{kamluk:20140114:icefog:bc79c50,
author = {Vitaly Kamluk and Igor Soumenkov and Costin Raiu},
title = {{The Icefog APT Hits US Targets With Java Backdoor}},
date = {2014-01-14},
organization = {Kaspersky Labs},
url = {https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/},
language = {English},
urldate = {2019-12-20}
}
The Icefog APT Hits US Targets With Java Backdoor
DAGGER PANDA |
2013-09-25 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20130925:icefog:7f2dd2b,
author = {GReAT},
title = {{The Icefog APT: A Tale of Cloak and Three Daggers}},
date = {2013-09-25},
organization = {Kaspersky Labs},
url = {https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/},
language = {English},
urldate = {2019-12-20}
}
The Icefog APT: A Tale of Cloak and Three Daggers
DAGGER PANDA |