SYMBOLCOMMON_NAMEaka. SYNONYMS

DAGGER PANDA  (Back to overview)

aka: IceFog, Trident, RedFoxtrot, Red Wendigo, PLA Unit 69010

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.


Associated Families
win.shadowpad

References
2022-10-25VMware Threat Analysis UnitTakahiro Haruyama
@techreport{haruyama:20221025:tracking:1f60260, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning}}, date = {2022-10-25}, institution = {VMware Threat Analysis Unit}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf}, language = {English}, urldate = {2022-11-01} } Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-30NCC GroupWilliam Backhouse, Michael Mullen, Nikolaos Pantazopoulos
@online{backhouse:20220930:glimpse:5194be6, author = {William Backhouse and Michael Mullen and Nikolaos Pantazopoulos}, title = {{A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion}}, date = {2022-09-30}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/}, language = {English}, urldate = {2022-10-04} } A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
ShadowPad
2022-09-19Virus BulletinTakahiro Haruyama
@techreport{haruyama:20220919:tracking:bffa146, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning}}, date = {2022-09-19}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf}, language = {English}, urldate = {2022-11-01} } Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-13SymantecThreat Hunter Team
@online{team:20220913:new:2ff2e98, author = {Threat Hunter Team}, title = {{New Wave of Espionage Activity Targets Asian Governments}}, date = {2022-09-13}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments}, language = {English}, urldate = {2022-09-20} } New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT
2022-09-06ESET ResearchThibaut Passilly
@online{passilly:20220906:worok:0c106ac, author = {Thibaut Passilly}, title = {{Worok: The big picture}}, date = {2022-09-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/}, language = {English}, urldate = {2022-09-10} } Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad
2022-07-01RiskIQRiskIQ
@online{riskiq:20220701:toddycat:485d554, author = {RiskIQ}, title = {{ToddyCat: A Guided Journey through the Attacker's Infrastructure}}, date = {2022-07-01}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/d8b749f2}, language = {English}, urldate = {2022-07-15} } ToddyCat: A Guided Journey through the Attacker's Infrastructure
ShadowPad ToddyCat
2022-06-27Kaspersky ICS CERTArtem Snegirev, Kirill Kruglov
@online{snegirev:20220627:attacks:100c151, author = {Artem Snegirev and Kirill Kruglov}, title = {{Attacks on industrial control systems using ShadowPad}}, date = {2022-06-27}, organization = {Kaspersky ICS CERT}, url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/}, language = {English}, urldate = {2022-06-29} } Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad
2022-05-17Positive TechnologiesPositive Technologies
@online{technologies:20220517:space:abd655a, author = {Positive Technologies}, title = {{Space Pirates: analyzing the tools and connections of a new hacker group}}, date = {2022-05-17}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/}, language = {English}, urldate = {2022-05-25} } Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-12TEAMT5Leon Chang, Silvia Yeh
@techreport{chang:20220512:next:5fd8a83, author = {Leon Chang and Silvia Yeh}, title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}}, date = {2022-05-12}, institution = {TEAMT5}, url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf}, language = {English}, urldate = {2022-08-08} } The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2022-05-02Sentinel LABSJoey Chen, Amitai Ben Shushan Ehrlich
@online{chen:20220502:moshen:1969df2, author = {Joey Chen and Amitai Ben Shushan Ehrlich}, title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}}, date = {2022-05-02}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/}, language = {English}, urldate = {2022-05-04} } Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad
2022-04-28PWCPWC UK
@techreport{uk:20220428:cyber:46707aa, author = {PWC UK}, title = {{Cyber Threats 2021: A Year in Retrospect}}, date = {2022-04-28}, institution = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf}, language = {English}, urldate = {2022-04-29} } Cyber Threats 2021: A Year in Retrospect
APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER
2022-04-08The RegisterLaura Dobberstein
@online{dobberstein:20220408:china:6626bbc, author = {Laura Dobberstein}, title = {{China accused of cyberattacks on Indian power grid}}, date = {2022-04-08}, organization = {The Register}, url = {https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/}, language = {English}, urldate = {2022-04-12} } China accused of cyberattacks on Indian power grid
ShadowPad
2022-04-06Recorded FutureInsikt Group®
@techreport{group:20220406:continued:dcee8d2, author = {Insikt Group®}, title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)}}, date = {2022-04-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf}, language = {English}, urldate = {2022-08-05} } Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)
ShadowPad
2022-04-06Recorded FutureInsikt Group
@online{group:20220406:continued:cdf57e5, author = {Insikt Group}, title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group}}, date = {2022-04-06}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/}, language = {English}, urldate = {2022-04-12} } Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group
ShadowPad
2022-02-23DragosDragos
@techreport{dragos:20220223:2021:539931a, author = {Dragos}, title = {{2021 ICS OT Cybersecurity Year In Review}}, date = {2022-02-23}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf}, language = {English}, urldate = {2022-04-12} } 2021 ICS OT Cybersecurity Year In Review
ShadowPad
2022-02-15The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220215:researchers:834fc13, author = {Ravie Lakshmanan}, title = {{Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA}}, date = {2022-02-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html}, language = {English}, urldate = {2022-02-17} } Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA
ShadowPad
2022-02-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220215:shadowpad:cd3fa10, author = {Counter Threat Unit ResearchTeam}, title = {{ShadowPad Malware Analysis}}, date = {2022-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/shadowpad-malware-analysis}, language = {English}, urldate = {2022-02-17} } ShadowPad Malware Analysis
ShadowPad
2022-01-17Trend MicroJoseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet
@techreport{chen:20220117:delving:4cd2b1c, author = {Joseph Chen and Kenney Lu and Gloria Chen and Jaromír Hořejší and Daniel Lunghi and Cedric Pernet}, title = {{Delving Deep: An Analysis of Earth Lusca’s Operations}}, date = {2022-01-17}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf}, language = {English}, urldate = {2022-07-25} } Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca
2021-12-17FBIFBI
@techreport{fbi:20211217:ac000159mw:03082da, author = {FBI}, title = {{AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)}}, date = {2021-12-17}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211220.pdf}, language = {English}, urldate = {2021-12-23} } AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)
ShadowPad
2021-12-08PWC UKAdam Prescott
@online{prescott:20211208:chasing:3921a35, author = {Adam Prescott}, title = {{Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad}}, date = {2021-12-08}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html}, language = {English}, urldate = {2021-12-13} } Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad
ShadowPad Earth Lusca
2021-11-19insomniacs(Medium)Asuna Amawaka
@online{amawaka:20211119:its:bd24ebf, author = {Asuna Amawaka}, title = {{It’s a BEE! It’s a… no, it’s ShadowPad.}}, date = {2021-11-19}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2}, language = {English}, urldate = {2021-11-25} } It’s a BEE! It’s a… no, it’s ShadowPad.
ShadowPad
2021-11-04Youtube (Virus Bulletin)Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20211104:shadowpad:8dbd5c7, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}}, date = {2021-11-04}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=r1zAVX_HnJg}, language = {English}, urldate = {2022-08-08} } ShadowPad: the masterpiece of privately sold malware in Chinese espionage
PlugX ShadowPad
2021-10-26KasperskyKaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-09-01YouTube (Hack In The Box Security Conference)Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20210901:shadowpad:f9ae111, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}}, date = {2021-09-01}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U}, language = {English}, urldate = {2022-08-08} } SHADOWPAD: Chinese Espionage Malware-as-a-Service
PlugX ShadowPad
2021-08-23SentinelOneYi-Jhen Hsieh, Joey Chen
@techreport{hsieh:20210823:shadowpad:58780f1, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-23}, institution = {SentinelOne}, url = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf}, language = {English}, urldate = {2022-07-18} } ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage
PlugX ShadowPad
2021-08-19Sentinel LABSYi-Jhen Hsieh, Joey Chen
@online{hsieh:20210819:shadowpad:04bbb1e, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-19}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/}, language = {English}, urldate = {2021-08-23} } ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad
2021-08-12Sentinel LABSSentinelLabs
@techreport{sentinellabs:20210812:shadowpad:61c0a20, author = {SentinelLabs}, title = {{ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-12}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf}, language = {English}, urldate = {2022-07-25} } ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad Earth Lusca
2021-07-08YouTube (PT Product Update)Denis Kuvshinov
@online{kuvshinov:20210708:how:ea6d201, author = {Denis Kuvshinov}, title = {{How winnti APT grouping works}}, date = {2021-07-08}, organization = {YouTube (PT Product Update)}, url = {https://www.youtube.com/watch?v=_fstHQSK-kk}, language = {Russian}, urldate = {2021-09-20} } How winnti APT grouping works
Korlia ShadowPad Winnti
2021-07-08Recorded FutureInsikt Group®
@online{group:20210708:chinese:98d34d3, author = {Insikt Group®}, title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}}, date = {2021-07-08}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/}, language = {English}, urldate = {2021-07-12} } Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti
2021-07-08PTSecurityDenis Kuvshinov
@techreport{kuvshinov:20210708:how:2e5a659, author = {Denis Kuvshinov}, title = {{How winnti APT grouping works}}, date = {2021-07-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf}, language = {Russian}, urldate = {2021-09-20} } How winnti APT grouping works
Korlia ShadowPad Winnti
2021-06-16Recorded FutureInsikt Group®
@techreport{group:20210616:threat:d585785, author = {Insikt Group®}, title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}}, date = {2021-06-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf}, language = {English}, urldate = {2022-07-29} } Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA
2021-04-29NTTThreat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4, author = {Threat Detection NTT Ltd.}, title = {{The Operations of Winnti group}}, date = {2021-04-29}, institution = {NTT}, url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf}, language = {English}, urldate = {2021-08-09} } The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-03-29The RecordCatalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4, author = {Catalin Cimpanu}, title = {{RedEcho group parks domains after public exposure}}, date = {2021-03-29}, organization = {The Record}, url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/}, language = {English}, urldate = {2021-03-31} } RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho
2021-02-28Recorded FutureInsikt Group®
@techreport{group:20210228:chinalinked:2fb1230, author = {Insikt Group®}, title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf}, language = {English}, urldate = {2021-03-04} } China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad
2021-02-28Recorded FutureInsikt Group®
@online{group:20210228:chinalinked:ce3b62d, author = {Insikt Group®}, title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/}, language = {English}, urldate = {2021-03-31} } China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2020-12-10ESET ResearchMathieu Tartare
@online{tartare:20201210:operation:0eecfc8, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/}, language = {English}, urldate = {2020-12-10} } Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger
2020-11-23Youtube (OWASP DevSlop)Negar Shabab, Noushin Shabab
@online{shabab:20201123:compromised:6dd1417, author = {Negar Shabab and Noushin Shabab}, title = {{Compromised Compilers - A new perspective of supply chain cyber attacks}}, date = {2020-11-23}, organization = {Youtube (OWASP DevSlop)}, url = {https://www.youtube.com/watch?v=55kaaMGBARM}, language = {English}, urldate = {2020-11-23} } Compromised Compilers - A new perspective of supply chain cyber attacks
ShadowPad
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-27Dr.WebDr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-09-08PTSecurityPTSecurity
@techreport{ptsecurity:20200908:shadowpad:2903f45, author = {PTSecurity}, title = {{ShadowPad: new activity from the Winnti group}}, date = {2020-09-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf}, language = {English}, urldate = {2020-10-08} } ShadowPad: new activity from the Winnti group
CCleaner Backdoor Korlia ShadowPad TypeHash
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-14CrowdStrikeFalcon OverWatch Team
@online{team:20200714:manufacturing:3e552ec, author = {Falcon OverWatch Team}, title = {{Manufacturing Industry in the Adversaries’ Crosshairs}}, date = {2020-07-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/}, language = {English}, urldate = {2020-07-23} } Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-01-31ESET ResearchMathieu Tartare
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2019-10-07ESET ResearchMarc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
2019-09-23MITREMITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-04-23Kaspersky LabsGReAT, AMR
@online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2019-04-22Trend MicroMohamad Mokbel
@online{mokbel:20190422:cc:23b1202, author = {Mohamad Mokbel}, title = {{C/C++ Runtime Library Code Tampering in Supply Chain}}, date = {2019-04-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html}, language = {English}, urldate = {2021-09-19} } C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:icefog:b2b4284, author = {Cyber Operations Tracker}, title = {{Icefog}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/icefog}, language = {English}, urldate = {2019-12-20} } Icefog
DAGGER PANDA
2018-03Kaspersky LabsGReAT
@techreport{great:201803:icefog:2e293e6, author = {GReAT}, title = {{The 'Icefog' APT: A Tale of Cloak and Three Daggers}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf}, language = {English}, urldate = {2020-01-13} } The 'Icefog' APT: A Tale of Cloak and Three Daggers
DAGGER PANDA
2017-08-15Kaspersky LabsGReAT
@online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } ShadowPad in corporate networks
ShadowPad
2014-01-14Kaspersky LabsVitaly Kamluk, Igor Soumenkov, Costin Raiu
@online{kamluk:20140114:icefog:bc79c50, author = {Vitaly Kamluk and Igor Soumenkov and Costin Raiu}, title = {{The Icefog APT Hits US Targets With Java Backdoor}}, date = {2014-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/}, language = {English}, urldate = {2019-12-20} } The Icefog APT Hits US Targets With Java Backdoor
DAGGER PANDA
2013-09-25Kaspersky LabsGReAT
@online{great:20130925:icefog:7f2dd2b, author = {GReAT}, title = {{The Icefog APT: A Tale of Cloak and Three Daggers}}, date = {2013-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/}, language = {English}, urldate = {2019-12-20} } The Icefog APT: A Tale of Cloak and Three Daggers
DAGGER PANDA

Credits: MISP Project