win.shadowpad (Back to overview)



Actor(s): APT23, APT41, APT17, DAGGER PANDA, Earth Lusca, Tonto Team, WET PANDA


There is no description at this point.

2024-03-18Trend MicroDaniel Lunghi, Joseph C Chen
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
DinodasRAT PlugX Reshell ShadowPad Earth Krahang
Anxun and Chinese APT Activity
2024-03-01HarfangLabHarfangLab CTI
A Comprehensive Analysis of i-SOON’s Commercial Offering
ShadowPad Winnti
2024-02-21YouTube (SentinelOne)Kris McConkey
LABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor
9002 RAT PlugX ShadowPad Spyder Earth Lusca
2024-02-09Hunt.ioMichael R
Tracking ShadowPad Infrastructure Via Non-Standard Certificates
2024-01-09Recorded FutureInsikt Group
2023 Adversary Infrastructure Report
AsyncRAT Cobalt Strike Emotet PlugX ShadowPad
2023-11-07Youtube (Virus Bulletin)Daniel Lunghi
Possible supply chain attack targeting South Asian government delivers Shadowpad
2023-10-04Trend MicroDaniel Lunghi
Possible supply chain attack targeting Pakistan government delivers ShadowPad
2023-10-04Trend MicroDaniel Lunghi
Possible supply chain attack targeting Pakistan government delivers Shadowpad (Slides)
2023-09-22Palo Alto Networks Unit 42Lior Rochberger, Robert Falcone, Tom Fakterman
Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
Cobalt Strike MimiKatz RemCom ShadowPad TONESHELL
2023-09-12SymantecThreat Hunter Team
Redfly: Espionage Actors Continue to Target Critical Infrastructure
ShadowPad Redfly
2023-08-07Recorded FutureInsikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca
2023-07-14Trend MicroDaniel Lunghi
Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad
ShadowPad DriftingCloud Tonto Team
2023-05-15SymantecThreat Hunter Team
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Merdoor PlugX ShadowPad ZXShell Lancefly
2023-02-02ElasticAndrew Pease, Cyril François, Devon Kerr, Remco Sprooten, Salim Bitam, Seth Goodwin
Update to the REF2924 intrusion set and related campaigns
DoorMe ShadowPad SiestaGraph
2022-10-25VMware Threat Analysis UnitTakahiro Haruyama
Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-30NCC GroupMichael Mullen, Nikolaos Pantazopoulos, William Backhouse
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
2022-09-26Youtube (Virus Bulletin)Takahiro Haruyama
Tracking the entire iceberg long term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-19Virus BulletinTakahiro Haruyama
Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-13SymantecThreat Hunter Team
New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT
2022-09-06ESET ResearchThibaut Passilly
Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad Worok
ToddyCat: A Guided Journey through the Attacker's Infrastructure
ShadowPad ToddyCat
2022-06-27Kaspersky ICS CERTArtem Snegirev, Kirill Kruglov
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad
2022-05-17Positive TechnologiesPositive Technologies
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-12TEAMT5Leon Chang, Silvia Yeh
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2022-05-02Sentinel LABSAmitai Ben Shushan Ehrlich, Joey Chen
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad Moshen Dragon
2022-04-08The RegisterLaura Dobberstein
China accused of cyberattacks on Indian power grid
2022-04-06Recorded FutureInsikt Group
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group
2022-04-06Recorded FutureInsikt Group®
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)
2021 ICS OT Cybersecurity Year In Review
2022-02-15The Hacker NewsRavie Lakshmanan
Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA
2022-02-15SecureworksCounter Threat Unit ResearchTeam
ShadowPad Malware Analysis
2022-01-17Trend MicroCedric Pernet, Daniel Lunghi, Gloria Chen, Jaromír Hořejší, Joseph Chen, Kenney Lu
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca
AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)
2021-12-16TEAMT5Aragorn Tseng, Charles Li, Peter Syu, Tom Lai
Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder
2021-12-08PWC UKAdam Prescott
Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad
ShadowPad Earth Lusca
2021-11-19insomniacs(Medium)Asuna Amawaka
It’s a BEE! It’s a… no, it’s ShadowPad.
2021-11-04Youtube (Virus Bulletin)Joey Chen, Yi-Jhen Hsieh
ShadowPad: the masterpiece of privately sold malware in Chinese espionage
PlugX ShadowPad
2021-10-26KasperskyKaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-09-01YouTube (Hack In The Box Security Conference)Joey Chen, Yi-Jhen Hsieh
SHADOWPAD: Chinese Espionage Malware-as-a-Service
PlugX ShadowPad
2021-08-23SentinelOneJoey Chen, Yi-Jhen Hsieh
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage
PlugX ShadowPad
2021-08-19Sentinel LABSJoey Chen, Yi-Jhen Hsieh
ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage
2021-08-12Sentinel LABSSentinelLabs
ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad Earth Lusca
2021-07-08YouTube (PT Product Update)Denis Kuvshinov
How winnti APT grouping works
Korlia ShadowPad Winnti
2021-07-08PTSecurityDenis Kuvshinov
How winnti APT grouping works
Korlia ShadowPad Winnti
2021-07-08Recorded FutureInsikt Group®
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti
2021-04-29NTTThreat Detection NTT Ltd.
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-03-29The RecordCatalin Cimpanu
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho
2021-02-28Recorded FutureInsikt Group®
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho
2021-02-28Recorded FutureInsikt Group®
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-14PTSecurityPT ESC Threat Intelligence
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2020-12-10ESET ResearchMathieu Tartare
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger
2020-11-23Youtube (OWASP DevSlop)Negar Shabab, Noushin Shabab
Compromised Compilers - A new perspective of supply chain cyber attacks
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-30YouTube (Kaspersky Tech)Kris McConkey
Around the world in 80 days 4.2bn packets
Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-09-18SymantecThreat Hunter Team
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
ShadowPad: new activity from the Winnti group
CCleaner Backdoor Korlia ShadowPad TypeHash
2020-07-29Kaspersky LabsGReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-14CrowdStrikeFalcon OverWatch Team
Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-01-31ESET ResearchMathieu Tartare
Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2019-10-07ESET ResearchMarc-Etienne M.Léveillé, Mathieu Tartare
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-04-23Kaspersky LabsAMR, GReAT
Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2019-04-22Trend MicroMohamad Mokbel
C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti
2017-08-15Kaspersky LabsGReAT
ShadowPad in corporate networks
Yara Rules
[TLP:WHITE] win_shadowpad_auto (20230808 | Detects win.shadowpad.)
rule win_shadowpad_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.shadowpad."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { e8???????? 59 8d75dc a3???????? e8???????? 53 ff15???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d75dc               | lea                 esi, [ebp - 0x24]
            //   a3????????           |                     
            //   e8????????           |                     
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_1 = { 5b c9 c3 55 8bec b8f8100000 e8???????? }
            // n = 7, score = 200
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b8f8100000           | mov                 eax, 0x10f8
            //   e8????????           |                     

        $sequence_2 = { 8bec 53 57 ff7508 ff15???????? 8d7801 }
            // n = 6, score = 200
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   8d7801               | lea                 edi, [eax + 1]

        $sequence_3 = { 8d45e8 50 53 8d75d0 }
            // n = 4, score = 200
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   8d75d0               | lea                 esi, [ebp - 0x30]

        $sequence_4 = { 7e25 8a0c56 8a445601 80e961 2c6a }
            // n = 5, score = 200
            //   7e25                 | jle                 0x27
            //   8a0c56               | mov                 cl, byte ptr [esi + edx*2]
            //   8a445601             | mov                 al, byte ptr [esi + edx*2 + 1]
            //   80e961               | sub                 cl, 0x61
            //   2c6a                 | sub                 al, 0x6a

        $sequence_5 = { 50 6a04 5f e8???????? 85c0 75ae 8d4310 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   6a04                 | push                4
            //   5f                   | pop                 edi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75ae                 | jne                 0xffffffb0
            //   8d4310               | lea                 eax, [ebx + 0x10]

        $sequence_6 = { 83ec24 53 56 57 33ff 393d???????? }
            // n = 6, score = 200
            //   83ec24               | sub                 esp, 0x24
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   393d????????         |                     

        $sequence_7 = { e8???????? 8b1d???????? 50 ffd3 6800010000 668945f0 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b1d????????         |                     
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   6800010000           | push                0x100
            //   668945f0             | mov                 word ptr [ebp - 0x10], ax

        $sequence_8 = { 8bfe 8d45e8 895de8 895dec 895df4 895df0 885df8 }
            // n = 7, score = 200
            //   8bfe                 | mov                 edi, esi
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   885df8               | mov                 byte ptr [ebp - 8], bl

        $sequence_9 = { 0fb639 c1ce08 83cf20 03f7 83c102 81f6a3d9357c 663919 }
            // n = 7, score = 200
            //   0fb639               | movzx               edi, byte ptr [ecx]
            //   c1ce08               | ror                 esi, 8
            //   83cf20               | or                  edi, 0x20
            //   03f7                 | add                 esi, edi
            //   83c102               | add                 ecx, 2
            //   81f6a3d9357c         | xor                 esi, 0x7c35d9a3
            //   663919               | cmp                 word ptr [ecx], bx

        7 of them and filesize < 188416
Download all Yara Rules