SYMBOLCOMMON_NAMEaka. SYNONYMS
win.shadowpad (Back to overview)

ShadowPad

aka: POISONPLUG.SHADOW, XShellGhost

Actor(s): APT23, APT41, Axiom, DAGGER PANDA, Earth Lusca, Tonto Team, WET PANDA

There is no description at this point.

References
2022-10-25VMware Threat Analysis UnitTakahiro Haruyama
@techreport{haruyama:20221025:tracking:1f60260, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning}}, date = {2022-10-25}, institution = {VMware Threat Analysis Unit}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf}, language = {English}, urldate = {2022-11-01} } Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-30NCC GroupWilliam Backhouse, Michael Mullen, Nikolaos Pantazopoulos
@online{backhouse:20220930:glimpse:5194be6, author = {William Backhouse and Michael Mullen and Nikolaos Pantazopoulos}, title = {{A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion}}, date = {2022-09-30}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/}, language = {English}, urldate = {2022-10-04} } A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
ShadowPad
2022-09-19Virus BulletinTakahiro Haruyama
@techreport{haruyama:20220919:tracking:bffa146, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning}}, date = {2022-09-19}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf}, language = {English}, urldate = {2022-11-01} } Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-13SymantecThreat Hunter Team
@online{team:20220913:new:2ff2e98, author = {Threat Hunter Team}, title = {{New Wave of Espionage Activity Targets Asian Governments}}, date = {2022-09-13}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments}, language = {English}, urldate = {2022-09-20} } New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT
2022-09-06ESET ResearchThibaut Passilly
@online{passilly:20220906:worok:0c106ac, author = {Thibaut Passilly}, title = {{Worok: The big picture}}, date = {2022-09-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/}, language = {English}, urldate = {2022-09-10} } Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad
2022-07-01RiskIQRiskIQ
@online{riskiq:20220701:toddycat:485d554, author = {RiskIQ}, title = {{ToddyCat: A Guided Journey through the Attacker's Infrastructure}}, date = {2022-07-01}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/d8b749f2}, language = {English}, urldate = {2022-07-15} } ToddyCat: A Guided Journey through the Attacker's Infrastructure
ShadowPad ToddyCat
2022-06-27Kaspersky ICS CERTArtem Snegirev, Kirill Kruglov
@online{snegirev:20220627:attacks:100c151, author = {Artem Snegirev and Kirill Kruglov}, title = {{Attacks on industrial control systems using ShadowPad}}, date = {2022-06-27}, organization = {Kaspersky ICS CERT}, url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/}, language = {English}, urldate = {2022-06-29} } Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad
2022-05-17Positive TechnologiesPositive Technologies
@online{technologies:20220517:space:abd655a, author = {Positive Technologies}, title = {{Space Pirates: analyzing the tools and connections of a new hacker group}}, date = {2022-05-17}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/}, language = {English}, urldate = {2022-05-25} } Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-12TEAMT5Leon Chang, Silvia Yeh
@techreport{chang:20220512:next:5fd8a83, author = {Leon Chang and Silvia Yeh}, title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}}, date = {2022-05-12}, institution = {TEAMT5}, url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf}, language = {English}, urldate = {2022-08-08} } The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2022-05-02Sentinel LABSJoey Chen, Amitai Ben Shushan Ehrlich
@online{chen:20220502:moshen:1969df2, author = {Joey Chen and Amitai Ben Shushan Ehrlich}, title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}}, date = {2022-05-02}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/}, language = {English}, urldate = {2022-05-04} } Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad
2022-04-08The RegisterLaura Dobberstein
@online{dobberstein:20220408:china:6626bbc, author = {Laura Dobberstein}, title = {{China accused of cyberattacks on Indian power grid}}, date = {2022-04-08}, organization = {The Register}, url = {https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/}, language = {English}, urldate = {2022-04-12} } China accused of cyberattacks on Indian power grid
ShadowPad
2022-04-06Recorded FutureInsikt Group®
@techreport{group:20220406:continued:dcee8d2, author = {Insikt Group®}, title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)}}, date = {2022-04-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf}, language = {English}, urldate = {2022-08-05} } Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)
ShadowPad
2022-04-06Recorded FutureInsikt Group
@online{group:20220406:continued:cdf57e5, author = {Insikt Group}, title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group}}, date = {2022-04-06}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/}, language = {English}, urldate = {2022-04-12} } Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group
ShadowPad
2022-02-23DragosDragos
@techreport{dragos:20220223:2021:539931a, author = {Dragos}, title = {{2021 ICS OT Cybersecurity Year In Review}}, date = {2022-02-23}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf}, language = {English}, urldate = {2022-04-12} } 2021 ICS OT Cybersecurity Year In Review
ShadowPad
2022-02-15The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220215:researchers:834fc13, author = {Ravie Lakshmanan}, title = {{Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA}}, date = {2022-02-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html}, language = {English}, urldate = {2022-02-17} } Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA
ShadowPad
2022-02-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220215:shadowpad:cd3fa10, author = {Counter Threat Unit ResearchTeam}, title = {{ShadowPad Malware Analysis}}, date = {2022-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/shadowpad-malware-analysis}, language = {English}, urldate = {2022-02-17} } ShadowPad Malware Analysis
ShadowPad
2022-01-17Trend MicroJoseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet
@techreport{chen:20220117:delving:4cd2b1c, author = {Joseph Chen and Kenney Lu and Gloria Chen and Jaromír Hořejší and Daniel Lunghi and Cedric Pernet}, title = {{Delving Deep: An Analysis of Earth Lusca’s Operations}}, date = {2022-01-17}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf}, language = {English}, urldate = {2022-07-25} } Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca
2021-12-17FBIFBI
@techreport{fbi:20211217:ac000159mw:03082da, author = {FBI}, title = {{AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)}}, date = {2021-12-17}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211220.pdf}, language = {English}, urldate = {2021-12-23} } AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)
ShadowPad
2021-12-08PWC UKAdam Prescott
@online{prescott:20211208:chasing:3921a35, author = {Adam Prescott}, title = {{Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad}}, date = {2021-12-08}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html}, language = {English}, urldate = {2021-12-13} } Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad
ShadowPad Earth Lusca
2021-11-19insomniacs(Medium)Asuna Amawaka
@online{amawaka:20211119:its:bd24ebf, author = {Asuna Amawaka}, title = {{It’s a BEE! It’s a… no, it’s ShadowPad.}}, date = {2021-11-19}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2}, language = {English}, urldate = {2021-11-25} } It’s a BEE! It’s a… no, it’s ShadowPad.
ShadowPad
2021-11-04Youtube (Virus Bulletin)Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20211104:shadowpad:8dbd5c7, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}}, date = {2021-11-04}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=r1zAVX_HnJg}, language = {English}, urldate = {2022-08-08} } ShadowPad: the masterpiece of privately sold malware in Chinese espionage
PlugX ShadowPad
2021-10-26KasperskyKaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-09-01YouTube (Hack In The Box Security Conference)Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20210901:shadowpad:f9ae111, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}}, date = {2021-09-01}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U}, language = {English}, urldate = {2022-08-08} } SHADOWPAD: Chinese Espionage Malware-as-a-Service
PlugX ShadowPad
2021-08-23SentinelOneYi-Jhen Hsieh, Joey Chen
@techreport{hsieh:20210823:shadowpad:58780f1, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-23}, institution = {SentinelOne}, url = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf}, language = {English}, urldate = {2022-07-18} } ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage
PlugX ShadowPad
2021-08-19Sentinel LABSYi-Jhen Hsieh, Joey Chen
@online{hsieh:20210819:shadowpad:04bbb1e, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-19}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/}, language = {English}, urldate = {2021-08-23} } ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad
2021-08-12Sentinel LABSSentinelLabs
@techreport{sentinellabs:20210812:shadowpad:61c0a20, author = {SentinelLabs}, title = {{ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-12}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf}, language = {English}, urldate = {2022-07-25} } ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad Earth Lusca
2021-07-08YouTube (PT Product Update)Denis Kuvshinov
@online{kuvshinov:20210708:how:ea6d201, author = {Denis Kuvshinov}, title = {{How winnti APT grouping works}}, date = {2021-07-08}, organization = {YouTube (PT Product Update)}, url = {https://www.youtube.com/watch?v=_fstHQSK-kk}, language = {Russian}, urldate = {2021-09-20} } How winnti APT grouping works
Korlia ShadowPad Winnti
2021-07-08Recorded FutureInsikt Group®
@online{group:20210708:chinese:98d34d3, author = {Insikt Group®}, title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}}, date = {2021-07-08}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/}, language = {English}, urldate = {2021-07-12} } Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti
2021-07-08PTSecurityDenis Kuvshinov
@techreport{kuvshinov:20210708:how:2e5a659, author = {Denis Kuvshinov}, title = {{How winnti APT grouping works}}, date = {2021-07-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf}, language = {Russian}, urldate = {2021-09-20} } How winnti APT grouping works
Korlia ShadowPad Winnti
2021-04-29NTTThreat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4, author = {Threat Detection NTT Ltd.}, title = {{The Operations of Winnti group}}, date = {2021-04-29}, institution = {NTT}, url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf}, language = {English}, urldate = {2021-08-09} } The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-03-29The RecordCatalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4, author = {Catalin Cimpanu}, title = {{RedEcho group parks domains after public exposure}}, date = {2021-03-29}, organization = {The Record}, url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/}, language = {English}, urldate = {2021-03-31} } RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho
2021-02-28Recorded FutureInsikt Group®
@techreport{group:20210228:chinalinked:2fb1230, author = {Insikt Group®}, title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf}, language = {English}, urldate = {2021-03-04} } China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad
2021-02-28Recorded FutureInsikt Group®
@online{group:20210228:chinalinked:ce3b62d, author = {Insikt Group®}, title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/}, language = {English}, urldate = {2021-03-31} } China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2020-12-10ESET ResearchMathieu Tartare
@online{tartare:20201210:operation:0eecfc8, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/}, language = {English}, urldate = {2020-12-10} } Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger
2020-11-23Youtube (OWASP DevSlop)Negar Shabab, Noushin Shabab
@online{shabab:20201123:compromised:6dd1417, author = {Negar Shabab and Noushin Shabab}, title = {{Compromised Compilers - A new perspective of supply chain cyber attacks}}, date = {2020-11-23}, organization = {Youtube (OWASP DevSlop)}, url = {https://www.youtube.com/watch?v=55kaaMGBARM}, language = {English}, urldate = {2020-11-23} } Compromised Compilers - A new perspective of supply chain cyber attacks
ShadowPad
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-27Dr.WebDr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-09-08PTSecurityPTSecurity
@techreport{ptsecurity:20200908:shadowpad:2903f45, author = {PTSecurity}, title = {{ShadowPad: new activity from the Winnti group}}, date = {2020-09-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf}, language = {English}, urldate = {2020-10-08} } ShadowPad: new activity from the Winnti group
CCleaner Backdoor Korlia ShadowPad TypeHash
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-14CrowdStrikeFalcon OverWatch Team
@online{team:20200714:manufacturing:3e552ec, author = {Falcon OverWatch Team}, title = {{Manufacturing Industry in the Adversaries’ Crosshairs}}, date = {2020-07-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/}, language = {English}, urldate = {2020-07-23} } Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-01-31ESET ResearchMathieu Tartare
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2019-10-07ESET ResearchMarc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
2019-09-23MITREMITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-04-23Kaspersky LabsGReAT, AMR
@online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2019-04-22Trend MicroMohamad Mokbel
@online{mokbel:20190422:cc:23b1202, author = {Mohamad Mokbel}, title = {{C/C++ Runtime Library Code Tampering in Supply Chain}}, date = {2019-04-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html}, language = {English}, urldate = {2021-09-19} } C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti
2017-08-15Kaspersky LabsGReAT
@online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } ShadowPad in corporate networks
ShadowPad
Yara Rules
[TLP:WHITE] win_shadowpad_auto (20230125 | Detects win.shadowpad.)
rule win_shadowpad_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.shadowpad."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 885d0c e8???????? 8b45f4 0fb6fb }
            // n = 4, score = 200
            //   885d0c               | mov                 byte ptr [ebp + 0xc], bl
            //   e8????????           |                     
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0fb6fb               | movzx               edi, bl

        $sequence_1 = { 8d8590efffff 50 ffd7 8d45bc 50 8d4590 50 }
            // n = 7, score = 200
            //   8d8590efffff         | lea                 eax, [ebp - 0x1070]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d45bc               | lea                 eax, [ebp - 0x44]
            //   50                   | push                eax
            //   8d4590               | lea                 eax, [ebp - 0x70]
            //   50                   | push                eax

        $sequence_2 = { 33d2 85ff 7e25 8a0c56 8a445601 80e961 2c6a }
            // n = 7, score = 200
            //   33d2                 | xor                 edx, edx
            //   85ff                 | test                edi, edi
            //   7e25                 | jle                 0x27
            //   8a0c56               | mov                 cl, byte ptr [esi + edx*2]
            //   8a445601             | mov                 al, byte ptr [esi + edx*2 + 1]
            //   80e961               | sub                 cl, 0x61
            //   2c6a                 | sub                 al, 0x6a

        $sequence_3 = { e8???????? 8b06 0fb60c18 8d440101 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   0fb60c18             | movzx               ecx, byte ptr [eax + ebx]
            //   8d440101             | lea                 eax, [ecx + eax + 1]

        $sequence_4 = { 7418 4a 7552 8b55fc 69d28f201c01 bb8155bfb1 2bda }
            // n = 7, score = 200
            //   7418                 | je                  0x1a
            //   4a                   | dec                 edx
            //   7552                 | jne                 0x54
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   69d28f201c01         | imul                edx, edx, 0x11c208f
            //   bb8155bfb1           | mov                 ebx, 0xb1bf5581
            //   2bda                 | sub                 ebx, edx

        $sequence_5 = { 85c0 75cf 33c0 8d4de8 e8???????? }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   75cf                 | jne                 0xffffffd1
            //   33c0                 | xor                 eax, eax
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   e8????????           |                     

        $sequence_6 = { 3916 7f58 83f801 7e53 }
            // n = 4, score = 200
            //   3916                 | cmp                 dword ptr [esi], edx
            //   7f58                 | jg                  0x5a
            //   83f801               | cmp                 eax, 1
            //   7e53                 | jle                 0x55

        $sequence_7 = { e8???????? 8b1d???????? 50 ffd3 6800010000 668945f0 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b1d????????         |                     
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   6800010000           | push                0x100
            //   668945f0             | mov                 word ptr [ebp - 0x10], ax

        $sequence_8 = { 50 47 e8???????? 85c0 75c3 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   47                   | inc                 edi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75c3                 | jne                 0xffffffc5

        $sequence_9 = { 8d843500ffffff 50 e8???????? 8b450c 03fb }
            // n = 5, score = 200
            //   8d843500ffffff       | lea                 eax, [ebp + esi - 0x100]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   03fb                 | add                 edi, ebx

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules