Chinese Intelligence Groups discovered using the ShadowPad Malware

August 26, 2021
Chinese Intelligence Groups China ShadowPad Malware

Five groups of different Chinese intelligence have been executing a notorious Windows backdoor malware called ShadowPad with their operation since the year 2017, which enables threat actors to upload files, create processes, store information, steal private data, and download malicious elements. 

According to researchers, many threat groups have found the use of ShadowPad malware as significantly convenient due to how it lessens their maintenance and development as cyber attackers. In fact, these threat groups have even halted their own development of backdoors since figuring out the efficacy of ShadowPad throughout their operations. 


The emergence of ShadowPad in the market began from the rise of supply chain occurrences as it targets ASUS, CCleaner, and NetSarang.


It pushed the groups to improve their strategies and enhance their methods, such as advanced anti-detection systems and techniques. 

Many critical infrastructures and organizations in different countries have been pointed out regarding the most recent cyberattacks that involve the execution of ShadowPad. These countries include Pakistan, India, Hong Kong, and some other countries around central Asia. In addition, several groups of prolific cyber threat espionage have been reported to share the implant of the malware, including APT41, RedEcho, Tick, RedFoxtrot, and some smaller groups such as Fishmonger, Redbonus, and Redkanku. 

The ShadowPad malware’s features decrypt and load a Root plugin in memory to control the charging of added modules throughout its runtime. This feature is a supplement to deploying more plugins coming from the C2 server or the command-and-control. Furthermore, the process will allow them to integrate additional features not initially developed in default from the malware. As of date, there are at least 22 kinds of distinctive plugins that have been identified.  

A Delphi-based controller has been capturing the infected machines technically used for backdoor communications, renovating the command-and-control server, and dealing with the plugins. Moreover, each plugin developed for ShadowPad is sold separately rather than being offered as full bundles that comprise all the modules.  

Researchers have also added that they can consider the rise of the ShadowPad malware as a suitable opportunity for the threat actors to stop developing their own backdoors. 

About the author

Leave a Reply