ShadowPad RAT hacked the South American diplomatic networks

February 21, 2023

DEV-0147, an operator of the ShadowPad RAT, has targeted diplomatic organisations in South America in its most recent operation. DEV-0147 is a Chinese state-sponsored threat group that selects targets according to the interests of its sponsor.

Earlier this week, researchers stated on social media that this new operation represents a sudden expansion of the group's data exfiltration campaigns. The group's previous attacks mainly targeted Europe and Asia; the attack against South America suggests it has begun infecting other regions as well.

ShadowPad RAT has always been involved with Chinese-speaking threat groups.

According to investigations, DEV-0147 deployed the ShadowPad RAT because it has long been a standard tool for China-based attackers. The RAT can establish persistence and deploy QuasarLoader as an additional loader to download and run subsequent malware strains.

Further investigation revealed that Microsoft 365 Defender detected these state-sponsored attacks through Microsoft Defender for Identity and Microsoft Defender for Endpoint. Cybersecurity experts therefore advise organisations to enforce multi-factor authentication (MFA) as part of their security controls.

A researcher noted that DEV-0147 is not the only threat group leveraging ShadowPad in recent campaigns. In June last year, other Chinese threat actors used the RAT to target outdated Microsoft Exchange servers in several Asian nations.

In addition, some researchers have traced the evolution of ShadowPad back to the PlugX malware. China-based threat groups affiliated with the People's Liberation Army (PLA) and the Ministry of State Security (MSS) have been the most prominent operators of the ShadowPad RAT.

The latest evidence of this is that MSS-affiliated and PLA-affiliated threat groups deployed the remote access trojan against their targets in February last year.

Other researchers attribute the authorship of the ShadowPad RAT to threat actors related to BRONZE ATLAS, who shared the malware with the Ministry of State Security and the People's Liberation Army.

Organisations should familiarise themselves with the tactics, techniques, and procedures (TTPs) of ShadowPad operators, since these groups have expanded their reach and any organisation could be their next target.
