Freely subscribe to our NEWSLETTER

Key findings include:

• It is likely that ShadowPad is a privately sold modular malware rather than a privately shared attack framework, and the seller is likely selling each plugin separately instead of offering a full bundle with all of the currently available plugins.

• The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors. Some threat groups stopped developing their own backdoors after they gained access to ShadowPad, and ShadowPad is regularly updated with more advanced anti-detection and persistence techniques.

• SentinelOne has identified at least five activity clusters of ShadowPad users since 2017: APT41, Tick & Tonto Team, Operation Redbonus, Operation Redkanku, Fishmonger. BARIUM (Rose and Zhang Haoran) was one of the earliest threat groups with access to ShadowPad. Aside from some smaller-scale attacks against the gaming industry, they were accountable for several supply chain attacks from 2017 to 2018. Some of their victims included NetSarang, ASUS, and allegedly, CCleaner.

• Considering the long-term affiliation relationship between Rose and whg, Rose likely had high privilege access to – or was a co-developer of – ShadowPad, and other close affiliates in Chengdu were likely sharing resources. This could also explain why BARIUM was able to utilise a special version of ShadowPad in some of their attacks.

• Another subgroup, LEAD, also used ShadowPad along with other backdoors to attack victims for both financial and espionage purposes. They were reported to attack electronic providers and consumers, universities, telecommunication, NGO and foreign governments.