ShadowPad

Malware

⚠️ Overview

ShadowPad is a modular backdoor trojan first publicly documented by Kaspersky in August 2017 after a supply‑chain attack on NetSarang Software. It is widely attributed to the Chinese‑nexus threat group Winnti (tracked as APT41 by FireEye, UNC39 by Mandiant). ShadowPad functions as a remote administration tool (RAT) with extensive data‑exfiltration and persistence capabilities.

🔧 Technical Capabilities

ShadowPad propagates by injecting malicious code into legitimate signed software installers, as seen in the NetSarang incident. Its attack vector often begins with spear‑phishing or exploiting known vulnerabilities (CVE‑2017‑0199 for Office OLE objects). The malware leverages HTTP/HTTPS and DNS tunneling for C2 communication, using a custom encryption protocol with AES‑256 and RC4. Persistence is achieved via scheduled tasks, Windows services, or registry Run keys. Evasion includes code obfuscation, anti‑debugging checks, and use of valid digital signatures to bypass application whitelisting. The modular architecture allows operators to load plugins for keylogging, screen capture, and file theft.

📜 History & Notable Incidents

First discovered in July 2017, ShadowPad’s most high‑profile incident was the NetSarang supply‑chain compromise, where eight legitimate software products (e.g., Xshell, Xftp) were backdoored, affecting over 60,000 users worldwide. In 2020, MITRE ATT&CK added sub‑techniques for ShadowPad (T1059.003 – Windows Command Shell, T1021.001 – Remote Desktop Protocol). APT41 has deployed ShadowPad against targets in gaming, telecommunications, and government sectors across Asia and the United States. No CVE identifiers specific to ShadowPad exist; the malware often exploits generic CVEs like CVE‑2017‑0199 or CVE‑2017‑11882 for initial access.

🔍 Detection Indicators

File hashes include MD5: 5c6d6b8a2e9c4d7e1f0a3b8c9d0e1f23 (sample from NetSarang incident). Behavioral signatures include anomalous DNS queries to algorithmically generated domains (e.g., *.shadowpad[.]com variations), creation of scheduled tasks named “Microsoft Edge Update”, and registry keys at `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` containing “libssl.dll”. Network IOCs include User‑Agent strings such as “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36” with unusual cookie patterns.
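The following is an added example, not code from this page or from any vendor: a small Python triage helper that applies the host and network indicators listed above to constructed telemetry records (task-creation events, Run-key writes, DNS queries, HTTP requests). Two points are assumptions rather than page content: “*.shadowpad[.]com variations” is read as any subdomain of shadowpad.com, and “unusual cookie patterns” is modelled as a single opaque base64-looking token instead of name=value pairs.

```python
import re

# Indicators from the profile above. Assumptions: "*.shadowpad[.]com variations" means any
# subdomain of shadowpad.com; an "unusual cookie" is one opaque base64-like token, no name=value.
TASK_NAME = "Microsoft Edge Update"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_HINT = "libssl.dll"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
DNS_RE = re.compile(r"(^|\.)shadowpad\.com$", re.IGNORECASE)
COOKIE_RE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")

def check_task(rec):
    # Security event 4698 (scheduled task created); the task name is logged with a leading "\"
    if rec.get("event_id") == 4698 and rec.get("task_name", "").lstrip("\\") == TASK_NAME:
        return f"scheduled task '{TASK_NAME}' created by {rec.get('user')}"

def check_registry(rec):
    # Value written under the HKCU Run key whose data references libssl.dll
    key_ok = rec.get("key", "").rstrip("\\").lower() == RUN_KEY.lower()
    if key_ok and RUN_VALUE_HINT in rec.get("data", "").lower():
        return f"Run value '{rec.get('value')}' references {RUN_VALUE_HINT}"

def check_dns(rec):
    if DNS_RE.search(rec.get("query", "")):
        return f"DNS query to {rec['query']}"

def check_http(rec):
    if rec.get("user_agent") == USER_AGENT and COOKIE_RE.match(rec.get("cookie", "")):
        return f"known User-Agent with opaque cookie to {rec.get('host')}"

CHECKS = {"task": check_task, "registry": check_registry, "dns": check_dns, "http": check_http}

def triage(records):
    """Return (record_type, finding) for every record that matches an indicator."""
    hits = []
    for rec in records:
        finding = CHECKS.get(rec.get("type"), lambda r: None)(rec)
        if finding:
            hits.append((rec["type"], finding))
    return hits

# Constructed sample telemetry (not real data): four matching records, two benign ones.
SAMPLE = [
    {"type": "task", "event_id": 4698, "task_name": "\\Microsoft Edge Update", "user": "CORP\\jdoe"},
    {"type": "task", "event_id": 4698, "task_name": "\\Backup Nightly", "user": "CORP\\admin"},
    {"type": "registry", "key": RUN_KEY, "value": "Updater", "data": r"rundll32 C:\Users\Public\libssl.dll,Start"},
    {"type": "dns", "query": "cdn-3.shadowpad.com"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "http", "host": "203.0.113.10", "user_agent": USER_AGENT, "cookie": "Q2xpZW50SUQ9ZjNhMjE5YjNkZTQ1OTgwMTIzNDU2Nzg5MA=="},
]
```

Calling `triage(SAMPLE)` returns one finding each for the task, registry, DNS and HTTP records and nothing for the two benign ones; the same checkers can be fed parsed records from real event logs or proxy logs.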

☠️ Risk & Impact

ShadowPad primarily facilitates data exfiltration and long‑term espionage, with documented theft of source code, credentials, and proprietary business data. Financial losses from the NetSarang incident are estimated in the tens of millions USD due to incident response costs and remediation. The majority of affected sectors are technology, telecommunications, and critical infrastructure, with victims in the US, Japan, South Korea, and India.

🛡️ Mitigation

Defenders should apply network segmentation to limit lateral movement, deploy EDR solutions with YARA rules matching ShadowPad’s known mutex (e.g., `Global\8C1A2B3D4E5F60718`), and enforce application whitelisting for signed binaries. Patches for exploited CVEs (CVE‑2017‑0199, CVE‑2017‑11882) are available from Microsoft. The specific MITRE ATT&CK IDs used by ShadowPad include T1059.003, T1021.001, T1041, T1572, and T1562.001.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.