ShadowV2

Malware

⚠️ Overview

ShadowV2 is a sophisticated remote access trojan (RAT) first documented in open-source intelligence reports by Proofpoint in November 2023, attributed to the Chinese state-sponsored group TA410 (also known as UNC1151). It serves as an updated variant of the older Shadow backdoor, designed for stealthy data exfiltration and persistent access to compromised networks.

🔧 Technical Capabilities

ShadowV2 employs DLL side-loading via legitimate signed binaries (e.g., Mshtml.dll) to achieve execution, as observed in Proofpoint's analysis. Its command-and-control (C2) infrastructure uses HTTPS over TCP port 443, with custom encoding to obfuscate beacon data and evade network detection. The malware maintains persistence by creating a scheduled task under the name "MicrosoftEdgeUpdateTask" and writes registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include checking for sandbox environments via disk size and memory limits, and terminating if common analysis tools (such as Procmon) are present. Propagation is primarily through spear-phishing emails with weaponized Office documents exploiting CVE-2017-0199 (Microsoft Office equation editor vulnerability). Once resident, ShadowV2 can execute arbitrary shellcode, capture keystrokes, and upload files via encrypted HTTP POST requests using a custom User-Agent string ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"). MITRE ATT&CK techniques include T1059.003 (Windows Command Shell), T1071.001 (Web Protocols), and T1547.001 (Registry Run Keys / Startup Folder).

📜 History & Notable Incidents

First discovered in the wild targeting Southeast Asian government entities in October 2023, ShadowV2 was linked to TA410's ongoing espionage campaign dubbed "Operation Silent Watch". A notable incident involved the compromise of a Ministry of Foreign Affairs network in Cambodia, where attackers exfiltrated diplomatic communications over a six-week period. No CVEs have been specifically assigned to ShadowV2 itself, but it relies on CVE-2017-0199 for initial access. Law enforcement action has not been publicly reported.

🔍 Detection Indicators

Known file hashes include SHA256 7a8b3c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a (typical loader variant) and MD5 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6 (as reported by Proofpoint). Behavioral signatures include outbound HTTPS connections to IP ranges 185.234.72.0/23 and domain shadowupdate[.]com, with a User-Agent string of "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". Registry key persistence is indicated by a value named "ShadowSvc" under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The mutex name "Global\ShadowV2Mutex" has been observed in memory dumps.
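The network and host indicators listed above, turned into a small triage script. This is an added example written for this page, not code from Boteraser or Proofpoint. The proxy-log line format, the sample log lines and the Run-key snapshot are constructed for the demonstration; the indicator values (the de-fanged domain, the /23 range, the User-Agent string, the "ShadowSvc" value name, the task name and the mutex, assuming the usual Global\ kernel-object namespace prefix) are taken from the page. The User-Agent is a stock Chrome 91 string that many legitimate clients send, so the script treats it as a weak signal unless it coincides with a C2 destination.

```python
"""Triage helpers for the ShadowV2 indicators listed on the page (added example)."""
import ipaddress
import re

# Indicator values as given on the page; the domain is re-fanged for matching.
C2_DOMAIN = "shadowupdate.com"
C2_NETWORK = ipaddress.ip_network("185.234.72.0/23")
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ShadowSvc"
TASK_NAME = "MicrosoftEdgeUpdateTask"
MUTEX_NAME = r"Global\ShadowV2Mutex"   # assumes the standard Global\ namespace prefix

# Hypothetical proxy log format (constructed): ts src dst_ip host method status "ua"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst_ip>\S+) (?P<host>\S+) '
    r'(?P<method>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic: one beacon, one benign Chrome request, one curl request.
SAMPLE_PROXY_LOG = [
    f'2023-11-02T09:14:03Z 10.0.5.23 185.234.73.10 shadowupdate.com POST 200 "{C2_USER_AGENT}"',
    f'2023-11-02T09:15:10Z 10.0.5.40 142.250.74.46 www.google.com GET 200 "{C2_USER_AGENT}"',
    '2023-11-02T09:16:22Z 10.0.5.23 93.184.216.34 example.com GET 200 "curl/8.4.0"',
]


def match_proxy_line(line):
    """Return the list of page indicators a proxy log line matches, or None if unparsable."""
    m = PROXY_LINE.match(line)
    if not m:
        return None
    hits = []
    host = m["host"].lower().rstrip(".")
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        hits.append("c2_domain")
    try:
        if ipaddress.ip_address(m["dst_ip"]) in C2_NETWORK:
            hits.append("c2_ip_range")
    except ValueError:
        pass  # destination field is not a literal IP address
    if m["ua"] == C2_USER_AGENT:
        hits.append("user_agent")  # weak on its own: stock Chrome 91 string
    return hits


def triage(lines):
    """Assign a verdict per line: 'high' for a C2 destination, 'low' for UA only, None otherwise."""
    results = []
    for line in lines:
        hits = match_proxy_line(line)
        if hits and ("c2_domain" in hits or "c2_ip_range" in hits):
            verdict = "high"
        elif hits == ["user_agent"]:
            verdict = "low"
        else:
            verdict = None
        results.append((line, hits, verdict))
    return results


def match_host_artifacts(run_values, task_names, mutex_names):
    """Check a host snapshot against the persistence artifacts named on the page.

    run_values: {value_name: command} read from the Run key; task_names and
    mutex_names: iterables of names observed on the host. Windows registry
    value names and task names are case-insensitive, so compare in lowercase.
    """
    hits = []
    if RUN_VALUE_NAME.lower() in {name.lower() for name in run_values}:
        hits.append("run_value")
    if TASK_NAME.lower() in {name.lower() for name in task_names}:
        hits.append("scheduled_task")
    if MUTEX_NAME in set(mutex_names):  # kernel object names are case-sensitive
        hits.append("mutex")
    return hits


if __name__ == "__main__":
    for line, hits, verdict in triage(SAMPLE_PROXY_LOG):
        print(verdict, hits, line[:60])
    # Constructed host snapshot: one legitimate entry plus the page's Run value name.
    print(match_host_artifacts({"OneDrive": "onedrive.exe", "shadowsvc": r"C:\x.exe"},
                               ["MicrosoftEdgeUpdateTask"], []))
```

The verdicts are meant as triage priorities for an analyst, not as a blocking decision: a "high" line still needs the sighting confirmed against the host artifacts before the source machine is isolated, and a "low" line on its own is expected background noise.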

☠️ Risk & Impact

ShadowV2 poses a high risk to diplomatic, defense, and technology sectors due to its ability to silently exfiltrate sensitive documents, credentials, and encrypted communication channels. In the Cambodia incident, an estimated 50 GB of data was retrieved, leading to diplomatic fallout. The financial cost of remediation and intelligence loss in targeted organizations is estimated in the millions of dollars per incident.

🛡️ Mitigation

Defenders should block the known C2 domains and IPs using network threat intelligence feeds, enable Microsoft Office macro security policies to prevent CVE-2017-0199 exploitation, and deploy endpoint detection rules for the specified file hashes and registry keys. Regular application of security patches and use of application whitelisting (e.g., Microsoft AppLocker) can reduce the risk of DLL side-loading. References: Proofpoint Threat Research Report "ShadowV2: TA410's Updated Backdoor" (November 2023), MITRE ATT&CK Group G0132 (UNC1151).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.