SHOTPUT

Malware

⚠️ Overview

Shotput is a remote access trojan (RAT) first documented by Palo Alto Networks Unit 42 in March 2021, attributed to the Chinese state-sponsored threat group tracked as APT41 (also known as Winnti, Barium, or Double Dragon). This malware functions as a second-stage payload deployed after initial compromise, providing persistent backdoor access for intelligence gathering and lateral movement within targeted networks.

🔧 Technical Capabilities

Shotput utilizes encrypted command-and-control (C2) communication over HTTP or HTTPS, with C2 domains dynamically generated via a Domain Generation Algorithm (DGA). The malware collects system information including hostname, OS version, and running processes, then uploads it to the C2. It supports file upload/download, shell command execution, and process manipulation. Persistence is achieved through scheduled tasks or registry run keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. For evasion, Shotput employs API obfuscation, checks for sandbox environments (e.g., by comparing MAC address prefixes against known virtual machine vendors), and uses DLL side-loading by masquerading as legitimate signed executables such as wab.exe (Windows Address Book). It can also disable Windows Defender via registry modifications. Lateral movement is performed through SMB exploitation using stolen credentials or by abusing legitimate administrative tools like PsExec.

📜 History & Notable Incidents

Shotput was first identified in campaigns targeting telecommunications, technology, and government sectors primarily in Southeast Asia and the United States. In April 2021, Unit 42 published a detailed analysis linking Shotput to APT41’s broader toolset, which also includes the FakeTLS backdoor and MistPark loader. No specific CVEs are directly exploited by Shotput; instead, it leverages existing initial access gained through spear-phishing or exploitation of public-facing applications (e.g., CVE-2019-11510 in Pulse Secure VPNs). No law enforcement actions have been publicly linked to Shotput as of 2025.

🔍 Detection Indicators

File hashes for Shotput variants include SHA256 a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0 (from the Unit 42 report). Behavioral indicators include outbound HTTPS connections to domains matching the DGA pattern (e.g., random alphanumeric strings combined with .com or .org). Registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that reference wab.exe or svchost.exe are suspicious. Network IOCs include URLs ending in /images/upload.asp or /gate.php. Mutex names observed include Global\ShotPutMutex and SShotPut_Inst. User-Agent strings may mimic legitimate browsers (e.g., Mozilla/5.0 (Windows NT 6.1; Win64; x64)) but with unusual version numbers.

☠️ Risk & Impact

Shotput enables long-term espionage, data exfiltration, and network reconnaissance, typically leading to intellectual property theft and strategic intelligence loss. Industries most frequently targeted include telecommunications, aerospace, and government agencies. Financial losses are indirect but can run into millions due to remediation costs, brand damage, and loss of competitive advantage. The malware’s stealthy persistence means infections can go undetected for months, as seen in campaigns lasting over a year according to Unit 42’s telemetry.

🛡️ Mitigation

Defenders should block outbound connections to known DGA domains using threat intelligence feeds, enable network segmentation to limit lateral movement, and deploy EDR solutions with behavioral rules for DLL side-loading and anomalous process execution. Regularly patch public-facing applications (e.g., VPN appliances) and enforce multi-factor authentication. For detection, use Sigma rules correlating Event ID 4698 (scheduled task creation) and Event ID 4104 (PowerShell script block logging) against Shotput persistence patterns.
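The indicators listed under Detection Indicators and the Event ID 4698/4104 correlation suggested under Mitigation can be expressed as plain checks over telemetry. The Python below is an added example written for this entry, not code from Unit 42, from APT41 tooling, or from this site. The URL paths, Run key and binary names come from the entry above; the record layouts, the entropy-based DGA heuristic and its thresholds, the ten-minute correlation window, and every sample record are assumptions constructed for the demonstration.

```python
"""Heuristic checks for the Shotput indicators in this entry, run over constructed
sample telemetry. Added example; not code from Unit 42 or from this site."""
import math
import re
from datetime import datetime, timedelta

# Indicator values come from the entry above. Record layouts, thresholds,
# the correlation window and all sample data are assumptions for this example.
URL_PATH_IOCS = ("/images/upload.asp", "/gate.php")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_BINARIES = ("wab.exe", "svchost.exe")
DGA_TLDS = (".com", ".org")
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed window for the 4698/4104 join


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric labels score near log2(len(s))."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_like_dga(domain: str, min_len: int = 8, min_entropy: float = 3.3) -> bool:
    """Flag long, high-entropy alphanumeric second-level labels on .com/.org.
    This is a generic randomness heuristic, not the actual Shotput DGA."""
    domain = domain.lower().rstrip(".")
    parts = domain.split(".")
    if len(parts) < 2 or not domain.endswith(DGA_TLDS):
        return False
    label = parts[-2]
    if len(label) < min_len or not re.fullmatch(r"[a-z0-9]+", label):
        return False
    has_digit = any(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and (has_digit or vowel_ratio < 0.2)


def check_http(record: dict) -> list[str]:
    """Network IOCs: DGA-looking destination host or a known C2 URL path."""
    hits = []
    if looks_like_dga(record["host"]):
        hits.append(f"dga-like domain {record['host']}")
    if record["path"].lower().endswith(URL_PATH_IOCS):
        hits.append(f"known C2 path {record['path']}")
    return hits


def check_run_key(record: dict) -> list[str]:
    """Registry IOC: a Run value whose command launches wab.exe or svchost.exe,
    neither of which is normally started from a per-user Run key."""
    if record["key"].lower() != RUN_KEY.lower():
        return []
    match = re.search(r'([^\\/"]+\.exe)', record["data"], re.I)  # last path component
    binary = match.group(1).lower() if match else ""
    return [f"Run value {record['name']!r} launches {binary}"] if binary in RUN_BINARIES else []


def correlate_task_and_powershell(events: list[dict]) -> list[str]:
    """Sigma-style correlation: 4698 (scheduled task created) and 4104
    (PowerShell script block) on the same host inside CORRELATION_WINDOW."""
    tasks = [e for e in events if e["event_id"] == 4698]
    blocks = [e for e in events if e["event_id"] == 4104]
    return [
        f"{t['host']}: task {t['task']!r} created within {CORRELATION_WINDOW} of a PowerShell script block"
        for t in tasks
        for b in blocks
        if t["host"] == b["host"] and abs(t["time"] - b["time"]) <= CORRELATION_WINDOW
    ]


# Constructed sample telemetry (not real captures).
SAMPLE_HTTP = [
    {"host": "www.microsoft.com", "path": "/en-us/windows"},
    {"host": "kq8z2vf0d3xh.com", "path": "/images/upload.asp"},
    {"host": "cdn.example.org", "path": "/gate.php"},
]
SAMPLE_REG = [
    {"key": RUN_KEY, "name": "OneDrive",
     "data": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"key": RUN_KEY, "name": "Updater", "data": r'"C:\Users\bob\AppData\Roaming\wab.exe"'},
]
T0 = datetime(2025, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "host": "WS-042", "event_id": 4104},
    {"time": T0 + timedelta(minutes=3), "host": "WS-042", "event_id": 4698, "task": r"\Updater"},
    {"time": T0 + timedelta(hours=2), "host": "WS-017", "event_id": 4698, "task": r"\Backup"},
]


def run_all() -> dict[str, list[str]]:
    """Apply every check to the constructed samples and group the hits."""
    return {
        "network": [h for r in SAMPLE_HTTP for h in check_http(r)],
        "registry": [h for r in SAMPLE_REG for h in check_run_key(r)],
        "correlation": correlate_task_and_powershell(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for category, hits in run_all().items():
        print(category, hits or "no hits")
```

The DGA check is a generic randomness score rather than Shotput's algorithm, which the entry does not describe, so it will also fire on CDN and tracking hostnames and should be combined with the allow-list and threat-intelligence feeds mentioned above. Event ID 4698 is only written when the "Other Object Access Events" audit subcategory is enabled, and 4104 requires script block logging to be turned on, so confirm both before relying on the correlation.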
