The ShadowPad malware has been in continuous use by various Chinese cyber threat groups since its emergence in 2017. This Windows backdoor allows attackers to deploy additional malicious modules or exfiltrate sensitive information, and it remains a serious concern for cybersecurity professionals.
SentinelOne researchers Yi-Jhen Hsieh and Joey Chen describe ShadowPad as a “masterpiece of privately sold malware in Chinese espionage,” emphasizing that its adoption by threat actors notably decreases their development and maintenance costs. Recent analysis indicated that some groups have halted their own backdoor development in favor of leveraging ShadowPad’s capabilities.
ShadowPad gained significant notoriety following high-profile supply chain attacks involving firms such as NetSarang, CCleaner, and ASUS. The resulting scrutiny pushed its operators to invest in evasion, employing advanced anti-detection and persistence techniques to get past security measures.
In recent attacks, ShadowPad has targeted organizations in Hong Kong and critical infrastructure entities in India, Pakistan, and several Central Asian countries. Although the majority of these incidents have been attributed to the APT41 group, the malware is also utilized by various Chinese espionage factions, including Tick, RedEcho, RedFoxtrot, and clusters identified as Operation Redbonus, Redkanku, and Fishmonger.
The Fishmonger group employs ShadowPad alongside another backdoor, Spyder, for long-term surveillance, while also deploying first-stage backdoors like FunnySwitch and BIOPASS RAT during initial infiltration phases. Victims of these campaigns span sectors including universities, government institutions, the media, technology firms, and healthcare organizations engaged in COVID-19 research across regions such as Hong Kong, Taiwan, India, and the United States.
The underlying mechanism of ShadowPad involves a dynamic loader that decrypts and executes a Root plugin in memory. The Root plugin can then fetch additional plugins on the fly from a remote command-and-control (C2) server, allowing attackers to extend the malware’s functionality well beyond its original capabilities. To date, researchers have identified at least 22 distinct plugins associated with this malware.
Control of infected systems is maintained through a Delphi-based controller that handles backdoor communications, updates to C2 infrastructure, and management of deployed plugins. Notably, the components of ShadowPad are sold individually rather than as a complete suite: most samples observed carry fewer than nine plugins, drawn from a collection of around 100.
Furthermore, the emergence of ShadowPad highlights a shift in the cyber threat landscape, providing actors with a robust alternative to self-developed backdoors. Described as well-crafted and likely developed by experienced malware designers, ShadowPad exemplifies ongoing advancements in both its functionality and anti-forensic capabilities.