Skip to content

S0596 ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. 324

Item Value
ID S0596
Version 1.2
Created 23 March 2021
Last Modified 26 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.4
enterprise T1071.002 File Transfer Protocols ShadowPad has used FTP for C2 communications.4
enterprise T1071.004 DNS ShadowPad has used DNS tunneling for C2 communications.4
enterprise T1132 Data Encoding -
enterprise T1132.002 Non-Standard Encoding ShadowPad has encoded data as readable Latin characters.2
enterprise T1140 Deobfuscate/Decode Files or Information ShadowPad has decrypted a binary blob to start execution.4
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms ShadowPad uses a DGA that is based on the day of the month for C2 servers.241
enterprise T1070 Indicator Removal ShadowPad has deleted arbitrary Registry values.4
enterprise T1105 Ingress Tool Transfer ShadowPad has downloaded code from a C2 server.2
enterprise T1112 Modify Registry ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system.45
enterprise T1095 Non-Application Layer Protocol ShadowPad has used UDP for C2 communications.4
enterprise T1027 Obfuscated Files or Information ShadowPad has encrypted its payload, a virtual file system, and various files.25
enterprise T1027.011 Fileless Storage ShadowPad maintains a configuration block and virtual file system in the Registry.45
enterprise T1057 Process Discovery ShadowPad has collected the PID of a malicious process.4
enterprise T1055 Process Injection ShadowPad has injected an install module into a newly created process.4
enterprise T1055.001 Dynamic-link Library Injection ShadowPad has injected a DLL into svchost.exe.4
enterprise T1029 Scheduled Transfer ShadowPad has sent data back to C2 every 8 hours.2
enterprise T1082 System Information Discovery ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.4
enterprise T1016 System Network Configuration Discovery ShadowPad has collected the domain name of the victim system.4
enterprise T1033 System Owner/User Discovery ShadowPad has collected the username of the victim system.4
enterprise T1124 System Time Discovery ShadowPad has collected the current date and time of the victim system.4

Groups That Use This Software

ID Name References
G0081 Tropic Trooper 3
G1006 Earth Lusca 5
G0096 APT41 13
G0131 Tonto Team 6