S0596 ShadowPad
ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. 324
| Item | Value |
|---|---|
| ID | S0596 |
| Associated Names | POISONPLUG.SHADOW |
| Type | MALWARE |
| Version | 1.3 |
| Created | 23 March 2021 |
| Last Modified | 22 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| POISONPLUG.SHADOW | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.4 |
| enterprise | T1071.002 | File Transfer Protocols | ShadowPad has used FTP for C2 communications.4 |
| enterprise | T1071.004 | DNS | ShadowPad has used DNS tunneling for C2 communications.4 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | ShadowPad has encoded data as readable Latin characters.2 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ShadowPad has decrypted a binary blob to start execution.4 |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | ShadowPad uses a DGA that is based on the day of the month for C2 servers.241 |
| enterprise | T1070 | Indicator Removal | ShadowPad has deleted arbitrary Registry values.4 |
| enterprise | T1105 | Ingress Tool Transfer | ShadowPad has downloaded code from a C2 server.2 |
| enterprise | T1680 | Local Storage Discovery | ShadowPad has discovered system information including volume serial numbers.4 |
| enterprise | T1112 | Modify Registry | ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system.45 |
| enterprise | T1095 | Non-Application Layer Protocol | ShadowPad has used UDP for C2 communications.4 |
| enterprise | T1027 | Obfuscated Files or Information | ShadowPad has encrypted its payload, a virtual file system, and various files.25 |
| enterprise | T1027.011 | Fileless Storage | ShadowPad maintains a configuration block and virtual file system in the Registry.45 |
| enterprise | T1057 | Process Discovery | ShadowPad has collected the PID of a malicious process.4 |
| enterprise | T1055 | Process Injection | ShadowPad has injected an install module into a newly created process.4 |
| enterprise | T1055.001 | Dynamic-link Library Injection | ShadowPad has injected a DLL into svchost.exe.4 |
| enterprise | T1029 | Scheduled Transfer | ShadowPad has sent data back to C2 every 8 hours.2 |
| enterprise | T1082 | System Information Discovery | ShadowPad has discovered system information including memory status, CPU frequency, and OS versions.4 |
| enterprise | T1016 | System Network Configuration Discovery | ShadowPad has collected the domain name of the victim system.4 |
| enterprise | T1033 | System Owner/User Discovery | ShadowPad has collected the username of the victim system.4 |
| enterprise | T1124 | System Time Discovery | ShadowPad has collected the current date and time of the victim system.4 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | 96 |
| G1042 | RedEcho | RedEcho has used ShadowPad during intrusions.108 |
| G0081 | Tropic Trooper | 3 |
| G0131 | Tonto Team | 11 |
| G0096 | APT41 | 13 |
| G0143 | Aquatic Panda | Aquatic Panda used ShadowPad as a remote access tool to victim environments.12 |
| G1006 | Earth Lusca | 5 |
| G0060 | BRONZE BUTLER | 3 |
References
-
Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. ↩↩↩
-
GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021. ↩↩↩↩↩↩
-
Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021. ↩↩↩↩
-
Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. ↩↩↩↩
-
Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025. ↩
-
Dragos. (2022). 2021 ICS Cybersecurity Year in Review. Retrieved November 21, 2024. ↩
-
Recorded Future Insikt Group. (2022, April 6). Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group. Retrieved November 21, 2024. ↩
-
Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. ↩
-
Recorded Future Insikt Group. (2021, February). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved November 21, 2024. ↩
-
Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. ↩
-
CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024. ↩