ShadowPad is an advanced modular RAT deployed by Chinese government–sponsored actors since at least 2017, with broader activity by MSS and PLA-linked groups globally since 2019. CTU analysis shows ShadowPad uses in-memory decryption, DLL loaders sideloaded by legitimate apps, and multi-file execution chains to enable persistence, command execution, and C2 communications. #ShadowPad #BRONZEATLAS #BRONZEUNIVERSITY #MSS #PLA #ICEKILLER #DLLHijacking

Keypoints

  • ShadowPad has been deployed by BRONZE ATLAS since at least 2017, with broader use by MSS/PLA-affiliated groups globally from 2019.
  • Attacks commonly use two-file or three-file execution chains where a ShadowPad DLL loader is sideloaded by a legitimate executable vulnerable to DLL search order hijacking.
  • The DLL loader decrypts the ShadowPad payload in memory using a custom decryption algorithm and handles multiple ShadowPad payload versions.
  • ShadowPad persists via a Windows service and a registry Run key; the decrypted payload is then injected into a child process of the service process, with the target process named in the ShadowPad configuration.
  • Threat actors target a range of sectors and regions, with clusters linked to PLA theater commands (Northern, Western, Southern) and organizations such as BRONZE HUNTLEY, BRONZE BUTLER, and BRONZE GENEVA.
  • Historical campaigns include supply-chain intrusions (e.g., CCleaner, NetSarang, ASUS Live Update) and potential overlaps with PlugX and “Rose” actors.
  • CTU/third-party research links ShadowPad development to BRONZE ATLAS and suggests collaboration across MSS/PLA networks, including near-abroad theater command operations.
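The execution chain summarized above (a legitimate, signed executable registered as a service, an unsigned DLL loaded from the same user-writable directory via search order hijacking, then a child process opened for injection) can be hunted from endpoint telemetry. The following Python is an added example, not code from the Secureworks report or from ShadowPad itself; the Sysmon-like field names, the event records, the directory and file names and the process IDs are all constructed for illustration.

```python
"""Hunt for a ShadowPad-style side-loading chain in Sysmon-like events.

Assumptions (not from the report): event id 1 = process create, 7 = image
load, 10 = process access; field names are simplified Sysmon-style keys.
All events below are constructed sample data, not real telemetry.
"""
import ntpath
from collections import defaultdict

# Directories where a side-by-side DLL load is expected and low-signal.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed sample events (hypothetical paths and PIDs).
EVENTS = [
    # signed vendor binary started as a service from a user-writable directory
    {"id": 1, "pid": 4100, "image": r"C:\ProgramData\Intel\MsiUpdate.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "signed": True},
    # unsigned DLL loaded from the application's own directory (search order hijack)
    {"id": 7, "pid": 4100, "image": r"C:\ProgramData\Intel\MsiUpdate.exe",
     "loaded": r"C:\ProgramData\Intel\msvcr100.dll", "signed": False},
    # ordinary system DLL load, must not fire
    {"id": 7, "pid": 4100, "image": r"C:\ProgramData\Intel\MsiUpdate.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # child process spawned by the service process (the injection target)
    {"id": 1, "pid": 5220, "image": r"C:\Windows\System32\svchost.exe",
     "parent_pid": 4100, "parent_image": r"C:\ProgramData\Intel\MsiUpdate.exe",
     "signed": True},
    # full-access handle from the service process into that child
    {"id": 10, "source_pid": 4100, "target_pid": 5220,
     "target_image": r"C:\Windows\System32\svchost.exe", "access": "0x1FFFFF"},
    # benign control: signed application in Program Files loading its own signed DLL
    {"id": 1, "pid": 7000, "image": r"C:\Program Files\Vendor\app.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True},
    {"id": 7, "pid": 7000, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\helper.dll", "signed": True},
]


def dirname(path):
    """Case-folded Windows directory of a path (ntpath works on any OS)."""
    return ntpath.dirname(path).lower()


def in_trusted_dir(path):
    d = dirname(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def score_chain(events):
    """Return {pid: [findings]} for processes that match stages of the chain.

    Events are processed in order, so later stages (child spawn, process
    access) only count once the process has already drawn a finding.
    """
    findings = defaultdict(list)
    for e in events:
        if e["id"] == 1:
            parent = ntpath.basename(e["parent_image"]).lower()
            if parent == "services.exe" and not in_trusted_dir(e["image"]):
                findings[e["pid"]].append("service binary launched from untrusted directory")
            if e.get("parent_pid") in findings:
                findings[e["parent_pid"]].append(
                    f"spawned child {ntpath.basename(e['image'])} pid {e['pid']}")
        elif e["id"] == 7:
            side_by_side = dirname(e["loaded"]) == dirname(e["image"])
            if side_by_side and not e["signed"] and not in_trusted_dir(e["image"]):
                findings[e["pid"]].append(
                    f"unsigned side-by-side DLL {ntpath.basename(e['loaded'])}")
        elif e["id"] == 10 and e["source_pid"] in findings:
            findings[e["source_pid"]].append(
                f"process access to pid {e['target_pid']} "
                f"({ntpath.basename(e['target_image'])}) mask {e['access']}")
    return dict(findings)


def suspicious_pids(events, min_findings=2):
    """PIDs with at least min_findings chain stages; one stage alone is too noisy."""
    return sorted(pid for pid, f in score_chain(events).items() if len(f) >= min_findings)


if __name__ == "__main__":
    for pid, notes in score_chain(EVENTS).items():
        print(pid, notes)
    print("suspicious:", suspicious_pids(EVENTS))
```

Requiring two or more stages before alerting is the design choice that keeps this usable: a single unsigned side-by-side DLL is common in legitimate software, but the same process also being service-launched from ProgramData and then opening a handle into a child it just spawned is the ShadowPad pattern. Swap the constructed EVENTS for parsed Sysmon or EDR records with the same keys to run it on real data.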

MITRE Techniques

  • [T1059.003] Windows Command Shell – Hands-on-keyboard activity spawned multiple cmd.exe child processes. “In one incident, multiple cmd.exe child processes were launched via hands-on-keyboard activity”
  • [T1543.003] Create/Modify System Process – The legitimate executable is launched as a Windows service. “the legitimate executable is launched as a Windows service.”
  • [T1055] Process Injection – ShadowPad payload is injected into a child process of the service process. “The ShadowPad payload is injected into a child process of the service process that is specified in the ShadowPad configuration information.”
  • [T1574.001] Hijack Execution Flow – DLL Search Order Hijacking / Sideloading – ShadowPad is sideloaded by a legitimate executable vulnerable to DLL search order hijacking. “sideloaded by a legitimate executable vulnerable to DLL search order hijacking.”
  • [T1027] Obfuscated Files or Information – The ShadowPad payload is stored encrypted and decrypted in memory using a custom decryption algorithm. “ShadowPad is decrypted in memory using a custom decryption algorithm.”
  • [T1112] Modify Registry (Run-key persistence maps more precisely to T1547.001, Registry Run Keys / Startup Folder) – Persistence via creation of a service and a registry Run key. “persistence via creation of a service and a registry Run key.”
  • [T1071.001] Web Protocols – ShadowPad communicates with C2 domains/IPs; C2 details are documented. “Figure 1 lists configuration information for a ShadowPad sample that reveals command and control (C2) details.”

Indicators of Compromise

  • [Domain] billing.epac.to, www.cloudvn.info, phiinoc.dnsdyn.net, stratorpriv.lubni23.com, exat.dnset.com, vsmrcil.casacam.net, secupdate.kozow.com, and other BRONZE/ShadowPad domains (context: ShadowPad C2 servers)
  • [IP address] 172.197.18.30, 172.200.21.190 (context: ShadowPad C2 servers)
  • [MD5 hash] 9d686ceed21877821ab6170a348cc073, 27d889c351ac2f48d31b91d06061ec8d (context: ShadowPad DLL loader ICEKILLER variant)
  • [SHA1 hash] 3ebeb4e08c82b220365b1e7dd0cc199b7, f5b7ea5e705655a1bc08030b601443088a5af4dd (context: ShadowPad DLL loader ICEKILLER variant)
  • [SHA256 hash] 9c28c1b2ff0a84c8b667f128626f28b173feb07481192e214b5a29b98964a7f9, d48e671df571b76ee94c734bdd5272e12fcd1362f1d75138ff547bc2bc0c31ef (context: ShadowPad DLL loader ICEKILLER variant)

Read more: https://www.secureworks.com/research/shadowpad-malware-analysis