AhnLab and South Korea’s NCSC have revealed detailed insights into TA-ShadowCricket, a covert and advanced threat group linked to China that has operated for over a decade targeting Asia-Pacific networks. The group employs sophisticated malware and command-and-control infrastructure to conduct espionage and long-term data theft. #ShadowForce #TA-ShadowCricket
Key points
- TA-ShadowCricket, formerly Shadow Force, has been active since 2012, primarily targeting Asia-Pacific governments and enterprises.
- The group operates a command-and-control IRC server controlling over 2,000 compromised systems worldwide, with many affected IPs in China and South Korea.
- Its malware toolkit includes tools for reconnaissance, remote control, persistence, and data theft, such as the Maggie backdoor and CredentialStealer.
- The group uses advanced techniques like DLL injection with Pemodifier and SQL Server-based malware to maintain stealth and persistence.
- While the evidence suggests a Chinese nexus, the presence of coin miners and embedded nicknames complicates attribution and raises questions about the group’s true nature.
Read More: https://securityonline.info/decade-of-stealth-china-linked-ta-shadowcricket-targets-asia-pacific/