shadowpad

ShadowPad is malware/tooling referenced in the provided content in connection with advanced intrusion activity and a later campaign exploiting a Microsoft WSUS remote code execution vulnerability (CVE-2025-59287). The content associates related DLL sideloading activity with ShadowPad, also referred to in one cited context as “NetSarang.” Reported activity targeted government organizations in Asia, and the report notes that DLL sideloading has historically been a favored technique of China-based APT groups, but the content does not directly and conclusively attribute ShadowPad itself to a specific state. In the detailed intrusion reporting, activity linked elsewhere to ShadowPad/NetSarang involved repeated DLL sideloading using legitimate signed applications including Cisco Webex components, VLC Media Player, Razer Chromium Render Process, Microsoft Symbol Server Builder, and a Bitdefender Crash Handler executable. The cases described shared infrastructure, loader shellcode, and code-flow obfuscation. Observed behaviors included encrypted plugin loading, reverse shell execution, process hollowing, UAC bypass via CMSTPLUA and via fodhelper.exe/ComputerDefaults.exe, service creation, autorun persistence, and anti-security actions such as attempting to stop Kaspersky avp.exe. One case involved a USB worm that propagated via removable drives. VirusTotal hunting linked 2022 activity to related 2021 samples, including a sideloading chain previously reported in association with ShadowPad or NetSarang. Separately, the content states that ShadowPad malware was used in attacks exploiting WSUS RCE vulnerability CVE-2025-59287 and that the campaign used the vulnerability to establish persistence on compromised systems.