ShadowPad
ShadowPad is a sophisticated modular remote access trojan (RAT) / backdoor closely associated with China-based espionage activity. Multiple sources in the content describe it as originally developed by Wicked Panda / Winnti / APT41 / BRONZE ATLAS and later shared or adopted by multiple Chinese state-sponsored threat groups, including MSS- and PLA-linked clusters. It has been in use since at least 2017 and is widely referenced in connection with Chinese APT operations globally.
ShadowPad is modular and can be continuously updated with new functionality. Reported capabilities include collecting host information, executing commands, interacting with the file system and Windows Registry, deploying additional modules, maintaining persistence, deleting arbitrary Registry values, and injecting an install module or decrypted payload into newly created processes. Secureworks described modules including Root, Plugins, Online, Config, Install, and DNS. The malware is commonly decrypted and executed in memory using custom algorithms that vary by version.
A common execution pattern is DLL side-loading / DLL search order hijacking using legitimate signed executables. Observed legitimate host binaries in the content include AppLaunch.exe, hpqhvind.exe, consent.exe, TosBtKbd.exe, BDReinit.exe, Oleview.exe, and a legitimate BitDefender binary. Both two-file and three-file chains are described, with the encrypted payload either embedded in the malicious DLL loader or stored in a separate companion file such as .dat or .mui. ShadowPad commonly copies components into subdirectories under C:\ProgramData, C:\Users\<username>\Roaming, or C:\Program Files, may create a Windows service and/or Run key for persistence, and has been observed storing encrypted payloads in the registry under HKLM\SOFTWARE\Classes\CLSID\{GUID}\<eight-character hexadecimal string>. Specific persistence artifacts mentioned include copying itself to C:\ProgramData\ALGS\Algs.exe and creating a service named Algs.
The malware is strongly linked to major supply-chain compromises. The content states ShadowPad was used in the 2017 CCleaner and NetSarang incidents and was linked to the ASUS Live Update supply-chain attack known as ShadowHammer. In the ASUS case, attackers distributed a trojanized, legitimately signed ASUS update between June and November 2018; the malware checked embedded hashed MAC addresses to identify roughly 600 intended victims and contacted asushotfix.com to retrieve a second-stage payload. U.S. DOJ indictments in 2020 linked APT41-associated actors to supply-chain attacks involving CCleaner, ShadowPad, and ShadowHammer.
The content associates ShadowPad with numerous threat actors and campaigns beyond APT41/Winnti/BRONZE ATLAS, including BRONZE UNIVERSITY, RedFoxtrot, Earth Krahang, SteppeDriver, Space Pirates, and unknown clusters exploiting Microsoft Exchange ProxyLogon vulnerabilities. It has been observed alongside or in environments also containing PlugX, COOLCLIENT, CurlyDoor, RudeGull, MKTDownloader, Cobalt Strike, and other tooling. Several sources note that ShadowPad is often described as a successor or evolution of PlugX, though PlugX remains in heavy use.
Targeting linked to ShadowPad in the content spans government, telecommunications, software development, real estate, energy, transportation, natural resources, NGOs, academia, manufacturing, finance, and other sectors across Asia, the Middle East, Europe, South America, Mongolia, Russia, and elsewhere. Reported victim examples include a software development company in Asia, a real estate company in the Middle East, Mongolian government-linked environments, and organizations compromised through Exchange ProxyLogon exploitation.
High-confidence indicators and artifacts directly mentioned in the content include the domain asushotfix.com from the ASUS ShadowHammer operation; execution chains using BDReinit.exe + log.dll + log.dll.dat, Oleview.exe + iviewers.dll + iviewers.dll.dat, consent.exe + secur32.dll + secur32.dll.dat, and AppLaunch.exe + mscoree.dll + mscoree.dll.dat / mscoree.dll.mui; the TSVIPSrv.DLL hijacking technique via the Windows SessionEnv Service; registry storage under HKLM\SOFTWARE\Classes\CLSID\{GUID}\<eight-character hexadecimal string>; and the service/persistence path C:\ProgramData\ALGS\Algs.exe with service name Algs.
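As an added hunting example (not code from the original page or from any vendor's tooling), the following Python flags the side-loading chains and the CLSID registry storage path listed above, run against constructed Sysmon-style image-load records; the record format, the sample paths and the GUID in the test are assumptions, since the page names no specific GUID.

```python
"""Hunt for the ShadowPad side-loading chains and registry payload path
described above, over constructed Sysmon-style image-load records."""
import re
from pathlib import PureWindowsPath

# Host executable -> DLL it side-loads, from the chains listed on the page.
SIDELOAD_PAIRS = {
    "bdreinit.exe": "log.dll",
    "oleview.exe": "iviewers.dll",
    "consent.exe": "secur32.dll",
    "applaunch.exe": "mscoree.dll",
}
# Staging directories the page names for copied ShadowPad components.
STAGING_ROOTS = ("c:/programdata/", "c:/users/", "c:/program files/")
# HKLM\SOFTWARE\Classes\CLSID\{GUID}\<eight hex chars>; the page gives no
# specific GUID, so any well-formed GUID is accepted (assumption).
CLSID_PAYLOAD_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Classes\\CLSID\\"
    r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[0-9a-f]{8}$",
    re.IGNORECASE,
)

def _norm(path: str) -> str:
    """Lower-case, forward-slash form so paths compare reliably."""
    return PureWindowsPath(path).as_posix().lower()

def in_staging_dir(path: str) -> bool:
    return any(_norm(path).startswith(root) for root in STAGING_ROOTS)

def parse_record(line: str) -> dict:
    """'Key: value | Key: value' -> dict (constructed record format)."""
    fields = (part.split(":", 1) for part in line.split("|"))
    return {k.strip(): v.strip() for k, v in fields}

def detect_sideload(rec: dict):
    """Flag a known host binary loading its paired DLL from the staging
    directory it runs from; the same pair in System32 is left alone."""
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    host = PureWindowsPath(image).name.lower()
    if SIDELOAD_PAIRS.get(host) != PureWindowsPath(loaded).name.lower():
        return None
    same_dir = (_norm(str(PureWindowsPath(image).parent))
                == _norm(str(PureWindowsPath(loaded).parent)))
    if same_dir and in_staging_dir(loaded):
        return f"possible ShadowPad side-load: {host} loaded {loaded}"
    return None

def is_clsid_payload_path(key: str) -> bool:
    return CLSID_PAYLOAD_RE.match(key) is not None

def hunt(lines) -> list:
    """Run the side-load rule over raw records and return the findings."""
    return [f for f in (detect_sideload(parse_record(l)) for l in lines) if f]

# Constructed sample telemetry: two staged chains and one benign system load.
SAMPLE_EVENTS = [
    r"Image: C:\ProgramData\ALGS\BDReinit.exe | ImageLoaded: C:\ProgramData\ALGS\log.dll",
    r"Image: C:\Windows\System32\consent.exe | ImageLoaded: C:\Windows\System32\secur32.dll",
    r"Image: C:\Users\alice\AppData\Roaming\Oleview.exe"
    r" | ImageLoaded: C:\Users\alice\AppData\Roaming\iviewers.dll",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The same-directory check is what separates a staged chain from the legitimate pair in System32; the CLSID matcher is meant to be run over registry-write events or an offline hive walk.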
Vulnerabilities exploited
19 CVEs Mallory has correlated with this family across public research and vendor advisories.
Once access was established, SHADOW-EARTH-053 deployed ShadowPad, a modular malware family historically associated with multiple China-aligned intrusion sets, including APT41. The group relied heavily on DLL sideloading techniques involving signed legitimate executables.
ShadowPad is a modular remote access Trojan (RAT) that is closely associated with China-based APT groups. Because of its modular nature, ShadowPad can be continuously updated with new functionalities.
Among our finds on the server were utilities for lateral movement... The server had the following utilities: Utilities to check for and exploit vulnerability MS17-010... The hackers tweaked the functionality of the MS17-010 utility by adding the ability to check an entire subnet.
In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to running shellcode... Rule names: EE_Loader EE_Dropper WinRAR_ADS_Traversal References / Resources: WinRAR CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-8088
The malware payloads seen in campaigns investigated by Microsoft Defender vary from remote access trojans (RATs) like VShell and EtherRAT, the SNOWLIGHT memory-based malware downloader that enabled attackers to deploy more payloads to target environments, ShadowPAD, and XMRig cryptominers. | CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in TrueConf Client, tracked as CVE-2026-3502 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-3502 is a flaw in TrueConf Client that allows it to download and install updates without verifying them. Attackers who can tamper with the update source can deliver malicious files, leading to arbitrary code execution on the system.
NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. | References include https://securelist.com/shadowpad-in-corporate-networks/81432/ and a Kaspersky press release about 'ShadowPad attackers' hiding a backdoor in software used by hundreds of large companies worldwide. The description states the malicious nssock2.dll implements a multi-stage, DNS-based backdoor.
After logging in, the actor gained access to service account credentials, likely via exploitation of an information disclosure vulnerability affecting Check Point Security Gateway devices. Recent reporting suggests this could represent exploitation of CVE-2024-24919. | The actor then used these compromised service account credentials to move laterally over RDP and SMB, with files related to the modular backdoor, ShadowPad, being delivered to the ‘C:\PerfLogs\’ directory of targeted internal systems.
They also took advantage of specific software weaknesses, such as CVE-2024-8963 and CVE-2024-8190, sometimes even exploiting them before these vulnerabilities were publicly disclosed. | A key piece of malicious software was ShadowPad, described as a “closed-source modular backdoor platform” often used by these Chinese-linked groups to spy and gain remote access.
“We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.” / “During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn …”
...exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...the source of their infection turned out to be an Exchange mail server, which had been compromised back in the summer of 2024 through exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...ShadowPad Malware Actively Exploits WSUS Vulnerability... exploiting CVE-2025-59287 for initial access...
...exploited a public-facing Citrix NetScaler Gateway appliance, likely CVE-2023-3519, for initial access and deployed SnappyBee (also known as Deed RAT)... CVE-2023-3519 is a critical remote code execution (RCE) vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway appliances.
Groups observed using it
23 distinct threat actors attributed by public researchers.
This includes an unreported cluster dubbed SteppeDriver that was first discovered in 2024 and has since targeted entities in France, Mongolia, and South America using tools like ShadowPad, COOLCLIENT, CurlyDoor, RudeGull, and MKTDownloader.
Using our telemetry data, we found that the threat actor also dropped PlugX and ShadowPad samples in victim environments.
ShadowPad is a sophisticated modular remote access trojan (RAT). Though originally developed by Wicked Panda threat actors, ShadowPad is currently used by multiple Chinese state-sponsored threat actor groups.
The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017.
The attackers also use well-known malware: PlugX, ShadowPad, Poison Ivy, a modified variant of PcShare, and the public ReVBShell shell.
A connection with the ShadowPad backdoor, which is now used by at least five different threat actors, was also found.
Threat actor name: Webworm (linked: SixLittleMonkeys, FishMonger; cross-tracker: Space Pirates, ShadowPad / SNAPPYBEE)
The group’s toolset spans Linux implants—RushDrop, DriveSwitch, SilentRaid, and Bulbature—and Windows payloads such as RedLeaves and ShadowPad.
Earth Estries, also known as Salt Typhoon and a few other names, is a China-nexus APT actor, and is known to have used multiple implants such as Snappybee (Deed RAT), ShadowPad, and several more.
"...led to the deployment of ShadowPad that's obfuscated using ScatterBrain."
They said LuoYu has newly used the following malware since JSAC2021: XDealer, ShadowPad, PlugX.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Earth Krahang delivers backdoors to establish access to victim machines. Cobalt Strike and two custom backdoors, RESHELL and XDealer, were employed during the initial stage of attack.
Initial Access
3 techniques
More state-sponsored hacking groups have joined the ongoing attacks targeting tens of thousands of on-premises Exchange servers impacted by severe vulnerabilities tracked as ProxyLogon.
It has been linked to supply chain compromises and for hacking into popular software vendors. Well known software titles with significant installation bases were compromised with malware.
The modus operandi of this group was to compromise developer workstations that had access to source code repositories and then install backdoors and other malware into legitimate software.
Execution
4 techniques
ShadowPad is capable of gathering host information, executing commands, interacting with the file system and registry, and deploying new modules.
In one incident, multiple cmd.exe child processes were launched via hands-on-keyboard activity.
Persistence
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Figure 1 lists configuration information for a ShadowPad sample that reveals command and control (C2) details, the process injection target, and persistence via creation of a service and a registry Run key.
Privilege Escalation
4 techniques
CTU researchers discovered ShadowPad samples sharing behavioral similarities such as injecting the decrypted ShadowPad payload into a newly launched target process... The ShadowPad payload is injected into a child process of the service process that is specified in the ShadowPad configuration information.
GuLoader has the ability to inject shellcode into a donor process that is started in a suspended state. GuLoader has previously used RegAsm as a donor process. Cardinal RAT injects into a newly spawned process created from a native Windows executable.
Figure 1 lists configuration information for a ShadowPad sample that reveals command and control (C2) details, the process injection target, and persistence via creation of a service and a registry Run key.
Stealth
8 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
CTU researchers discovered ShadowPad samples sharing behavioral similarities such as injecting the decrypted ShadowPad payload into a newly launched target process... The ShadowPad payload is injected into a child process of the service process that is specified in the ShadowPad configuration information.
GuLoader has the ability to inject shellcode into a donor process that is started in a suspended state. GuLoader has previously used RegAsm as a donor process. Cardinal RAT injects into a newly spawned process created from a native Windows executable.
APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.
CSPY Downloader has the ability to remove values it writes to the Registry.
ShadowPad is decrypted in memory using a custom decryption algorithm... The DLL loader then decrypts and executes the embedded ShadowPad payload in memory using a custom decryption algorithm specific to the malware version.
Defense Impairment
1 technique
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Discovery
6 techniques
ShadowPad is capable of gathering host information, executing commands, interacting with the file system and registry, and deploying new modules.
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Collection
1 technique
T1113 Screen Capture: ShadowPad contains a screenshot module.
Command and Control
4 techniques
Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...
Its binaries are packed with ConfuserEX and its command-and-control (C&C) communication is encrypted with the AES algorithm.
ShadowPad This backdoor RAT, reported by Kaspersky in 2017... It is considered to be an evolution of PlugX, both of which originated from China and are used by Chinese APTs (APT41 in particular).
Use of a large number of Dynamic DNS (DDNS) domains which form part of overlapping infrastructure clusters
IOCs tracked for this family
158 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
173 sources tracked across advisories, community write-ups, and news.
A malware tool used by the SteppeDriver cluster in campaigns targeting entities in multiple regions.
A sophisticated modular RAT used for espionage-oriented intrusions. It is delivered via DLL sideloading and DLL search order hijacking, decrypts and executes payloads in memory, gathers host information, executes commands, interacts with the file system and registry, deploys additional modules, and maintains persistence on victim systems.
This puts Showboat along with other shared frameworks like PlugX, ShadowPad, and NosyDoor that have been used by multiple China-nexus groups.
Shared frameworks such as PoisonIvy, ShadowPad, and more recently NosyDoor, have made attribution through this method increasingly difficult.